Solved

SSL Server Supports Weak Encryption Vulnerability

Posted on 2011-10-31
12
Medium Priority
782 Views
Last Modified: 2012-11-23
We are doing a scan of our network and getting the error in the picture.
[pic1]
I did do the following edits to the server:
http://gabriel.rabbaa.net/systems/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel-dll-ciphers-in-windows-2003/

But we are still getting the error

0
Question by:Aaron Thorn
12 Comments
 
LVL 8

Expert Comment

by:vinsvin
ID: 37057950
IIS 6.0 Security Best Practices (IIS 6.0)

General Best Practices
• Log on with the least credentials. Log on to your computer using an account that is not in the Administrators group, and then use the Run as command to run IIS Manager as an administrator.
 
• Reduce the attack surface. Disable all services you do not need, including IIS services such as FTP, NNTP or SMTP. If a feature or service is not enabled, then there is no need to secure it.
 
• Do not download or run programs from untrusted sources. Programs can contain instructions to violate security in a number of ways including data theft, denial of service, and data destruction.
 
• Keep virus scanners up to date. Virus scanners frequently identify infected files by scanning for a signature that is a known component of a previously identified virus. The scanners keep these virus signatures in a signature file, which is usually stored on the local hard disk. Because new viruses are discovered frequently, this file should also be updated frequently for the virus scanner to easily identify all current viruses.
 
• Keep current with all software updates. Software updates provide solutions to known security issues. Check software provider Web sites periodically to see if there are new updates available for software used in your organization.

• The new process model in IIS 6.0 includes process recycling, which means an administrator can easily install most IIS updates and most new worker process DLLs without any interruption of service.
 
• Auto Update version 1.0 provides three options to customers: notify update availability the moment it is available; download the update, and notify that it has been downloaded; and scheduled install. For more information, see "Windows Automatic Updates" in Help and Support Center for Windows Server 2003.
 
 
• Use NTFS. The NTFS file system is more secure than the FAT or FAT32 file system.
 
• Assign strong NTFS permissions for your resources.
 
• Exercise caution with domain controllers. If you use a domain controller as an application server, be aware that if security is compromised on the domain controller, then security is compromised on the entire domain.
 
• Restrict write access permissions for the IUSR_computername account. This will help limit the access anonymous users have to your computer.
 
• Store executable files in a separate directory. This makes it easier to assign access permissions and audit for administrators.
 
• Create a group for all anonymous user accounts. You can deny access permissions to resources based on this group membership.
 
• Deny execute permissions for anonymous users to all executables in Windows directories and subdirectories.
 
• Use IP address restriction if administering IIS remotely. For more information, see Securing Sites with IP Address Restrictions.
 
• Assign the most restrictive permissions possible. For example, if your Web site is used only for viewing information, assign only Read permissions. If a directory or site contains applications, assign Scripts Only permissions instead of Scripts and Executables permissions. For more information, see Securing Sites with Web Site Permissions.
 
• Do not assign Write and Script source access permissions or Scripts and Executables permissions. Use this combination with extreme caution. It can allow a user to upload potentially harmful executable files to your server and run them. For more information, see Securing Sites with Web Site Permissions.
 
• Enable data encryption in all WMI-based remote administration scripts. For more information, see Encrypting Data When Running WMI–Based Remote Administration Scripts.
 
• Ensure that the VeriSign Intermediate Root CA on your Web server is up to date. Verify the expiration date, and update the Intermediate Root CA if necessary. The new VeriSign Intermediate Root CA has the following properties:

Issued to: www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Issued by: Class 3 Public Primary Certification Authority
Valid from: 4/16/97 to 10/24/11
 
0
 

Author Comment

by:Aaron Thorn
ID: 37058188
My question is how do I make the server do this?
0
 

Author Comment

by:Aaron Thorn
ID: 37058194
Or is this an update I must have to (IIS 6.0)?
0

 
LVL 16

Expert Comment

by:AlexPace
ID: 37058831
Does the test actually attempt to negotiate an SSL channel using a weak cipher?

What criteria determine failure? Do specific ciphers always fail, or only when they are under some minimum key length?

That screenshot does not provide enough information to let you know what exactly the testing program did that it considers a failure. If a test won't tell you why you failed, it isn't a very useful test.
0
 

Author Comment

by:Aaron Thorn
ID: 37058862
This is all it will tell me. I can call if this does not help.
[pic 1]
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 37058925
It looks like the page has instructions for Apache and Tomcat, but the IIS instructions are cut off at the bottom; is there a page 2?

The test says it considers any key length less than 128 a failure, so, going back to that blog post by Gabriel Rabbaa, I guess I would look at the same registry location and see if there are other ciphers listed with shorter key lengths and, if so, disable those also. The blog doesn't mention if you need to restart IIS for these changes to take effect, but it wouldn't shock me if that was necessary.
0
 

Author Comment

by:Aaron Thorn
ID: 37058937
.
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 37059025
Bingo, those at the top of page 2 should be links, if they are not, just type the title into a search engine:

how to restrict the use of certain cryptographic algorithms and protocols in schannel.dll

It says you'll have to restart Windows for it to work, and then that chart at the bottom shows which ones you'll need to disable to pass this test.

 
0
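A defender-side audit of the same SChannel registry location, added here as an example that is not from this thread or from the linked blog post: it lists each cipher subkey, flags enabled ciphers whose key length is below the 128-bit threshold the scanner quotes, and disables them only when run with -Disable. It assumes PowerShell is installed on the Windows Server 2003 host, an elevated session, and the cipher subkey names documented in Microsoft KB245030 (the article titled in the comment above).

```powershell
param([switch]$Disable)   # without -Disable the script only reports, it changes nothing

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$minBits     = 128        # the scanner's pass threshold quoted in the thread

# Cipher subkey names as documented in KB245030 (assumed list; the OS does not
# necessarily create every subkey, so absent ones are reported as OS default)
$knownCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                  'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
                  'Triple DES 168/168', 'AES 128/128', 'AES 256/256')

function Get-CipherKeyBits([string]$name) {
    # Effective key length is the number before the slash ("RC4 40/128" -> 40); NULL has none
    if ($name -eq 'NULL') { return 0 }
    if ($name -match '(\d+)/\d+') { return [int]$matches[1] }
    return $null          # unfamiliar name: report it but never guess a length
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$root = $hklm.OpenSubKey($ciphersPath, $true)
if (-not $root) { throw "Key not found: HKLM\$ciphersPath" }

# Audit what is already present plus the documented names, without duplicates
$names = @($root.GetSubKeyNames()) + $knownCiphers | Sort-Object -Unique

foreach ($name in $names) {
    $bits = Get-CipherKeyBits $name
    # Names contain "/", which the HKLM: provider treats as a path separator, so the
    # .NET registry API is used instead of Get-ItemProperty / New-Item
    $key     = $root.OpenSubKey($name, $true)
    $enabled = if ($key) { $key.GetValue('Enabled') } else { $null }
    # Enabled=0 disables the cipher; any other value, or no value, leaves the OS default,
    # and Windows Server 2003 enables the 40/56-bit ciphers by default
    $isOff = ($enabled -eq 0)
    $weak  = ($bits -ne $null) -and ($bits -lt $minBits)
    $flag  = if ($weak -and -not $isOff) { '  <-- fails the scan' } else { '' }
    $state = if ($isOff) { 'disabled' } else { 'enabled/default' }
    Write-Host ('{0,-20} {1,4} bits  {2}{3}' -f $name, $bits, $state, $flag)
    if ($Disable -and $weak -and -not $isOff) {
        if (-not $key) { $key = $root.CreateSubKey($name) }
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        Write-Host "    set Enabled=0 for $name"
    }
    if ($key) { $key.Close() }
}
$root.Close()
if ($Disable) { Write-Host 'Reboot required: schannel.dll reads these keys at start-up.' }
```

Run it once without -Disable to see which enabled ciphers the scanner would object to, then with -Disable followed by a reboot, which is the step the thread ends on.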
 

Author Comment

by:Aaron Thorn
ID: 37059315
Hmmm, I did make all the changes and am still getting the same error.
0
 
LVL 16

Accepted Solution

by:
AlexPace earned 2000 total points
ID: 37059317
And you rebooted?
0
 

Author Comment

by:Aaron Thorn
ID: 37059320
Yep.
0
 

Author Comment

by:Aaron Thorn
ID: 37059377
Never mind, it looks to be OK now. Thanks.
0
