Solved

restricting low strength Ciphers not working on Server 2008 R2

Posted on 2012-08-27
Last Modified: 2012-09-02
To pass a Nessus scan (Server 2008 R2) we made the appropriate registry changes to disable SSL v2 and low-strength ciphers. We did this based on the MS support document that many people reference, and by importing standard security-enhancing registry keys available on many security-related web sites (i.e., we did not make the registry corrections by hand):

http://support.microsoft.com/kb/245030

However, a few low-strength ciphers remain on the Nessus scan and are confirmed by THCSSLCheck in TLS v1 and SSL v3 (SSL v2 is disabled):

EXP-EDH-RSA-DES-CBC-SHA - 40 bits
EXP-DES-CBC-SHA - 40 bits
EXP-RC4-MD5 - 40 bits

EDH-RSA-DES-CBC-SHA - 56 bits
EDH-DSS-DES-CBC-SHA - 56 bits

Each of the following registry locations has a binary DWORD of Enabled = 0:

HKLM...\SCHANNEL\Ciphers\DES 56/56
HKLM...\SCHANNEL\Ciphers\RC2 40/128
HKLM...\SCHANNEL\Ciphers\RC2 56/128
HKLM...\SCHANNEL\Ciphers\RC4 40/128
HKLM...\SCHANNEL\Ciphers\RC4 56/128

These entries should have disabled these low strength Ciphers.

What am I missing? Are there other specific keys or entries required? Does there need to be an entry for SCHANNEL\Hashes or something else?
Question by: dakota5
 

Author Comment

by: dakota5
ID: 38338388
I just learned that Dell OMSA (systems management) creates a web server on servers it is loaded on, and the default is not high cipher strength. That is the source of one of my low-cipher-strength Nessus warnings.

But I don't understand: don't the registry settings I listed above force ALL applications to use high-strength ciphers?

How is Dell OMSA getting around (ignoring) the registry settings?

Expert Comment

by: btan
ID: 38339894
The forum states, for example, that for SSL 2.0 you should also include a DWORD value called "DisabledByDefault" as an additional one to disable it. I noted that the MS link you shared also mentions that.

http://social.technet.microsoft.com/wiki/contents/articles/2249.how-to-disable-sslv2-on-a-windows-server-2008-and-windows-server-2008-r2-domain-controller-dsforum2wiki.aspx

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04

==============
Execute all three lines to be on the safe side:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /ve /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v Enabled /d 0 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v DisabledByDefault /d 1 /f
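The three reg add lines above cover only the SSL 2.0 protocol key. The PowerShell script below is an added example, not part of the thread, that writes the same SSL 2.0 values plus Enabled = 0 for each cipher key the question lists, and then reads every value back and warns about anything missing or different. It uses the .NET registry classes rather than the HKLM: drive because the cipher key names contain a forward slash (RC4 40/128), which the PowerShell registry provider treats as a path separator and would turn into two nested keys. The key list is the question's own plus SSL 2.0\Server; nothing else about the machine is assumed. Run it from an elevated prompt, and note that Schannel reads these keys only at boot (KB245030 says the same), so reboot before rescanning.

```powershell
# Added example, not from the original thread. Disables SSL 2.0 on the server side
# and the export / 56-bit Schannel ciphers listed in the question, then reads every
# value back. The .NET registry classes are used instead of the HKLM: drive because
# the cipher key names contain "/" (e.g. "RC4 40/128"), which the PowerShell
# registry provider treats as a path separator. Run from an elevated prompt;
# Schannel applies these keys only after a reboot.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Each entry: the key (relative to HKLM) and the DWORD values it must hold.
$settings = @(
    @{ Key = "$base\Protocols\SSL 2.0\Server"; Expected = @{ Enabled = 0; DisabledByDefault = 1 } }
)
foreach ($cipher in 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128', 'DES 56/56') {
    $settings += @{ Key = "$base\Ciphers\$cipher"; Expected = @{ Enabled = 0 } }
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Write pass. CreateSubKey opens an existing key or creates it, parents included.
foreach ($s in $settings) {
    $k = $hklm.CreateSubKey($s.Key)
    foreach ($name in $s.Expected.Keys) {
        $k.SetValue($name, [int]$s.Expected[$name], [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $k.Close()
}

# Verification pass: re-open each key read-only and report anything that is
# missing or holds a different value. A $null here means the key was never
# created, which is what an import with a mangled "/" in the key name looks like.
$problems = 0
foreach ($s in $settings) {
    $k = $hklm.OpenSubKey($s.Key)
    foreach ($name in $s.Expected.Keys) {
        $actual = $null
        if ($k) { $actual = $k.GetValue($name) }
        if ($actual -ne $s.Expected[$name]) {
            Write-Warning "HKLM\$($s.Key) : $name = [$actual], expected $($s.Expected[$name])"
            $problems++
        }
    }
    if ($k) { $k.Close() }
}

if ($problems -eq 0) {
    Write-Output 'All Schannel keys are present with the expected values; reboot for Schannel to apply them.'
} else {
    Write-Output "$problems value(s) did not verify; see the warnings above."
}
```

These keys govern Schannel only. As the rest of this thread works out, a listener run by a bundled Tomcat/Java or OpenSSL stack keeps offering whatever ciphers it was configured with, so if a suite survives the reboot and rescan, find out which process answers on the flagged port with netstat -ano | findstr :PORT and match the PID with tasklist /fi "PID eq N" before touching the registry again.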

Assisted Solution

by: btan
ID: 38339900

Assisted Solution

by: dakota5
ID: 38342213
The defensia tool is excellent.

But I've checked: small internal web applications like Dell OpenManage Server Administrator, CyberPower PowerPanel (for monitoring battery backups), and others frequently use Apache Tomcat Java servers.

These don't use Microsoft SCHANNEL registry settings for limiting SSL to high encryption. Looking at the Apache Tomcat web site, it looks like one needs to make changes using command-line entries.

Correct me if I'm wrong.

Accepted Solution

by: btan
ID: 38343800
Agreed, there is no registry setting of this sort for Apache web servers. It is mostly to do with its httpd.conf and its mod_ssl module.

http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
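Following on from the two comments above (Tomcat-based tools such as Dell OpenManage and CyberPower PowerPanel do not consult Schannel, and Apache takes its settings from httpd.conf and mod_ssl), here is an added example, not from the thread or from the Apache project, of the relevant mod_ssl directives in Apache 2.2 syntax, with the permissive stock values beside a corrected setting. The certificate paths and host name are placeholders. The cipher names follow OpenSSL's conventions, which is why the suites Nessus and THCSSLCheck reported (EXP-RC4-MD5, EXP-DES-CBC-SHA, EDH-RSA-DES-CBC-SHA) map directly onto the EXP and LOW aliases in the cipher string. Tomcat's JSSE HTTPS Connector in server.xml takes the equivalent through its ciphers attribute (JSSE suite names such as TLS_RSA_WITH_AES_128_CBC_SHA) rather than an OpenSSL string; the Schannel registry keys have no effect on either server.

```apache
# Added example, not from the original thread: Apache 2.2 mod_ssl fragment for
# httpd.conf / conf.d/ssl.conf. Paths and host names are placeholders.

Listen 443

# --- Permissive: the stock Apache 2.2 ssl.conf values ---
# SSLProtocol all
# SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
# "all" includes SSLv2, and "+LOW:+EXP" keeps the 40- and 56-bit suites
# (EXP-RC4-MD5, EXP-DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, ...) on offer.

# --- Corrected ---
<VirtualHost _default_:443>
    ServerName server.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key

    # Refuse SSLv2 entirely (append -SSLv3 as well if no legacy clients need it).
    SSLProtocol all -SSLv2

    # HIGH keeps only 128-bit and stronger suites. The explicit !EXP:!LOW
    # exclusions are redundant with HIGH but make the intent obvious in a
    # config review. !aNULL drops anonymous DH; !MD5 drops the RC4-MD5 family.
    SSLCipherSuite HIGH:!aNULL:!MD5:!EXP:!LOW

    # Let the server's preference order win instead of the client's.
    SSLHonorCipherOrder on
</VirtualHost>
```

Check what the string expands to with openssl ciphers -v 'HIGH:!aNULL:!MD5:!EXP:!LOW' before reloading, and after the reload confirm from another host that openssl s_client -connect server:443 -cipher EXP and the same command with -cipher LOW both fail to complete a handshake.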
 

Author Closing Comment

by: dakota5
ID: 38358497
I've included one of my own answers because it summarizes the input of the contributing expert.