Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Disable weak encryption on web server IIS

Posted on 2014-11-19
3
Medium Priority
?
553 Views
Last Modified: 2015-03-05
Hello Team,

I have a web server that has been reported to have weak TLSv1 ciphers:
o      EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
o      EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
o      EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
o      EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export

How can I disable this type of encryption?

Thank you.
0
Comment
Question by:exTechnology
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 6

Assisted Solution

by:Sir Learnalot
Sir Learnalot earned 664 total points
ID: 40452436
There is an official Microsoft article on this. Here you go :)

https://support.microsoft.com/kb/187498
0
 
LVL 4

Accepted Solution

by:
FrankCrast earned 668 total points
ID: 40456998
Hello, I just posted something to similar question posted previously. Feel free to use links below in addition to link above. Also KB article below (245030) has some good support on how to change your cipher order to remove older ciphers and also add more secure ones in priority order. You may also consider adding ECDHE ciphers for Perfect Forward Secrecy (if your systems support it) on the very top, followed by RC4, AES, etc. Google has a good write-up on this as well. Make sure to remove older (weak) ciphers you seem to have listed like RC2, MD5, DES.

First, make sure to disable SSL v3 in addition to v2 protocols. Check out articles below that can help with steps needed to enable TLS 1.0, 1.1, and 1.2 as well.

Mitigating SSL v3: https://technet.microsoft.com/en-us/library/security/3009008.aspx

Details for adding support for TLS 1.0/1.1/1.2 and cipher ordering: How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030 

Poodle attack (due to SSL vulnerability): http://www.scmagazine.com/mitm-attacks-can-force-a-downgrade-to-ssl-30/article/377513/

Hope this helps.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 668 total points
ID: 40505761
Download the latest version of IIS Crypto to make the necessary changes easier.

IIS Crypto
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
How does someone stay on the right and legal side of the hacking world?
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question