Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Disable weak encryption on web server IIS

Posted on 2014-11-19
3
Medium Priority
?
620 Views
Last Modified: 2015-03-05
Hello Team,

I have a web server that has been reported to have weak TLSv1 ciphers:
o      EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
o      EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
o      EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
o      EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export

How can I disable this type of encryption?

Thank you.
0
Comment
Question by:exTechnology
3 Comments
 
LVL 6

Assisted Solution

by:Sir Learnalot
Sir Learnalot earned 664 total points
ID: 40452436
There is an official Microsoft article on this. Here you go :)

https://support.microsoft.com/kb/187498
0
 
LVL 4

Accepted Solution

by:
FrankCrast earned 668 total points
ID: 40456998
Hello, I just posted something to similar question posted previously. Feel free to use links below in addition to link above. Also KB article below (245030) has some good support on how to change your cipher order to remove older ciphers and also add more secure ones in priority order. You may also consider adding ECDHE ciphers for Perfect Forward Secrecy (if your systems support it) on the very top, followed by RC4, AES, etc. Google has a good write-up on this as well. Make sure to remove older (weak) ciphers you seem to have listed like RC2, MD5, DES.

First, make sure to disable SSL v3 in addition to v2 protocols. Check out articles below that can help with steps needed to enable TLS 1.0, 1.1, and 1.2 as well.

Mitigating SSL v3: https://technet.microsoft.com/en-us/library/security/3009008.aspx

Details for adding support for TLS 1.0/1.1/1.2 and cipher ordering: How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030 

Poodle attack (due to SSL vulnerability): http://www.scmagazine.com/mitm-attacks-can-force-a-downgrade-to-ssl-30/article/377513/

Hope this helps.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 668 total points
ID: 40505761
Download the latest version of IIS Crypto to make the necessary changes easier.

IIS Crypto
0

Featured Post

WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question