Solved

Disable weak encryption on web server IIS

Posted on 2014-11-19
3
381 Views
Last Modified: 2015-03-05
Hello Team,

I have a web server that has been reported to have weak TLSv1 ciphers:
o      EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
o      EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
o      EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
o      EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export

How can I disable this type of encryption?

Thank you.
0
Comment
Question by:exTechnology
3 Comments
 
LVL 6

Assisted Solution

by:Sir Learnalot
Sir Learnalot earned 166 total points
ID: 40452436
There is an official Microsoft article on this. Here you go :)

https://support.microsoft.com/kb/187498
0
 
LVL 4

Accepted Solution

by:
FrankCrast earned 167 total points
ID: 40456998
Hello, I just posted something to similar question posted previously. Feel free to use links below in addition to link above. Also KB article below (245030) has some good support on how to change your cipher order to remove older ciphers and also add more secure ones in priority order. You may also consider adding ECDHE ciphers for Perfect Forward Secrecy (if your systems support it) on the very top, followed by RC4, AES, etc. Google has a good write-up on this as well. Make sure to remove older (weak) ciphers you seem to have listed like RC2, MD5, DES.

First, make sure to disable SSL v3 in addition to v2 protocols. Check out articles below that can help with steps needed to enable TLS 1.0, 1.1, and 1.2 as well.

Mitigating SSL v3: https://technet.microsoft.com/en-us/library/security/3009008.aspx

Details for adding support for TLS 1.0/1.1/1.2 and cipher ordering: How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030 

Poodle attack (due to SSL vulnerability): http://www.scmagazine.com/mitm-attacks-can-force-a-downgrade-to-ssl-30/article/377513/

Hope this helps.
0
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 167 total points
ID: 40505761
Download the latest version of IIS Crypto to make the necessary changes easier.

IIS Crypto
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now