Solved

Disable weak encryption on web server IIS

Posted on 2014-11-19
3
446 Views
Last Modified: 2015-03-05
Hello Team,

I have a web server that has been reported to have weak TLSv1 ciphers:
o      EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2-CBC(40) Mac=MD5 export
o      EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
o      EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES-CBC(56) Mac=SHA1 export
o      EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export

How can I disable this type of encryption?

Thank you.
0
Comment
Question by:exTechnology
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 6

Assisted Solution

by:Sir Learnalot
Sir Learnalot earned 166 total points
ID: 40452436
There is an official Microsoft article on this. Here you go :)

https://support.microsoft.com/kb/187498
0
 
LVL 4

Accepted Solution

by:
FrankCrast earned 167 total points
ID: 40456998
Hello, I just posted something to similar question posted previously. Feel free to use links below in addition to link above. Also KB article below (245030) has some good support on how to change your cipher order to remove older ciphers and also add more secure ones in priority order. You may also consider adding ECDHE ciphers for Perfect Forward Secrecy (if your systems support it) on the very top, followed by RC4, AES, etc. Google has a good write-up on this as well. Make sure to remove older (weak) ciphers you seem to have listed like RC2, MD5, DES.

First, make sure to disable SSL v3 in addition to v2 protocols. Check out articles below that can help with steps needed to enable TLS 1.0, 1.1, and 1.2 as well.

Mitigating SSL v3: https://technet.microsoft.com/en-us/library/security/3009008.aspx

Details for adding support for TLS 1.0/1.1/1.2 and cipher ordering: How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll: http://support.microsoft.com/kb/245030 

Poodle attack (due to SSL vulnerability): http://www.scmagazine.com/mitm-attacks-can-force-a-downgrade-to-ssl-30/article/377513/

Hope this helps.
0
 
LVL 15

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 167 total points
ID: 40505761
Download the latest version of IIS Crypto to make the necessary changes easier.

IIS Crypto
0

Featured Post

Webinar May 25: Cloud Security Strategies for SMBs

Small and mid-sized businesses are a driving force behind cloud adoption, and it’s no wonder: cloud benefits are BIG.  But for all the convenience that moving to the cloud provides, where does security come into play?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question