Applying Group Policy to mitigate SChannel Vulnerability companywide?

People,

Just recently Microsoft released some vulnerability advisories https://technet.microsoft.com/en-us/library/security/3046015.aspx regarding

Vulnerability in Schannel Could Allow Security Feature Bypass
Published: March 5, 2015 | Updated: March 5, 2015

Disable RSA key exchange ciphers using the Group Policy Object Editor (Windows Vista and later systems only)
You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor.
To disable the RSA key exchange ciphers you have to specify the ciphers that Windows should use by performing the following steps:
1. At a command prompt, type gpedit.msc and press Enter to start the Group Policy Object Editor.
2. Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
5. Follow the instructions labeled How to modify this setting, and enter the following cipher list:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
6. Click OK.
7. Close the Group Policy Object Editor and then restart your computer.

Because it affects pretty much almost all Windows versions, I wonder if applying the suggested group policy above on the default domain policy can make my environment more secure, or cause more problems in terms of Exchange Server, SQL Server, SharePoint, etc.?

How do you apply the Group Policy above with minimal disruptions to the Microsoft Enterprise business applications?
Senior IT System Engineer (IT Professional) Asked:

btan (Exec Consultant) Commented:
As per the advisory, Windows servers, with the exception of Windows Server 2003, are not impacted in the default configuration (export ciphers disabled). Windows Server 2003 does not allow for the enabling or disabling of individual ciphers. What remains are the Windows clients, which are affected too when using IE. In fact, I tend to be conservative and test it out first, especially on Windows Server and client, rather than do a blanket rollout to all servers via GPO. Note that it can break SSL-based applications, as the crypto with such higher preference may not be supported by the Windows client, or the application server may not support it. I go for individual servers first and make sure it is fine with various clients before rolling out widely, and then go to the clients as well.
- Think about your troubleshooting needs.
- Create a baseline GPO and deploy it to a test group, or multiple test groups.
- Roll out the change slowly, and in stages.
- Make sure you have something in place to handle future changes.

You can check out IISCrypto
What Does IIS Crypto Do?

IIS Crypto updates the registry following this article from Microsoft. We have tested IIS Crypto on Windows Server 2003, 2008, 2008 R2 and 2012 and 2012 R2.
Note - Windows Server 2003 does not support the reordering of SSL cipher suites offered by IIS. However, you can still disable weak protocols and ciphers. Also, Windows Server 2003 does not come with the AES cipher suite. Microsoft has a hotfix for this.
https://www.nartac.com/Products/IISCrypto/
What is the FREAK attack and does IIS Crypto stop it?

The FREAK attack is a new vulnerability that allows HTTPS traffic to be intercepted. It does this by trying to force the server to use old cipher suites that have long been insecure. If you are running Windows 2008 and above you will not be vulnerable in the default OS configuration. However, Windows 2003 is vulnerable in the default configuration. The Best Practices template in IIS Crypto solves this by removing the affected cipher suites. You do not need to download a new version as these ciphers have been disabled by IIS Crypto since the first version.
https://www.nartac.com/Products/IISCrypto/FAQ.aspx
Senior IT System Engineer (IT Professional) Author Commented:
Ah cool,

In my company I've got mostly 2008 R2 and above, up to 2012 R2.
So only the very few Windows Server 2003 machines are affected by this bug, and the workstations?
btan (Exec Consultant) Commented:
As long as Schannel does not disable support for TLS export cipher suites, or minimally has a workaround using the crypto reordering while waiting for the patch, the Windows machine is considered affected. For now, affected versions of Windows include Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and 8.1, Windows Server 2012, and Windows RT. Also, those known to be safe are Chrome for Windows and all versions of Firefox.

It is good to check out www.freakattack.com, which has good info as well. There are also online tools like the SSL FREAK Check or Qualys SSL Labs' SSL Server Test, which can also identify other security problems.

But as a whole, disable support for TLS export cipher suites.
Senior IT System Engineer (IT Professional) Author Commented:
OK, so in conclusion Windows Server 2012 R2 is not affected?

Have you applied the recommended GPO to the client OS at your company or client yet?
btan (Exec Consultant) Commented:
Yes, as stated by Microsoft, as it is disabled. But it is good to verify, as that is in the default config state. In Windows, the names of export ciphers contain the string "EXPORT", e.g. those below, and there is an online tool to ascertain: https://tools.keycdn.com/freak
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
NULL

Not yet, as it is managed centrally, but I do advise testing in staging, which all enterprises should have, especially against their web apps; there are cases where it breaks even browsing to internet sites when IE is used.
Found a fix: Once we configure the group policy to "Enabled" and reboot, I'd suggest re-configuring the same group policy to "Not Configured" and doing another reboot. Now it should be fine with IE. You can run the test again with these links [test both the links]:
https://cve.freakattack.com/
https://cve2.freakattack.com/

If both the links don't load in IE, then the fix is successful.
http://www.ghacks.net/2015/03/06/check-if-windows-is-affected-by-the-freak-attack-vulnerability/#comment-3229937

For info, there is a .reg file shared here (in case there is no gpedit on a standalone machine):
I have made a reg Key (freak.zip) on my site.
http://www.deskmodder.de/blog/2015/03/06/freak-sicherheitsluecke-ueberpruefen-und-einstellungen-die-microsoft-empfiehlt/
http://www.ghacks.net/2015/03/06/check-if-windows-is-affected-by-the-freak-attack-vulnerability/#comment-3229615
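
One way to check a cipher suite order during the staged rollout discussed above, as an added PowerShell example that is not part of the original posts or of Microsoft's advisory: it flags suites whose names contain EXPORT or NULL or that use plain RSA key exchange, and checks the length of the policy string. The function name and the sample list are constructed for illustration; the policy registry path and the 1,023-character limit come from Microsoft's documentation of the SSL Cipher Suite Order setting, not from this page.

```powershell
# Added example: audit an SSL Cipher Suite Order string by suite name only.
function Test-CipherSuiteOrder {
    param([Parameter(Mandatory)][string]$Order)

    # Normalise: the policy expects one comma-separated line without whitespace.
    $suites = @($Order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $seen   = @{}
    $rows = foreach ($s in $suites) {
        $issue = if     ($seen.ContainsKey($s))        { 'duplicate entry' }
                 elseif ($s -match 'EXPORT')           { 'export-grade suite' }
                 elseif ($s -match '(^|_)NULL(_|$)')   { 'no encryption' }
                 elseif ($s -match '^(TLS|SSL)_RSA_')  { 'RSA key exchange' }
                 else                                  { $null }
        $seen[$s] = $true
        [pscustomobject]@{ Suite = $s; Issue = $issue }
    }
    $joined = $suites -join ','
    [pscustomobject]@{
        SuiteCount = $suites.Count
        Length     = $joined.Length
        FitsPolicy = $joined.Length -le 1023   # documented limit of the policy string
        Findings   = @($rows | Where-Object { $_.Issue })
    }
}

# Value written by the "SSL Cipher Suite Order" policy (absent when Not Configured).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$val = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions

# Constructed sample used when no policy is set: two suites from the advisory list,
# one export suite named in the thread, and one plain RSA key-exchange suite.
$sample = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,' +
          'TLS_RSA_EXPORT_WITH_RC4_40_MD5,TLS_RSA_WITH_AES_128_CBC_SHA'

$order  = if ($val) { @($val) -join ',' } else { $sample }
$report = Test-CipherSuiteOrder -Order $order
$report | Select-Object SuiteCount, Length, FitsPolicy
$report.Findings | Format-Table -AutoSize
```

Run against the constructed sample, the findings are the export suite and the RSA key-exchange suite; run on a test-group machine after the GPO applies, an empty findings table and `FitsPolicy = True` indicate the advisory list was stored intact.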
Senior IT System Engineer (IT Professional) Author Commented:
Cool, many thanks man for the quick explanation.

I'll try that tomorrow in each server type and from the workstation randomly.
Senior IT System Engineer (IT Professional) Author Commented:
Thanks!
btan (Exec Consultant) Commented:
Thanks - do also note the recently released MS patch:
https://technet.microsoft.com/library/security/MS15-031
Senior IT System Engineer (IT Professional) Author Commented:
Cool, many thanks once again!
koit_tech1 Commented:
IIS Crypto worked the FREAK vulnerability, thanks 'btan'.
btan (Exec Consultant) Commented:
glad to have helped all

Question has a verified solution.
