Albert Widjaja

asked on
Applying Group Policy to mitigate SChannel Vulnerability companywide ?

People,

Just recently Microsoft released some vulnerability advisories https://technet.microsoft.com/en-us/library/security/3046015.aspx regarding

Vulnerability in Schannel Could Allow Security Feature Bypass
Published: March 5, 2015 | Updated: March 5, 2015

Disable RSA key exchange ciphers using the Group Policy Object Editor (Windows Vista and later systems only)
You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor.
To disable the RSA key exchange ciphers you have to specify the ciphers that Windows should use by performing the following steps:
At a command prompt, type gpedit.msc and press Enter to start the Group Policy Object Editor.
Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
Follow the instructions labeled How to modify this setting, and enter the following cipher list:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Click OK
Close the Group Policy Object Editor and then restart your computer.

Because it affects pretty much all Windows versions, I wonder if applying the suggested group policy above to the Default Domain Policy would make my environment more secure or cause more problems in terms of Exchange Server, SQL Server, SharePoint, etc.?

How do you apply the Group Policy above with minimal disruption to the Microsoft enterprise business applications?
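Before pushing the cipher list into the Default Domain Policy, a practitioner would first want a way to verify, per server, what the GPO actually wrote and whether any RSA key exchange suite (the TLS_RSA_* names the advisory removes) is still negotiable. The following PowerShell audit script is an added example, not part of the thread or of Microsoft's advisory. It assumes the documented policy registry location HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 (value "Functions"), which is where the "SSL Cipher Suite Order" setting lands after gpupdate, and it only uses Get-TlsCipherSuite when the cmdlet exists (Windows 8.1 / Server 2012 R2 and later). The function names Get-PolicyCipherSuiteOrder and Test-CipherSuitePolicy are my own.

```powershell
# Added example (not from the original thread): audit the SChannel cipher suite
# order written by the "SSL Cipher Suite Order" GPO and flag any suite that still
# uses RSA key exchange (TLS_RSA_*). Run elevated after "gpupdate /force".
# Written for PowerShell 2.0+ (no -notin, no [ordered]) so it also runs on 2008 R2.

# The cipher list from the advisory quoted in the question, in the same order.
$RecommendedSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA'
)

# Registry location the GPO setting is written to (documented SChannel policy path).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-PolicyCipherSuiteOrder {
    # Returns the suites configured by policy, or $null when no policy is applied
    # (SChannel then falls back to the OS default order, RSA key exchange included).
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-CipherSuitePolicy {
    param([string[]]$Expected = $RecommendedSuites)
    $configured = Get-PolicyCipherSuiteOrder
    $result = @{
        ComputerName      = $env:COMPUTERNAME
        PolicyApplied     = ($null -ne $configured)
        RsaKeyExchange    = @()
        MissingFromPolicy = @()
        ExtraInPolicy     = @()
    }
    if ($configured) {
        # Only TLS_RSA_* suites use RSA for key exchange; ECDHE_RSA / DHE_RSA use RSA
        # for authentication only and are what the advisory keeps.
        $result.RsaKeyExchange    = @($configured | Where-Object { $_ -like 'TLS_RSA_*' })
        $result.MissingFromPolicy = @($Expected   | Where-Object { $configured -notcontains $_ })
        $result.ExtraInPolicy     = @($configured | Where-Object { $Expected -notcontains $_ })
    }
    # On 2012 R2 and later, also capture the effective list, i.e. the policy merged
    # with what this OS build actually supports, so a typo in the GPO shows up here.
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        $effective = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
        $result.EffectiveRsaKeyExchange = @($effective | Where-Object { $_ -like 'TLS_RSA_*' })
    }
    return New-Object PSObject -Property $result
}

# Local run. For a pilot OU, wrap the call in
# Invoke-Command -ComputerName <pilot servers> -ScriptBlock { ... } and review the
# RsaKeyExchange / MissingFromPolicy columns before linking the GPO at domain level.
Test-CipherSuitePolicy | Format-List
```

Linking the setting to a pilot OU (or a WMI-filtered GPO) for the Exchange, SQL and SharePoint hosts first, and running this check there, answers the "more secure or more problems" question with data: if PolicyApplied is true and RsaKeyExchange is empty, the host is no longer offering RSA key exchange, and any client or integration that only speaks TLS_RSA_* suites will show up as a handshake failure on that pilot rather than domain-wide.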
SOLUTION
btan
Albert Widjaja

ASKER
Ah cool,

in my company I have mostly 2008 R2 and above, up to 2012 R2.
So only very few Windows Server 2003 machines are affected by this bug, and the workstations?
SOLUTION
OK, so in conclusion Windows Server 2012 R2 is not affected?

Have you applied the recommended GPO to the client OS at your company or at your clients yet?
ASKER CERTIFIED SOLUTION
Cool, many thanks man for the quick explanation.

I'll try that tomorrow on each server type and on a random selection of workstations.
Thanks !
btan

Thanks - do also note the recent MS patch release
https://technet.microsoft.com/library/security/MS15-031
cool, many thanks once again !
IIS Crypto worked for the FREAK vulnerability, thanks 'btan'.
glad to have helped all