Senior Systems Engineer asked:

Applying Group Policy to mitigate SChannel Vulnerability companywide?

People,

Just recently Microsoft released some vulnerability advisories https://technet.microsoft.com/en-us/library/security/3046015.aspx regarding

Vulnerability in Schannel Could Allow Security Feature Bypass
Published: March 5, 2015 | Updated: March 5, 2015

Disable RSA key exchange ciphers using the Group Policy Object Editor (Windows Vista and later systems only)
You can disable the RSA key exchange ciphers in Windows Vista and later systems by modifying the SSL Cipher Suite order in the Group Policy Object Editor.
To disable the RSA key exchange ciphers you have to specify the ciphers that Windows should use by performing the following steps:
1. At a command prompt, type gpedit.msc and press Enter to start the Group Policy Object Editor.
2. Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
5. Follow the instructions labeled How to modify this setting, and enter the following cipher list:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
6. Click OK.
7. Close the Group Policy Object Editor and then restart your computer.

Because it affects pretty much almost all Windows versions, I wonder if applying the following suggested group policy on the default domain policy can make my environment more secure or cause more problems in terms of Exchange Server, SQL Server, SharePoint, etc.?

How do you apply the Group Policy above with minimal disruption to the Microsoft enterprise business applications?
Topics: Active Directory, Microsoft 365 Enterprise, OS Security
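As an added check (example code written for this page, not from the question, from Microsoft, or from Experts Exchange): before pasting a suite list into the SSL Cipher Suite Order setting, classify each suite by its key-exchange method and flag anything that would still negotiate static RSA key exchange or an EXPORT grade, which is what the advisory's list is designed to exclude. The sample order is constructed: it mixes suites from the advisory's list with two that the mitigation is meant to drop.

```python
# Added example: audit a proposed SSL Cipher Suite Order string before it goes
# into the GPO. Not Microsoft's code and not from the original question.
import re

# Constructed sample input: four suites from the advisory's list plus two
# suites a default Windows order would contain that the mitigation must drop.
SAMPLE_ORDER = ",".join([
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",      # static RSA key exchange (no PFS)
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",    # export grade, the kind FREAK abuses
])

# A Windows suite name is TLS_<keyexchange[_auth]>_WITH_<cipher>_<mac>[_Pxxx].
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<rest>[A-Z0-9_]+)$")
# Key-exchange/auth combinations used by the advisory's list (all ephemeral).
FORWARD_SECRET = {"ECDHE_RSA", "ECDHE_ECDSA", "DHE_RSA", "DHE_DSS"}


def key_exchange(suite: str) -> str:
    """Return the key-exchange/auth part of a suite name, e.g. 'ECDHE_RSA' or 'RSA'."""
    m = SUITE_RE.match(suite.strip())
    if not m:
        raise ValueError(f"not a TLS suite name: {suite!r}")
    return m.group("kx")


def audit_order(order: str) -> dict:
    """Split a comma-separated suite order and sort suites into keep/drop buckets."""
    report = {"keep": [], "rsa_kx": [], "export": [], "review": []}
    for suite in (s.strip() for s in order.split(",") if s.strip()):
        kx = key_exchange(suite)
        if "EXPORT" in suite:            # export-grade, always drop
            report["export"].append(suite)
        elif kx == "RSA":                # RSA key exchange, the advisory's target
            report["rsa_kx"].append(suite)
        elif kx in FORWARD_SECRET:       # ephemeral (EC)DH: safe to keep
            report["keep"].append(suite)
        else:                            # anything else needs a human look
            report["review"].append(suite)
    return report


def hardened_order(order: str) -> str:
    """Comma-joined string ready to paste into the GPO, offending suites removed."""
    return ",".join(audit_order(order)["keep"])
```

The joined string preserves the original order, which matters because Windows negotiates suites in the order listed.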

Last comment: btan, 8/22/2022
SOLUTION by btan:
Senior Systems Engineer (ASKER):
Ah cool,

in my company I got mostly 2008 R2 and above, up to 2012 R2.
So only very few Windows Server 2003 machines are affected by this bug, and the workstations?
SOLUTION by btan:
Senior Systems Engineer (ASKER):
OK, so in conclusion Windows Server 2012 R2 is not affected?

Have you applied the recommended GPO to the client OS at your company or at a client yet?
ASKER CERTIFIED SOLUTION by btan:
Senior Systems Engineer (ASKER):
Cool, many thanks man for the quick explanation.

I'll try that tomorrow on each server type and on workstations at random.
Senior Systems Engineer (ASKER):
Thanks!
btan:
Thanks - do also note the recent patch MS released:
https://technet.microsoft.com/library/security/MS15-031
Senior Systems Engineer (ASKER):
Cool, many thanks once again!
koit_tech1:
IIS Crypto worked for the FREAK vulnerability, thanks 'btan'.
btan:
Glad to have helped all.