Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Compliance check help

Posted on 2016-11-01
9
Medium Priority
?
65 Views
Last Modified: 2016-12-19
We had to run a compliance check for the computer system and it failed. The following are notes given to rectify the faults.

I am unsure what they are and what to do, any help will be much appreciated.

1.Disable SSLv3 support to avoid this vulnerability.
Examples to disable SSLv3.
nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 is not listed. For example: ssl_protocols TLSv2 TLSv1.1 TLSv1.2;
Apache: Add -SSLv3 to the "SSLProtocol" line.

2.An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.

3. Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h or later to remediate this vulnerability.
For embedded systems, please contact the embedded system vendor for updates.

4.RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider.

Thanks In advance.
0
Comment
Question by:Keith Owen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 41868656
Is the OS a linux variant or a Windows machine?
0
 

Author Comment

by:Keith Owen
ID: 41868742
Windows server 2012 R2
0
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 600 total points (awarded by participants)
ID: 41868767
Use IIS Crypto to set your cipher suites
https://www.nartac.com/Products/IISCrypto

Here is a good list of suggested suites and their order
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Open in new window

https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt
I might skip the last one and only use TLS

That and you need a public ssl certificate and not use the self signed one
0
Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

 
LVL 65

Accepted Solution

by:
btan earned 1400 total points (awarded by participants)
ID: 41869573
For (1), you can disable at IE and at registry level at the Server 2012
See MS advisory on steps https://technet.microsoft.com/en-us/library/security/3009008.aspx

For (2), ensure the SSL certificate root certificate (the issuer of the cert) is also stored in "Trusted Root CA" cert store. You can manually install the root certificate of a private CA into the Trusted Root Certification Authorities certificate store on a computer by using the CertMgr tool. See MS article for the step @ https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx

For (3), it seems that you have Openssl installed or it comes with one of the webserver. The older version is flawed as using weak cipher and have vulnerable codes that need to be patched. You can have the latest package installed. See steps @ https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html

For (4), pls see
By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx
Suggest you set for "SSL (TLS 1.0)" and "Encryption level" to High. This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. However, clients that do not support this level of encryption will not be able to connect. Do test out otherwise for legacy client environment, you may consider "Client Compatible" but this can be lower in encryption and still flagged the issue
0
 

Author Comment

by:Keith Owen
ID: 41873589
Thanks for the comments, I will have a proper read through over the weekend.
0
 
LVL 65

Expert Comment

by:btan
ID: 41898866
As per advised for consideration.
0
 

Author Comment

by:Keith Owen
ID: 41930548
Ok I have a update for this.....any replies please make is simple as I am not very good in this area :)

Do I close port 50001 ?
unnamed.jpg
0
 
LVL 65

Expert Comment

by:btan
ID: 41930686
If you need ssl, you will need the port. It looks like it is more of your server that have yet to be harden to upgrade openssl to latest.

Suggest you open up another new question for follow up queries. Thanks.
0
 

Author Comment

by:Keith Owen
ID: 41930695
Ok thanks
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question