Solved

Compliance check help

Posted on 2016-11-01
9
33 Views
Last Modified: 2016-12-19
We had to run a compliance check for the computer system and it failed. The following are notes given to rectify the faults.

I am unsure what they are and what to do, any help will be much appreciated.

1.Disable SSLv3 support to avoid this vulnerability.
Examples to disable SSLv3.
nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 is not listed. For example: ssl_protocols TLSv2 TLSv1.1 TLSv1.2;
Apache: Add -SSLv3 to the "SSLProtocol" line.

2.An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.

3. Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h or later to remediate this vulnerability.
For embedded systems, please contact the embedded system vendor for updates.

4.RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider.

Thanks In advance.
0
Comment
Question by:Keith Owen
  • 4
  • 3
  • 2
9 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 41868656
Is the OS a linux variant or a Windows machine?
0
 

Author Comment

by:Keith Owen
ID: 41868742
Windows server 2012 R2
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points (awarded by participants)
ID: 41868767
Use IIS Crypto to set your cipher suites
https://www.nartac.com/Products/IISCrypto

Here is a good list of suggested suites and their order
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Open in new window

https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt
I might skip the last one and only use TLS

That and you need a public ssl certificate and not use the self signed one
0
 
LVL 62

Accepted Solution

by:
btan earned 350 total points (awarded by participants)
ID: 41869573
For (1), you can disable at IE and at registry level at the Server 2012
See MS advisory on steps https://technet.microsoft.com/en-us/library/security/3009008.aspx

For (2), ensure the SSL certificate root certificate (the issuer of the cert) is also stored in "Trusted Root CA" cert store. You can manually install the root certificate of a private CA into the Trusted Root Certification Authorities certificate store on a computer by using the CertMgr tool. See MS article for the step @ https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx

For (3), it seems that you have Openssl installed or it comes with one of the webserver. The older version is flawed as using weak cipher and have vulnerable codes that need to be patched. You can have the latest package installed. See steps @ https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html

For (4), pls see
By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx
Suggest you set for "SSL (TLS 1.0)" and "Encryption level" to High. This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. However, clients that do not support this level of encryption will not be able to connect. Do test out otherwise for legacy client environment, you may consider "Client Compatible" but this can be lower in encryption and still flagged the issue
0
ScreenConnect 6.0 Free Trial

Explore all the enhancements in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

 

Author Comment

by:Keith Owen
ID: 41873589
Thanks for the comments, I will have a proper read through over the weekend.
0
 
LVL 62

Expert Comment

by:btan
ID: 41898866
As per advised for consideration.
0
 

Author Comment

by:Keith Owen
ID: 41930548
Ok I have a update for this.....any replies please make is simple as I am not very good in this area :)

Do I close port 50001 ?
unnamed.jpg
0
 
LVL 62

Expert Comment

by:btan
ID: 41930686
If you need ssl, you will need the port. It looks like it is more of your server that have yet to be harden to upgrade openssl to latest.

Suggest you open up another new question for follow up queries. Thanks.
0
 

Author Comment

by:Keith Owen
ID: 41930695
Ok thanks
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now