
Compliance check help

We had to run a compliance check for the computer system and it failed. The following are notes given to rectify the faults.

I am unsure what they are and what to do, any help will be much appreciated.

1. Disable SSLv3 support to avoid this vulnerability.
Examples to disable SSLv3.
nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 are not listed. For example: ssl_protocols TLSv2 TLSv1.1 TLSv1.2;
Apache: Add -SSLv3 to the "SSLProtocol" line.

2. An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs to the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are generally created for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.

3. Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h or later to remediate this vulnerability.
For embedded systems, please contact the embedded system vendor for updates.

4. RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider.

Thanks in advance.
Keith Owen
2 Solutions
David Johnson, CD, MVP (Owner) commented:
Is the OS a linux variant or a Windows machine?
Keith Owen (Author) commented:
Windows server 2012 R2
David Johnson, CD, MVP (Owner) commented:
Use IIS Crypto to set your cipher suites

Here is a good list of suggested suites and their order


I might skip the last one and only use TLS

That, and you need a public SSL certificate rather than the self-signed one.
btan (Exec Consultant) commented:
For (1), you can disable it in IE and at the registry level on Server 2012.
See the MS advisory for the steps: https://technet.microsoft.com/en-us/library/security/3009008.aspx

For (2), ensure the SSL certificate's root certificate (the issuer of the cert) is also stored in the "Trusted Root CA" cert store. You can manually install the root certificate of a private CA into the Trusted Root Certification Authorities certificate store on a computer by using the CertMgr tool. See the MS article for the steps at https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx

For (3), it seems that you have OpenSSL installed, or it comes with one of the web servers. The older version is flawed as it uses weak ciphers and has vulnerable code that needs to be patched. You can have the latest package installed. See the steps at https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html

For (4), please see:
By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
I suggest you set the security layer to "SSL (TLS 1.0)" and "Encryption level" to High. This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. However, clients that do not support this level of encryption will not be able to connect. Do test it out; otherwise, for a legacy client environment, you may consider "Client Compatible", but this can be lower in encryption and the issue may still be flagged.
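The registry-level changes for (1) and the RDP settings for (4) that btan refers to can be audited and applied with a script like the following. This is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2012 R2 and uses the documented Schannel and Terminal Server registry locations.

```powershell
# Added example: audit (and with -Apply, set) the Schannel and RDP registry
# values discussed in this thread. Run elevated; a reboot is needed for the
# Schannel changes to take effect.
#Requires -RunAsAdministrator
param([switch]$Apply)   # without -Apply the script only reports

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$rdp      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RegDword($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-RegDword($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# (1) Disable SSL 2.0 and SSL 3.0 on both the server and client side of Schannel.
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "$proto\$side"
        $enabled = Get-RegDword $key 'Enabled'
        # A missing value means "OS default", which on 2012 R2 leaves SSL 3.0 enabled,
        # so only an explicit 0 counts as disabled.
        $state = if ($enabled -eq 0) { 'disabled' } else { 'ENABLED (finding)' }
        Write-Host ("{0,-8} {1,-6} {2}" -f $proto, $side, $state)
        if ($Apply) {
            Set-RegDword $key 'Enabled' 0
            Set-RegDword $key 'DisabledByDefault' 1
        }
    }
}

# (4) RDP: require the TLS security layer and High encryption.
$layer = Get-RegDword $rdp 'SecurityLayer'      # 0 = RDP, 1 = Negotiate, 2 = SSL/TLS
$level = Get-RegDword $rdp 'MinEncryptionLevel' # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
Write-Host "RDP SecurityLayer=$layer MinEncryptionLevel=$level"
if ($Apply) {
    Set-RegDword $rdp 'SecurityLayer' 2
    Set-RegDword $rdp 'MinEncryptionLevel' 3
    Write-Host 'Applied. Reboot for the Schannel changes to take effect.'
}
```

Run it once without -Apply to see which values the scanner would still flag, then with -Apply and re-run the compliance check after the reboot.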
Keith Owen (Author) commented:
Thanks for the comments, I will have a proper read through over the weekend.
btan (Exec Consultant) commented:
As per advised for consideration.
Keith Owen (Author) commented:
Ok, I have an update for this..... any replies, please make it simple as I am not very good in this area :)

Do I close port 50001 ?
btan (Exec Consultant) commented:
If you need SSL, you will need the port. It looks like it is more that your server has yet to be hardened by upgrading OpenSSL to the latest version.

Suggest you open up another new question for follow up queries. Thanks.
Keith Owen (Author) commented:
Ok thanks