Solved

Compliance check help

Posted on 2016-11-01
9
37 Views
Last Modified: 2016-12-19
We had to run a compliance check for the computer system and it failed. The following are notes given to rectify the faults.

I am unsure what they are and what to do, any help will be much appreciated.

1.Disable SSLv3 support to avoid this vulnerability.
Examples to disable SSLv3.
nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 is not listed. For example: ssl_protocols TLSv2 TLSv1.1 TLSv1.2;
Apache: Add -SSLv3 to the "SSLProtocol" line.

2.An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.

3. Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h or later to remediate this vulnerability.
For embedded systems, please contact the embedded system vendor for updates.

4.RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider.

Thanks In advance.
0
Comment
Question by:Keith Owen
  • 4
  • 3
  • 2
9 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 41868656
Is the OS a linux variant or a Windows machine?
0
 

Author Comment

by:Keith Owen
ID: 41868742
Windows server 2012 R2
0
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points (awarded by participants)
ID: 41868767
Use IIS Crypto to set your cipher suites
https://www.nartac.com/Products/IISCrypto

Here is a good list of suggested suites and their order
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Open in new window

https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt
I might skip the last one and only use TLS

That and you need a public ssl certificate and not use the self signed one
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 63

Accepted Solution

by:
btan earned 350 total points (awarded by participants)
ID: 41869573
For (1), you can disable at IE and at registry level at the Server 2012
See MS advisory on steps https://technet.microsoft.com/en-us/library/security/3009008.aspx

For (2), ensure the SSL certificate root certificate (the issuer of the cert) is also stored in "Trusted Root CA" cert store. You can manually install the root certificate of a private CA into the Trusted Root Certification Authorities certificate store on a computer by using the CertMgr tool. See MS article for the step @ https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx

For (3), it seems that you have Openssl installed or it comes with one of the webserver. The older version is flawed as using weak cipher and have vulnerable codes that need to be patched. You can have the latest package installed. See steps @ https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html

For (4), pls see
By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx
Suggest you set for "SSL (TLS 1.0)" and "Encryption level" to High. This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. However, clients that do not support this level of encryption will not be able to connect. Do test out otherwise for legacy client environment, you may consider "Client Compatible" but this can be lower in encryption and still flagged the issue
0
 

Author Comment

by:Keith Owen
ID: 41873589
Thanks for the comments, I will have a proper read through over the weekend.
0
 
LVL 63

Expert Comment

by:btan
ID: 41898866
As per advised for consideration.
0
 

Author Comment

by:Keith Owen
ID: 41930548
Ok I have a update for this.....any replies please make is simple as I am not very good in this area :)

Do I close port 50001 ?
unnamed.jpg
0
 
LVL 63

Expert Comment

by:btan
ID: 41930686
If you need ssl, you will need the port. It looks like it is more of your server that have yet to be harden to upgrade openssl to latest.

Suggest you open up another new question for follow up queries. Thanks.
0
 

Author Comment

by:Keith Owen
ID: 41930695
Ok thanks
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

At the beginning of the year, the IT world was taken hostage by the shareholders of LogMeIn. Their free product, which had been free for ten years, all of the sudden became a "pay" product. Now, I am the first person who will say that software maker…
Let’s list some of the technologies that enable smooth teleworking. 
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question