?
Solved

Compliance check help

Posted on 2016-11-01
9
Medium Priority
?
81 Views
Last Modified: 2016-12-19
We had to run a compliance check for the computer system and it failed. The following are notes given to rectify the faults.

I am unsure what they are and what to do, any help will be much appreciated.

1.Disable SSLv3 support to avoid this vulnerability.
Examples to disable SSLv3.
nginx: list specific allowed protocols in the "ssl_protocols" line. Make sure SSLv2 and SSLv3 is not listed. For example: ssl_protocols TLSv2 TLSv1.1 TLSv1.2;
Apache: Add -SSLv3 to the "SSLProtocol" line.

2.An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
The client can trust that the Server Certificate belongs the server only if it is signed by a mutually trusted third-party Certificate Authority (CA). Self-signed certificates are created generally for testing purposes or to avoid paying third-party CAs. These should not be used on any production or critical servers.

3. Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h or later to remediate this vulnerability.
For embedded systems, please contact the embedded system vendor for updates.

4.RDP needs to be configured to use strong encryption methods or use SSL as the privacy and integrity provider.

Thanks In advance.
0
Comment
Question by:Keith Owen
  • 4
  • 3
  • 2
9 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 41868656
Is the OS a linux variant or a Windows machine?
0
 

Author Comment

by:Keith Owen
ID: 41868742
Windows server 2012 R2
0
 
LVL 84

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 600 total points (awarded by participants)
ID: 41868767
Use IIS Crypto to set your cipher suites
https://www.nartac.com/Products/IISCrypto

Here is a good list of suggested suites and their order
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Open in new window

https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt
I might skip the last one and only use TLS

That and you need a public ssl certificate and not use the self signed one
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 65

Accepted Solution

by:
btan earned 1400 total points (awarded by participants)
ID: 41869573
For (1), you can disable at IE and at registry level at the Server 2012
See MS advisory on steps https://technet.microsoft.com/en-us/library/security/3009008.aspx

For (2), ensure the SSL certificate root certificate (the issuer of the cert) is also stored in "Trusted Root CA" cert store. You can manually install the root certificate of a private CA into the Trusted Root Certification Authorities certificate store on a computer by using the CertMgr tool. See MS article for the step @ https://technet.microsoft.com/en-us/library/cc754841(v=ws.11).aspx

For (3), it seems that you have Openssl installed or it comes with one of the webserver. The older version is flawed as using weak cipher and have vulnerable codes that need to be patched. You can have the latest package installed. See steps @ https://www.tbs-certificates.co.uk/FAQ/en/openssl-windows.html

For (4), pls see
By default, Remote Desktop Services connections are encrypted at the highest level of security available. However, some older versions of the Remote Desktop Connection client do not support this high level of encryption. If your network contains such legacy clients, you can set the encryption level of the connection to send and receive data at the highest encryption level supported by the client.
https://technet.microsoft.com/en-us/library/cc770833(v=ws.11).aspx
Suggest you set for "SSL (TLS 1.0)" and "Encryption level" to High. This level encrypts data sent from the client to the server and from the server to the client by using 128-bit encryption. However, clients that do not support this level of encryption will not be able to connect. Do test out otherwise for legacy client environment, you may consider "Client Compatible" but this can be lower in encryption and still flagged the issue
0
 

Author Comment

by:Keith Owen
ID: 41873589
Thanks for the comments, I will have a proper read through over the weekend.
0
 
LVL 65

Expert Comment

by:btan
ID: 41898866
As per advised for consideration.
0
 

Author Comment

by:Keith Owen
ID: 41930548
Ok I have a update for this.....any replies please make is simple as I am not very good in this area :)

Do I close port 50001 ?
unnamed.jpg
0
 
LVL 65

Expert Comment

by:btan
ID: 41930686
If you need ssl, you will need the port. It looks like it is more of your server that have yet to be harden to upgrade openssl to latest.

Suggest you open up another new question for follow up queries. Thanks.
0
 

Author Comment

by:Keith Owen
ID: 41930695
Ok thanks
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question