SSL Server test

Hi All,
I am using Windows Server 2012 R2 Standard, hosted as the gateway server. I ran IIS Crypto as well, but the overall rating is still only "B".

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128


Can anyone help with this?
Kishore M asked:
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi

Can you print-screen the IIS Crypto settings?

Cheers
0
Kishore M (Author) commented:
Hi, attached are the Cipher Suites and SChannel settings from IIS Crypto.
Cipher-settings1.JPG
Cipher-settings2.JPG
SChannel-settings.JPG
1
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi

I would disable the TLS-DHE ciphers and, in SChannel, unselect TLS 1.0 and 1.1, SHA and Diffie-Hellman.
That should bring an A rating.

Cheers
0
Kishore M (Author) commented:
Hi, I have tried the same steps: unselected all TLS-DHE ciphers under Cipher Suites and, in SChannel, unselected TLS 1.0 and 1.1, SHA and Diffie-Hellman.

Still no luck, I am getting only a B grade.

I am using the Windows Server 2012 R2 Standard operating system.

Signature algorithm is SHA256withRSA


TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK   256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK   128
0
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
After the changes, did you reboot the server?
0
Kishore M (Author) commented:
I rebooted the server as well.
0
btan (Exec Consultant) commented:
Do check out this site ("Guide to Deploying Diffie-Hellman for TLS") for admins, as it pertains to the weak DH cipher discovered in the past: https://weakdh.org/sysadmin.html

Disable Diffie-Hellman under Key Exchanges Enabled:
1. Use IISCrypto to apply the "Best Practices" template
2. Disable TLS 1.0 (assuming SQL is not on the server or these updates have been applied, and RDS/RDWeb is not deployed)
3. Disable MD5 under Hashes Enabled
4. Disable Diffie-Hellman under Key Exchanges Enabled
5. Apply and reboot
http://robwillis.info/2015/10/hardening-ssl-tls-connections-on-windows-server-2008-r2-2012-r2/
0
Kishore M (Author) commented:
Hi, you have given the best solution, but I am not sure why the IIS Crypto settings are not making any changes, so I am still getting only a B grade.
0
btan (Exec Consultant) commented:
It may be some apps, but if, after rebooting the machine, DH 1024 or TLS 1.0/1.1 still exist according to IIS Crypto, then A may not be achievable. It may be useful if you can share the findings, so that we understand what reason the online report gives for the B.
0
btan (Exec Consultant) commented:
Please kindly advise of any further queries. Thanks.
0
Kishore M (Author) commented:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK  256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK  128

I am facing the issue with these two keys above. Can you please help me out?
1
btan (Exec Consultant) commented:
If you can't use 2048-bit (or larger) DH parameters (and generate new parameters on a regular basis), you should probably disable DHE.

The grade should be capped to B unless they support ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and prioritize it over any CBC suites, or only support suites that use ECDHE_ECDSA with an AEAD cipher.
0
Kishore M (Author) commented:
Hi All,

Thanks for the support, the suggestion below helped to resolve the issue.

Disconnect the NIC cable, reboot, log in as local administrator, check RSOP and run IIS Crypto.
0
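The resolution above points at Group Policy overriding what IIS Crypto writes, which is why checking RSOP mattered. The following read-only PowerShell audit is an added example, not code from the thread or from IIS Crypto: it reads the SChannel Diffie-Hellman key-exchange values and both the local and the policy cipher-suite order, and reports whether the finite-field DHE suites SSL Labs flagged are still in effect. The registry paths are the documented SChannel locations; the 2048-bit threshold is an assumption taken from the thread's advice.

```powershell
# Added example (not from the original thread): audit the SChannel settings behind an
# SSL Labs "weak DH (1024-bit)" finding on Windows Server 2012 R2. Read-only; run elevated.
$dhKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-RegValue($Path, $Name) {
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name } else { $null }
}

# 1. Is finite-field DH key exchange still enabled, and with what minimum server key size?
#    ServerMinKeyBitLength was introduced by KB3174644; unset means the OS default applies.
$dhEnabled = Get-RegValue $dhKey 'Enabled'
$dhMinBits = Get-RegValue $dhKey 'ServerMinKeyBitLength'
$minText   = if ($null -eq $dhMinBits) { 'not set (OS default)' } else { $dhMinBits }
if ($dhEnabled -eq 0) {
    Write-Host 'Diffie-Hellman key exchange: disabled (DHE suites cannot be negotiated)'
} elseif ($dhMinBits -ge 2048) {          # assumed threshold, per the thread's advice
    Write-Host "Diffie-Hellman key exchange: enabled, ServerMinKeyBitLength=$minText (OK)"
} else {
    Write-Host "Diffie-Hellman key exchange: enabled, ServerMinKeyBitLength=$minText -> 1024-bit DH may be offered (WEAK)"
}

# 2. Which cipher-suite list is actually in effect? The Group Policy "SSL Cipher Suite Order"
#    (REG_SZ, comma-separated) wins over the local list (REG_MULTI_SZ) that IIS Crypto edits.
$policyOrder = Get-RegValue $policyKey 'Functions'
$localOrder  = Get-RegValue $localKey  'Functions'
if ($policyOrder) {
    $source = 'Group Policy (overrides IIS Crypto; check RSOP)'
    $suites = @($policyOrder -split ',' | ForEach-Object { $_.Trim() })
} elseif ($localOrder) {
    $source = 'Local list (written by IIS Crypto)'
    $suites = @($localOrder)
} else {
    $source = 'OS default order (no explicit list configured)'
    $suites = @()
}
Write-Host "Effective cipher-suite order comes from: $source"

# 3. Report the DHE suites SSL Labs flagged and whether an ECDHE suite is prioritised first.
$dhe   = @($suites | Where-Object { $_ -match '^TLS_DHE_' })
$ecdhe = @($suites | Where-Object { $_ -match '^TLS_ECDHE_' })
if ($dhe.Count -gt 0) { Write-Host "DHE suites still listed: $($dhe -join ', ')" }
if ($suites.Count -gt 0 -and $suites[0] -notmatch '^TLS_ECDHE_') {
    Write-Host "First suite is $($suites[0]); ECDHE is not prioritised"
}
if ($dhe.Count -eq 0 -and $ecdhe.Count -gt 0) {
    Write-Host 'No DHE suites listed and ECDHE present; the weak-DH finding should clear after a reboot'
}
```

Run it before and after applying IIS Crypto: if the source line reports Group Policy, the local edits IIS Crypto makes will not take effect until the policy is changed or no longer applies.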
btan (Exec Consultant) commented:
Thanks for sharing. You may proceed to close the question if there are no further queries.
0
btan (Exec Consultant) commented:
As per the advice given.
0