MJB2011
asked on
Making a hash of certificates.
Hi all,
Being doing some work around tightening security on internal and external communications with stronger certificates and removing weak ciphers. All though this fairly straight forward I had a problem yesterday that has raised questions mainly around my understanding.
We have a web server in the DMZ 2008 R2 IIS. It has an external signed certificate (SHA256). scanning the website shows a number of weaknesses around Ciphers that are part of TLS 1.0, 1.1 and 1,2.
We have to keep TLS 1.0 enabled because of application compatibility.
Is it possible to disable specific ciphers that are weak rather than disabling the tls protocol?
Being doing some work around tightening security on internal and external communications with stronger certificates and removing weak ciphers. All though this fairly straight forward I had a problem yesterday that has raised questions mainly around my understanding.
We have a web server in the DMZ 2008 R2 IIS. It has an external signed certificate (SHA256). scanning the website shows a number of weaknesses around Ciphers that are part of TLS 1.0, 1.1 and 1,2.
We have to keep TLS 1.0 enabled because of application compatibility.
Is it possible to disable specific ciphers that are weak rather than disabling the tls protocol?
ASKER
Thanks Dan I do have that tool but was thinking more GPO global settings. For testing this is perfect.
We cannot disable TLS 1.0, 1.1 so I have to remove the ciphers instead. Going from the report from SSL labs do you see any potential issues arising from:
-disabling Diffie-Helman
-removing weak ciphers
TLS_RSA_WITH_3DES_EDE_CBC_
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
Ive noticed that when I untick using iiscrypto it tells me i need to reboot, but I can see after a rescan which makes life alot easier for testing.
We cannot disable TLS 1.0, 1.1 so I have to remove the ciphers instead. Going from the report from SSL labs do you see any potential issues arising from:
-disabling Diffie-Helman
-removing weak ciphers
TLS_RSA_WITH_3DES_EDE_CBC_
TLS_RSA_WITH_RC4_128_SHA (0x5) INSECURE 128
TLS_RSA_WITH_RC4_128_MD5 (0x4) INSECURE 128
Ive noticed that when I untick using iiscrypto it tells me i need to reboot, but I can see after a rescan which makes life alot easier for testing.
ASKER
Also, is there anyway of checking your schannel connection when connected to a website?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Using IE when I click on the details it just tell me the type of certificate algorithm not the Cipher suits used to handshake
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Dan, Firefox alot better.
So it reports im using TLS_ECDHE_RSA_WITH_AES_256
SO does that mean that the various TLS protocols can use the same cipher suites?
For example if I disabled 1.0 could it use the same suite but just with TLS 2.0? if so why does the difference?
So it reports im using TLS_ECDHE_RSA_WITH_AES_256
SO does that mean that the various TLS protocols can use the same cipher suites?
For example if I disabled 1.0 could it use the same suite but just with TLS 2.0? if so why does the difference?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks Dan. Just to share one caveat which you can find in the faq in IISCrypto support page
So if you disable TLS1.0, it does not means that all the cipher used in that string will be disabled. TLS 1.1, 1.2 and above may have the same cipher but of different key length. You can still disable the specific cipher individually using the IISCrypto. So if you disable TLS 1.0 and are on Win2008 R2, you can check out the remaining TLS1.1 and above - https://msdn.microsoft.com/en-us/library/windows/desktop/mt767780(v=vs.85).aspx, - Windows 2008 does not support TLS 1.1 and 1.2 and above https://msdn.microsoft.com/en-us/library/windows/desktop/ff468651(v=vs.85).aspx
Will Remote Desktop (RDP) continue to work after using IIS Crypto?To read TLS_ECDHE_RSA_WITH_AES_256
Yes. The default security layer in RDP is set to Negotiate which supports both SSL (TLS 1.0) and the RDP Security Layer. However, if you set the security layer to SSL (TLS 1.0) and disable TLS 1.0 in IIS Crypto you may be unable to connect to RDP if you are using Windows Server 2008 R2. To check your settings, open Remote Desktop Session Host Configuration in Administrative Tools and double click RDP-Tcp under the Connections group. If it is set to SSL (TLS 1.0) and you are running Windows Server 2008 R2 make sure that you have installed TLS 1.1 and 1.2 support.
Network Level Authentication only supports the SSL (TLS 1.0 and above) security layer.
- TLS simply indicates the protocol;
- ECDHE signifies the key exchange algorithm;
- RSA signifies the authentication algorithm;
- AES_256_CBC indicates the bulk encryption algorithm; and
- SHA indicates the MAC algorithm.
So if you disable TLS1.0, it does not means that all the cipher used in that string will be disabled. TLS 1.1, 1.2 and above may have the same cipher but of different key length. You can still disable the specific cipher individually using the IISCrypto. So if you disable TLS 1.0 and are on Win2008 R2, you can check out the remaining TLS1.1 and above - https://msdn.microsoft.com/en-us/library/windows/desktop/mt767780(v=vs.85).aspx, - Windows 2008 does not support TLS 1.1 and 1.2 and above https://msdn.microsoft.com/en-us/library/windows/desktop/ff468651(v=vs.85).aspx
cypher suites and transport layer are two different items. if you enable/disable a cypher suite it applies to all transport layers.
I recommend using the utility to make these changes. Enable only the protocols that you need, then in the center panel, you can enable/disable specific ciphers that you want to allow.
Dan