Secured channel protocol on Windows web servers.

nav2567
Hello,

Our team is being told to investigate whether our Windows infrastructure contains misconfigured encryption.

I sampled a few WIN2012 web servers, opened up the registry and looked at the secured channel settings. I see TLS 1.1 client and TLS 1.1 server are enabled. Some servers have SSL 2.0 client present but not enabled. No SSL 3 or TLS present.

Would someone educate me on how the secured channel protocols are added into the registry?

I understand that SSL 2 and 3 are old and they should be disabled.  What is the best way to ensure the disable process will not affect our current applications?

I usually deal with adding secured certificates to the web servers but do not pay attention to what schannel protocol is used.

Thank you very much.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Suggest using the IIS Crypto tool. It is a GUI that helps in setting the registry, transparent to the user. The list of actual registry keys is stated in the link. Note that each registry key has an "Enabled" value that is set. The protocols have an additional value named "DisabledByDefault" that is also set.

https://www.nartac.com/Blog/post/2013/04/19/IIS-Crypto-Explained.aspx

IIS Crypto also supports pre-defined templates that can be set with a single button click:

PCI - Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH and PKCS.
Commented:
I set these using Group Policy, then I have another sub-OU that does not inherit the settings in case there is some conflict, so I can easily move a server from one OU to another to troubleshoot. I used Gibson Research as a starting point for what ciphers to enable. From there I used a subscription to Qualys SSL Labs to dig deeper into what I really didn't need.

https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt

Manually setting these will make you start to see other things on the network you may not have considered. For example, when I updated the ciphers I didn't think about copy machines and when users scan their badge to authenticate against the print server.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Specifically, the registry keys of concern for SSL and TLS are required and are found in the SCHANNEL settings.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Under each key, there are two values that can be set, Enabled and DisabledByDefault. RDP has been seen to have issues, hence TLS 1.0 has been enabled. Otherwise, you should go for TLS 1.2 and leave the rest disabled (minimally, SSL 2/3 must be disabled).
https://blogs.technet.microsoft.com/cmpfekevin/2016/09/18/schannel-ssl-and-tls-registry-keys-reporting/
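
One way to audit the keys listed above on each server, as an added example that is not part of the original thread and not taken from IIS Crypto. It assumes PowerShell 3.0 or later, run locally with rights to read HKLM; the function names are hypothetical.

```powershell
# Added example: report the SCHANNEL protocol settings on the local server.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Client', 'Server'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the named value does not exist.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelProtocolReport {
    foreach ($protocol in $protocols) {
        foreach ($role in $roles) {
            $path    = Join-Path (Join-Path $base $protocol) $role
            $enabled = Get-SchannelValue -Path $path -Name 'Enabled'
            $dbd     = Get-SchannelValue -Path $path -Name 'DisabledByDefault'

            # A missing Enabled value means nothing was configured explicitly,
            # so the default of that Windows version applies. This is why the
            # list of keys can differ from one server to the next.
            if ($null -eq $enabled) { $state = 'Not configured (OS default)' }
            elseif ($enabled -eq 0) { $state = 'Disabled' }
            else                    { $state = 'Enabled' }

            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                Protocol          = $protocol
                Role              = $role
                KeyPresent        = Test-Path -LiteralPath $path
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

Get-SchannelProtocolReport | Format-Table -AutoSize
```

Piping the report to Export-Csv instead of Format-Table gives one file per server that can be compared across the estate before any protocol is switched off.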
Author

Commented:
I do not see TLS 1.2 on every server. I also notice that the list of secured channel protocols on each server is different. What are Windows 2008 and Windows 2012 supposed to have by default?

What is the difference between TLS 1.1 client and TLS 1.1 server, let's say on an IIS web server?

Thanks.
Exec Consultant
Distinguished Expert 2018
Commented:
Default cipher settings can be found in the listing. Go into the OS section of interest; the cipher suites are enabled and in this priority order by default by the Microsoft Schannel Provider:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

The ordering of those using weak ciphers is lower.

For 2012 - TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
For 2008 - TLS 1.0, SSL 3.0, SSL 2.0

The same protocol will talk to each other. What is important is for client and server to negotiate to having the same TLS level; then they can start the exchange of data. Eventually, in consensus, there may be a lowering of cipher when either party cannot "speak" a stronger cipher. Let's say the server is TLS 1.2 and the client supports up to 1.1 only. The server will then find in its priority list a lower cipher, in this case 1.1, to match the client level. The exchange will then be based on TLS 1.1.
btan, Exec Consultant
Distinguished Expert 2018

Commented:
For author advice
btan, Exec Consultant
Distinguished Expert 2018

Commented:
No further inputs received
