Secured channel protocol on Windows web servers.


Our team is being told to investigate whether our Windows infrastructure contains misconfigured encryption.

I sampled a few WIN2012 web servers, opened up the registry and looked at the secure channel settings. I see TLS 1.1 Client and TLS 1.1 Server are enabled. Some servers have SSL 2.0 Client present but not enabled. No SSL 3 or TLS present.

Would someone educate me on how the secure channel protocols get added into the registry?

I understand that SSL 2 and 3 are old and they should be disabled.  What is the best way to ensure the disable process will not affect our current applications?

I usually deal with adding certificates to the web servers but do not pay attention to what Schannel protocol is used.

Thank you very much.
btan (Exec Consultant) commented:
Suggest using the IIS Crypto tool. It is a GUI that sets the registry transparently for the user. The list of actual registry keys is stated in the link. Note that each registry key has an "Enabled" value that is set. The protocols have an additional value named "DisabledByDefault" that is also set.

IIS Crypto also supports pre-defined templates that can be set with a single button click:

PCI - Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH and PKCS.
I set these using Group Policy -- then I have another sub-OU that does not inherit the settings in case there is some conflict, so I can easily move a server from one OU to another to troubleshoot. I used Gibson Research as a starting point for what ciphers to enable. From there I used a subscription to Qualys SSL Labs to dig deeper into what I really didn't need.

Manually setting these will make you start to see other things on the network you may not have considered, for example, when I updated the ciphers I didn't think about copy machines and when users scan their badge to authenticate against the print server.
btan (Exec Consultant) commented:
Specifically, the registry keys of concern for SSL and TLS are found under the SCHANNEL settings:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Under each key, there are two values that can be set: Enabled and DisabledByDefault. RDP has been seen to have issues, hence TLS 1.0 has been left enabled. Otherwise, you should go for TLS 1.2 and leave the rest disabled (minimally, SSL 2/3 must be disabled).
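The following is an added example, not code from the thread or from IIS Crypto. It audits the Enabled / DisabledByDefault values under the keys listed above on the local box, backs the tree up, and shows how a change would be applied as a dry run first. It assumes PowerShell 3.0 or later, an elevated session, and the key layout and value names from the comment above; the hardening choices at the bottom (SSL 2.0/3.0 off, TLS 1.2 on) are my own and leave TLS 1.0/1.1 alone, since the thread notes RDP and other clients may still need them.

```powershell
# Added example (not from the original thread): audit and optionally harden
# Schannel protocol settings on the local server. Run elevated.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and side. A missing key or value means Schannel
    # falls back to the OS default, which differs between 2008 and 2012, so it
    # is reported as "OS default" rather than guessed.
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$p\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                KeyPresent        = (Test-Path $key)
                Enabled           = if ($null -eq $enabled) { 'OS default' } else { $enabled }
                DisabledByDefault = if ($null -eq $disabledByDefault) { 'OS default' } else { $disabledByDefault }
            }
        }
    }
}

function Set-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Side,
        [Parameter(Mandatory)][bool]$Enable
    )
    $key = Join-Path $base "$Protocol\$Side"
    if ($PSCmdlet.ShouldProcess($key, "set Enabled=$([int]$Enable)")) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off outright. DisabledByDefault=1 keeps
        # it out of the default negotiation set unless an application asks for
        # it explicitly. Writing both makes the intent unambiguous:
        # disable -> Enabled=0, DisabledByDefault=1; enable -> Enabled=1, DisabledByDefault=0.
        # (Any non-zero Enabled value works; IIS Crypto writes 0xffffffff.)
        New-ItemProperty -Path $key -Name Enabled -Value ([int]$Enable) -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $Enable)) -PropertyType DWord -Force | Out-Null
    }
}

# 1. Back up the whole Protocols tree before touching anything.
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' "$env:TEMP\schannel-protocols.reg" /y | Out-Null

# 2. Audit: this is the table to compare across servers.
Get-SchannelProtocolState | Format-Table -AutoSize

# 3. Dry run of the change. -WhatIf prints what would be written and changes nothing.
foreach ($side in 'Client', 'Server') {
    Set-SchannelProtocol -Protocol 'SSL 2.0' -Side $side -Enable $false -WhatIf
    Set-SchannelProtocol -Protocol 'SSL 3.0' -Side $side -Enable $false -WhatIf
    Set-SchannelProtocol -Protocol 'TLS 1.2' -Side $side -Enable $true  -WhatIf
}
# Drop -WhatIf to apply. Schannel reads these values at boot, so reboot afterwards.
```

Run step 2 on every server first; the differences between boxes the author noticed will show up as rows where one server has a key present and another reports "OS default". Keep the exported .reg file: importing it with reg import is the quickest rollback if an application breaks after the reboot. Creating a TLS 1.2 key on an OS that has no TLS 1.2 support does nothing by itself.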
nav2567 (Author) commented:
I do not see TLS 1.2 on every server. I also notice that the list of secure channel protocols on each server is different. What are Windows 2008 and Windows 2012 supposed to have by default?

What is the difference between TLS 1.1 Client and TLS 1.1 Server, let's say on an IIS web server?

btan (Exec Consultant) commented:
The default cipher settings can be found in the listing. Go into the OS section of interest; the cipher suites are enabled in this priority order by default by the Microsoft Schannel Provider:

The ordering of those using weak ciphers is lower.

For 2012 - TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
For 2008 - TLS 1.0, SSL 3.0, SSL 2.0

The same protocol versions will talk to each other. What is important for client and server is to negotiate to have the same TLS level; then they can start the exchange of data. Eventually, in consensus, there may be the lowering of the cipher when either party cannot "speak" a stronger cipher. Let's say the server is TLS 1.2 and the client supports up to 1.1 only. The server will then find in its priority list a lower cipher, in this case 1.1, to match the client level. The exchange will then be based on TLS 1.1.
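To make the Client/Server split and the negotiation concrete, here is an added example (mine, not from the thread) that models which version two Windows hosts end up on. It takes the per-OS default lists quoted above as its baseline, applies registry-style Enabled / DisabledByDefault overrides to each side, and picks the outcome the way TLS up to 1.2 does: the client advertises its highest version and the server chooses the highest one it also has on, so the result is the highest version enabled on both sides. The Client key governs the box when it initiates a connection, the Server key when it accepts one; an IIS box uses its Server key for browsers and its Client key when it calls out to, say, a database or a print server. Nothing here touches the registry, and the override sets are constructed for illustration.

```powershell
# Added example (not from the original thread): model protocol negotiation
# between two Windows hosts from their OS defaults plus Schannel overrides.

# Defaults as quoted in the comment above, most preferred first.
$OsDefaults = @{
    '2012' = @('TLS 1.2', 'TLS 1.1', 'TLS 1.0', 'SSL 3.0')
    '2008' = @('TLS 1.0', 'SSL 3.0', 'SSL 2.0')
}
$Ranking = 'TLS 1.2', 'TLS 1.1', 'TLS 1.0', 'SSL 3.0', 'SSL 2.0'   # strongest first

function Get-EffectiveProtocols {
    # $Overrides mirrors one side's registry subtree (Client or Server):
    # @{ 'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 } }. A protocol with
    # no entry keeps its OS default.
    param(
        [Parameter(Mandatory)][string[]]$Defaults,
        [hashtable]$Overrides = @{}
    )
    foreach ($p in $Ranking) {
        $on = $Defaults -contains $p
        if ($Overrides.ContainsKey($p)) {
            $o = $Overrides[$p]
            # Enabled=0 wins outright. DisabledByDefault=1 drops the protocol
            # from the default negotiation set even when Enabled is non-zero
            # (an application can still request it explicitly; IIS does not).
            if ($o.ContainsKey('Enabled')) { $on = ($o.Enabled -ne 0) }
            if ($on -and $o.ContainsKey('DisabledByDefault')) { $on = ($o.DisabledByDefault -eq 0) }
        }
        if ($on) { $p }
    }
}

function Resolve-TlsVersion {
    # Highest version present on both sides, or $null when no handshake is possible.
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Server,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Client
    )
    foreach ($p in $Ranking) {
        if (($Server -contains $p) -and ($Client -contains $p)) { return $p }
    }
    return $null
}

# Scenario 1: stock 2012 IIS server, stock 2008 client (an old print server or
# scanner calling the web server). Both have TLS 1.0 on -> "TLS 1.0".
$srv2012 = @(Get-EffectiveProtocols -Defaults $OsDefaults['2012'])
$cli2008 = @(Get-EffectiveProtocols -Defaults $OsDefaults['2008'])
Resolve-TlsVersion -Server $srv2012 -Client $cli2008

# Scenario 2: the same server hardened to TLS 1.2 only, as suggested above.
# The 2008 client has nothing in common with it -> $null, i.e. the client breaks.
$hardened = @{
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
}
$srvHardened = @(Get-EffectiveProtocols -Defaults $OsDefaults['2012'] -Overrides $hardened)
Resolve-TlsVersion -Server $srvHardened -Client $cli2008

# Scenario 3: the 2008 client gets TLS 1.2 switched on under its Client key
# (assumes the OS actually supports it) -> "TLS 1.2".
$cliUpdated = @(Get-EffectiveProtocols -Defaults $OsDefaults['2008'] -Overrides @{
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
})
Resolve-TlsVersion -Server $srvHardened -Client $cliUpdated
```

Scenario 2 is the case the author is worried about: disabling versions on the server side is what breaks the copy machines and badge readers mentioned earlier, because the decision is made per connection from the intersection of the two sides, not from the server's own list alone. Feed the function the real Client/Server state of each pair of hosts and you get the same answer without having to test every application by hand.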

btan (Exec Consultant) commented:
For author advice
btan (Exec Consultant) commented:
No further inputs received