pramod1
asked on
Vulnerability, security, SSL/TLS, Active directory
Our security team ran an external VM scan on the DMZ and found some vulnerabilities.
I have 1 question:
The "SSL/TLS server supports TLSv1.0" vulnerability (38628) does not provide much info for Windows Server 2008 (R2) servers.
We looked at this article: https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls
We are not sure if this is a legitimate vulnerability or a false positive.
The solution is OpenSSL, but we do not have it installed.
Could you please give me some more information to see if this protocol (TLSv1.0) needs to be disabled or we can disregard it?
There is 1 article I searched: https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one
The above link lists instructions to disable 1.0 and enable 1.1 and 1.2.
I need to compile the list. Can you provide any thoughts on the top link above, and how should I make the changes?
TLS 1.0 has protocol design flaws that make it vulnerable. All sites that require PCI compliance should have it disabled already. TLS 1.2 is the current standard, with TLS 1.3 recently ratified (though it will not be available for Windows 2008 R2). Most things that support TLS 1.2 also support TLS 1.1, so it might be possible to just go 1.2 only.
What is being secured? Lots of other software like RDP and Outlook may require updates before they run properly over TLS 1.2.
Same as the expert mentioned. You can see advisories from the authority on best practice and from the community. In order to ensure that only strong cryptographic ciphers are selected, the server must be modified to disable the use of weak ciphers and to configure the ciphers in an adequate order.
https://www.us-cert.gov/ncas/alerts/TA15-120A
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Protocols
Also TLS 1.3 has been published as of August 2018. More info below.
https://kinsta.com/blog/tls-1-3/#security-tls-1.3
Tool-wise, I suggest you check out IISCrypto, which helps to enable the strong ciphers.
https://www.nartac.com/Products/IISCrypto/
> SSL/TLS server supports TLSv1.0 vulnerability (38628) does not provide much info for windows server 2008 (R2) servers.
Very real.
> we looked at this article . https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls
> we are not sure if this is a legitimate vulnerability or false positive.
> above links list instructions to disable 1.0 and enable 1.1 and 1.2
Disable 1.1 as well. Only keep 1.2 or higher. If you have systems that won't work with safe versions of TLS, either look at a reverse proxy or upgrading the systems.
Before you disable TLSv1.0, make sure you identify and remove/fix all dependencies - all applications / systems that support only TLSv1.0
We recently disabled TLS on our domain via regedit on all DCs.
We ran a network trace to see TLSv1.0 traffic to domain controllers, and then contacted the server owners to get the TLS dependency addressed.
ASKER
OK, so I should go for TLS 1.2. Can you tell me where I should enable it?
ASKER
Do I need to make a registry change in order to enable TLS?
You could use a tool like IISCrypto, or you can just make changes in the registry.
Assuming Server 2008 R2: https://community.ipswitch.com/s/article/How-to-Enable-TLS-1-1-TLS-1-2-on-Windows-Server-2008-R2
Also, watch which ciphers are enabled.... this is where IISCrypto will definitely be your friend in terms of keeping things easy.
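The registry change behind the linked article, written out as an added PowerShell script (not code from the thread, from Ipswitch or from Microsoft): it creates the Schannel protocol keys and sets both the Server and the Client side, so outbound connections from this host are affected as well, which is why the dependency check recommended earlier in the thread matters. Assumed: Windows Server 2008 R2, PowerShell run as Administrator, and the reboot the thread mentions afterwards.

```powershell
# Added example: set Schannel protocol keys so SSL 3.0, TLS 1.0 and TLS 1.1 are
# disabled and TLS 1.2 is enabled. Run elevated; Schannel re-reads these on reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: $true = offered, $false = disabled. Keep 'TLS 1.1' = $true only
# while a dependency that cannot do TLS 1.2 is still being fixed.
$desired = @{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

foreach ($proto in $desired.Keys) {
    foreach ($side in 'Server', 'Client') {
        $key = "$base\$proto\$side"
        # Keys are absent by default on 2008 R2; absence means "Windows default",
        # which for TLS 1.1/1.2 on this OS is "off" on the server side.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($desired[$proto]) {
            # Enabled=1, DisabledByDefault=0 -> protocol is offered
            Set-ItemProperty -Path $key -Name 'Enabled' -Value 1 -Type DWord
            Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
        } else {
            # Enabled=0, DisabledByDefault=1 -> protocol is never negotiated
            Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
        }
    }
}

# Print the resulting state so it can be reviewed before the reboot
foreach ($proto in $desired.Keys) {
    foreach ($side in 'Server', 'Client') {
        $p = Get-ItemProperty -Path "$base\$proto\$side"
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $side, $p.Enabled, $p.DisabledByDefault
    }
}
```

The cipher-suite order the next reply mentions is a separate setting (IISCrypto covers it); this script only changes which protocol versions are offered.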
ASKER
Does the server require a reboot?
Yes, reboot is required.
ASKER
How do I know if my server is using TLS 1.0 or SSLv3, and if so, how should I disable them?
ASKER
I am doing the changes now. How do I validate that it was successful?
Run IISCrypto. It should show you what is and is not enabled.
You can test settings at https://ssllabs.com
ASKER
I made the change. Is there any other way to test, as the server is rebooting?
ASKER
I can’t connect to that site it is blocked
Blocked by what?
https://www.ssllabs.com/ssltest
ASKER
Company policy. Any other way?
ASKER
I can check that TLS is working OK.
ASKER
Don’t see any errors in event logs
ASKER
Thanks, all experts. I will get back tomorrow; somebody will scan to see if it is enabled.
The server doesn't need outbound access to SSL Labs. SSL Labs needs access to the server. You can initiate check from a cell phone.
The nmap scanner, via the "-sV" scan option, is able to identify SSL services. Another is SSLScan, which is a free command line tool that scans an HTTPS service to enumerate what protocols and what ciphers the HTTPS service supports.
https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)#SSL_Testing_Criteria
ASKER
I am still working , need to keep thread open till Saturday..
ASKER
It is a workgroup. How can I find out if it is remediated?
ASKER
How can I disable TLS 1.0? It is not showing TLS 1.2. The test should show all TLS versions.
Use the SSL Labs test. It checks for each version for you, as well as checking which ciphers.
If you are alright with a test tool, you can consider:
1) Nmap: download the ssl-enum-ciphers.nse Nmap script. How to use it is in its readme page; one example is below.
List ciphers supported by an HTTP server
$ nmap --script ssl-enum-ciphers -p 443 www.example.com
2) Another is SSLScan which is a free command line tool that scans a HTTPS service to enumerate what protocols (supports SSLv2, SSLv3 and TLS1) and what ciphers the HTTPS service supports.
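Because SSL Labs is blocked from the asker's network, here is an added PowerShell probe (not from the thread, nmap or SSLScan) that performs the same protocol-version check from any Windows workstation with a route to the DMZ server: it attempts one handshake per version, offering only that version, and reports which ones the server accepts. Assumed: PowerShell 3 or later with .NET Framework 4.5 on the workstation, the placeholder host name, and port 443.

```powershell
# Added example: report which SSL/TLS versions a server still accepts.
param(
    [string]$Server = 'dmz-web.example.internal',   # placeholder, replace with the real host
    [int]$Port = 443
)

function Test-TlsVersion {
    param([string]$TargetHost, [int]$TargetPort,
          [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
        # Certificate validation is skipped on purpose: this probe tests protocol
        # acceptance only, not certificate trust, so an internal or self-signed cert
        # does not mask the result.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
        # Offer exactly one protocol version; success means the server accepts it
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        return [pscustomobject]@{ Protocol = $Protocol; Accepted = $true
                                  Cipher = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)" }
    } catch {
        return [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Cipher = '' }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

$results = foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    Test-TlsVersion -TargetHost $Server -TargetPort $Port `
        -Protocol ([System.Security.Authentication.SslProtocols]$p)
}
$results | Format-Table -AutoSize

# The 38628 finding is about TLS 1.0; per the advice above, TLS 1.1 (and SSL 3.0)
# should be gone too, so anything other than Tls12 showing Accepted=True is a miss.
$legacy = $results | Where-Object { $_.Protocol -ne 'Tls12' -and $_.Accepted }
if ($legacy) {
    Write-Warning ('Legacy protocol(s) still accepted: ' +
        (($legacy | ForEach-Object { $_.Protocol }) -join ', '))
} else {
    Write-Output 'Only TLS 1.2 accepted.'
}
```

A version the probing workstation itself has disabled client-side will show as not accepted even if the server still offers it, so cross-check with the nmap script above before signing the finding off.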
ASKER
I got the answer from the SSL link.
But is it OK to leave TLS 1.0 and 1.1 working with 1.2, or should I remove 1.0? If so,
can you share a link on where and how to disable 1.0?
Suggest this article on disabling TLS 1.0
https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/
You should disable it and test any impact to access from clients
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/