Tags: Vulnerability, security, SSL/TLS, Active Directory

Our security team ran an external VM scan on the DMZ and found some vulnerabilities.

I have one question:

"SSL/TLS server supports TLSv1.0" vulnerability (38628) does not provide much info for Windows Server 2008 (R2) servers.
We looked at this article: https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls

We are not sure if this is a legitimate vulnerability or a false positive.

The solution is to use OpenSSL, but we do not have it installed.

Could you please give me some more information so I can see whether this protocol (TLSv1.0) needs to be disabled or we can disregard it?

There is one article I found: https://blogs.msdn.microsoft.com/friis/2016/0725/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one

The above links list instructions to disable 1.0 and enable 1.1 and 1.2.

I need to compile the list. Can you provide any thoughts on the top link above? How should I make the changes?
Asked by pramod1

Dr. Klahn (Principal Software Engineer) commented:
In 2014 it was shown that SSL V3, TLS V1.0 and TLS V1.1 are subject to "POODLE" attacks.  None of these should be considered secure (not even after installing the recommended patches) and none should be used in environments where security is important.

https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/

https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/
kevinhsieh commented:
TLS 1.0 has protocol design flaws that make it vulnerable. All sites that require PCI compliance should have it disabled already. TLS 1.2 is the current standard, with TLS 1.3 recently ratified (though it will not be available for Windows 2008 R2). Most things that support TLS 1.2 also support TLS 1.1, so it might be possible to just go 1.2 only.

What is being secured? Lots of other software like RDP and Outlook may require updates before they run properly over TLS 1.2.
btan (Exec Consultant) commented:
Same as the expert mentioned. You can see advisory from the authority on best practice and from community. In order to ensure that only strong cryptographic ciphers are selected the server must be modified to disable the use of weak ciphers and to configure the ciphers in an adequate order.
https://www.us-cert.gov/ncas/alerts/TA15-120A
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Protocols

Also TLS 1.3 has been published as of August 2018. More info below.
https://kinsta.com/blog/tls-1-3/#security-tls-1.3

Tool-wise, I suggest you check out IIS Crypto, which helps to enable strong ciphers.
https://www.nartac.com/Products/IISCrypto/
masnrock commented:
SSL/TLS server supports TLSv1.0 vulnerability (38628) does not provide much info for windows server 2008 (R2) servers.
we looked at this article .  https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls

we are not sure if this is a legitimate vulnerability or false positive.
Very real.

above links list instructions to disable 1.0 and enable 1.1 and 1.2
Disable 1.1 as well. Only keep 1.2 or higher. If you have systems that won't work with safe versions of TLS, either look at a reverse proxy or upgrading the systems.
subhashm (Team Lead - Directory Services) commented:
Before you disable TLSv1.0, make sure you identify and remove/fix all dependencies - all applications / systems that support only TLSv1.0

We had recently disabled TLS on our domain (regedit on all DCs).
We had run network trace to see TLSv1.0 traffic to domain controllers, and then contact the server owner to get the TLS dependency addressed.
pramod1 (Author) commented:
OK, so I should go for TLS 1.2. Can you tell me where I should enable it?
pramod1 (Author) commented:
Do I need to do a registry change in order to enable TLS?
masnrock commented:
You could use a tool like IISCrypto, or you can just make changes in the registry.

Assuming Server 2008 R2: https://community.ipswitch.com/s/article/How-to-Enable-TLS-1-1-TLS-1-2-on-Windows-Server-2008-R2

Also, watch which ciphers are enabled.... this is where IISCrypto will definitely be your friend in terms of keeping things easy.
pramod1 (Author) commented:
Does the server require a reboot?
kevinhsieh commented:
Yes, reboot is required.
btan (Exec Consultant) commented:
Suggest you do the necessary testing in your UAT server first. Or back up the registry first, and if you make a mistake or something just isn't right, you can revert back. Test your application too.

https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx
pramod1 (Author) commented:
How do I know if my server is using TLS 1.0 or SSLv3, and if so, how should I disable it?
pramod1 (Author) commented:
I am doing the changes now; how do I validate that they were successful?
masnrock commented:
Run IISCrypto. It should show you what is and is not enabled.
kevinhsieh commented:
You can test settings at https://ssllabs.com
pramod1 (Author) commented:
I made the change. Is there any other way to test, as the server is rebooting?
pramod1 (Author) commented:
I can't connect to that site; it is blocked.
masnrock commented:

pramod1 (Author) commented:
Company policy. Any other way?
pramod1 (Author) commented:
I can check that TLS is working OK.
pramod1 (Author) commented:
I don't see any errors in the event logs.
pramod1 (Author) commented:
Thanks, all experts. I will get back tomorrow; somebody will scan to see if it is enabled.
kevinhsieh commented:
The server doesn't need outbound access to SSL Labs. SSL Labs needs access to the server. You can initiate check from a cell phone.
btan (Exec Consultant) commented:
The nmap scanner, via the "-sV" scan option, is able to identify SSL services. Another is SSLScan, which is a free command line tool that scans a HTTPS service to enumerate what protocols and what ciphers the HTTPS service supports.
https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)#SSL_Testing_Criteria
pramod1 (Author) commented:
I am still working; I need to keep the thread open till Saturday.
pramod1 (Author) commented:
It is a workgroup; how can I find out if it is remediated?
pramod1 (Author) commented:
How can I disable TLS 1.0, as it is not showing TLS 1.2? How should the test be done for all TLS versions?
masnrock commented:
Use the SSL Labs test. It checks for each version for you, as well as checking which ciphers.
btan (Exec Consultant) commented:
If you are alright with a test tool, consider:
1) Nmap, plus the ssl-enum-ciphers.nse Nmap script. How to use it is in its readme page. One example is as below:
List ciphers supported by an HTTP server
$ nmap --script ssl-enum-ciphers -p 443 www.example.com

2) Another is SSLScan, which is a free command line tool that scans a HTTPS service to enumerate what protocols (it supports SSLv2, SSLv3 and TLS1) and what ciphers the HTTPS service supports.
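The check btan describes (find out which protocol versions the server actually accepts) can also be done without nmap or sslscan, from any Windows machine that can reach the server on 443, by attempting one handshake per protocol version with .NET's SslStream. This is an added example, not code from the thread or from any of the tools mentioned in it. It assumes .NET 4.5 or later and PowerShell 3 or later on the machine running the probe (the Tls11 and Tls12 members of SslProtocols do not exist in older .NET), and `dmzweb.example.com` is a placeholder for the host the scanner flagged.

```powershell
# Added example: probe a TLS server for each protocol version by attempting
# one handshake per version with System.Net.Security.SslStream.
# Assumes .NET 4.5+ (SslProtocols.Tls11/Tls12 exist) and PowerShell 3+.

function Test-TlsProtocolSupport {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 443,
        [string[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12'),
        [int]$TimeoutMs = 5000
    )

    # We only care whether the handshake completes, not whether the
    # certificate chains to a trusted root, so accept any certificate.
    $acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

    foreach ($name in $Protocols) {
        $protocol  = [System.Security.Authentication.SslProtocols]$name
        $client    = New-Object System.Net.Sockets.TcpClient
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $supported = $false
        $detail    = ''
        try {
            $client.Connect($ComputerName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAnyCert)
            # Offer exactly one protocol version. A server that has that
            # version disabled answers with an alert and AuthenticateAsClient
            # throws, which we record as "not supported".
            $ssl.AuthenticateAsClient($ComputerName, $null, $protocol, $false)
            $supported = $true
            $detail = '{0} {1} {2}-bit' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
            $ssl.Dispose()
        }
        catch {
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            $detail = $ex.Message
        }
        finally {
            $client.Close()
        }
        [pscustomobject][ordered]@{
            Host      = $ComputerName
            Protocol  = $name
            Supported = $supported
            Detail    = $detail
        }
    }
}

# Placeholder host name; replace with the server the scanner flagged.
Test-TlsProtocolSupport -ComputerName 'dmzweb.example.com' | Format-Table -AutoSize
```

After the TLS 1.0 change has taken effect, the expected picture is Ssl3 and Tls reported as not supported and Tls12 (and Tls11, if you kept it) supported. One caveat: the probing machine's own Schannel must still be willing to offer the version being tested. If the box you run this from already has SSL 3.0 or TLS 1.0 disabled on the Client side, a "not supported" result says nothing about the server, so run the probe from a machine with default client settings, or fall back to nmap's ssl-enum-ciphers as btan suggests.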
pramod1 (Author) commented:
I got the answer from the SSL link.

But is it OK to leave TLS 1.0 and 1.1 working alongside 1.2, or should I remove 1.0? If so,

can you share a link on where and how to disable 1.0?
btan (Exec Consultant) commented:
Suggest this article on disabling TLS 1.0
https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/
You should disable it and test any impact to access from clients
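The registry changes the MSDN article describes, scripted together with the backup btan recommended earlier in the thread. This is an added example, not code from the thread or from Microsoft. It uses the documented Schannel keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols: per protocol version, a Server and a Client subkey each holding two DWORDs, Enabled and DisabledByDefault. Run it from an elevated PowerShell on a test server first; Schannel reads these keys at boot, so the change only takes effect after the reboot kevinhsieh mentioned. The Client subkey governs outbound connections from the server (RDP, SQL, Outlook and the like), which is why the example turns TLS 1.0 and 1.1 off on the Server side only and leaves the Client side alone until those dependencies have been checked.

```powershell
# Added example: switch Schannel protocol versions on or off via the registry
# and report the resulting state. Run elevated; a reboot is required afterwards.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,
        [Parameter(Mandatory = $true)][bool]$Enabled,
        [ValidateSet('Server', 'Client')]
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path $SchannelProtocols "$Protocol\$s"
        # 2008 R2 ships with no TLS 1.1 / TLS 1.2 keys at all; create them.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Off: Enabled = 0, DisabledByDefault = 1
        # On:  Enabled = 1, DisabledByDefault = 0
        Set-ItemProperty -Path $key -Name Enabled           -Type DWord -Value ([int]$Enabled)
        Set-ItemProperty -Path $key -Name DisabledByDefault -Type DWord -Value ([int](-not $Enabled))
    }
}

function Get-SchannelProtocolState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($s in 'Server', 'Client') {
            $key   = Join-Path $SchannelProtocols "$p\$s"
            $state = 'OS default (key absent)'
            if (Test-Path $key) {
                $v = Get-ItemProperty -Path $key
                $state = if ($v.Enabled -eq 0)              { 'Disabled' }
                         elseif ($v.DisabledByDefault -eq 1) { 'Off unless an app asks for it' }
                         else                                 { 'Enabled' }
            }
            [pscustomobject][ordered]@{ Protocol = $p; Side = $s; State = $state }
        }
    }
}

# 1. Back up the whole SCHANNEL key so the change can be reverted.
$backup = Join-Path $env:TEMP ('schannel-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
Write-Host "Registry backup written to $backup (revert with: reg import `"$backup`")"

# 2. Turn off the versions the scanner flagged on the Server side, keep the
#    Client side of TLS 1.0/1.1 as-is until outbound dependencies are checked,
#    and make sure TLS 1.2 is on for both sides.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false -Side Server
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false -Side Server
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

# 3. Show the resulting configuration; Schannel only reads it at boot.
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Warning 'Reboot the server for Schannel to pick up the change, then rescan.'
```

If the plan is to go 1.2-only as masnrock suggested, the TLS 1.1 line already does that on the Server side; once the network trace subhashm described shows no remaining TLS 1.0 clients, the same call with `-Side Client` closes the outbound side as well.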