mike99c asked:

How do I disable outdated and vulnerable ciphers on windows server without affecting RDP and Plesk access?

I have a Windows Server 2016 hosted on AWS EC2 using Plesk Onyx as a hosting control panel. It is a shared server and hosts multiple websites.

We have a requirement for one of our shared hosting clients to make their website and therefore our server PCI compliant in order to host a credit card payment page. One of the requirements is to disable the following outdated or vulnerable ciphers:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)

It is also a requirement to disable TLS 1.1.

However, I have the following concerns if the above changes are applied:

1. Disabling 3DES will create an issue accessing my server via remote desktop (RDP)
2. Disabling TLS 1.1 will break Plesk (latest version) Admin interface
3. Disabling the ciphers and TLS 1.1 will cause issues for visitors using Windows XP or outdated browsers.

I'm not too concerned about the last issue but am very concerned about not being able to access RDP and Plesk. Indeed, applying these changes will likely lock me out of my server completely, which can only be resolved through direct physical server access.

Is anyone aware of a workaround to resolve these issues? If need be we will consider a dedicated server just to satisfy our PCI compliant websites.
Tags: Windows Server 2016, Plesk, ciphers, AWS, PCI compliance

Last comment: Seth Simmons, 8/22/2022 - Mon
Olivier Marchetta

I am trying to find which PCI compliance requirement requires disabling TLS 1.1.
I think that it was just 1.0.
TLS 1.2 is sometimes not very well supported by servers and clients.
SOLUTION
David Favor

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
btan

For RDP, the concern is that TLS 1.0 is still needed. You can check this past discussion. Ultimately it is a risk acceptance. So mitigating measures can be taken, like having a web application firewall or subscribing to a cloud provider like Cloudflare to fend off web-based attacks.

https://www.experts-exchange.com/questions/29051801/Triple-DES-168-breaks-RDP-to-windows-server-2012-r2-from-windows-10.html

The same applies if you need to run the services. In fact, clients on older OSes should slowly be deprecated or upgraded. Your priority would have to be a risk-based approach to support the majority of updated clients instead.
ASKER CERTIFIED SOLUTION
serialband

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Krzysztof Kubiak

Hello mike99c

As serialband already mentioned, TLS 1.2 is well supported.

I suggest you use the below tool, as it gives a list of the ciphers already installed at a glance:
https://www.nartac.com/Products/IISCrypto/

Before the client and the server complete a successful handshake, they share the list of available ciphers to choose the latest and most secure encryption.

To find out what they are using now between your client and server when doing an RDP session, install Wireshark or Netmon (whatever suits) on your PC.

1. Start capturing traffic
2. Make an RDP connection to the server
3. Stop capturing traffic
4. In Wireshark, filter the traffic by ip.addr == ip_address_of_server
5. At the beginning of the communication you should see TLS traffic; in the packet details of the successful handshake traffic you will find the cipher they decided to use for encryption.

If your PC is a really old client, I would suggest installing the latest ciphers on a few PCs before disabling TLS, so you will not lose RDP in case of problems. Once you find out what cipher your clients are missing, you can Google and find out if there are security patches for your client.

I saw that Microsoft a few times even released patches for Windows Server 2003.

About Windows XP: I don't know what your situation is, or why you would allow guests to connect to your network with an outdated OS. But there is not much you can do about it. Either you want to protect your servers/network or you want to have open holes for an outdated OS.
Those guest PCs, what are they? Private machines of users, or machines which you have control over and can apply patches to?
If it's the first one, then you could install a blank Windows XP, use Wireshark again to find out the default cipher it has, and leave your server open for hacking; or you can be strict and just not allow outdated Windows in your network.
If it's the second one, then patch those Windows machines, then disable TLS.

The same goes for Plesk. If you are concerned that the communication will break, then patch that application if possible and then disable the old ciphers.

If you struggle with the Wireshark log, you can send me the example traffic privately (don't share Wireshark logs publicly).
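As an added example (not code from the original post, from Plesk or from Microsoft), here is a Python probe that reports the same thing the Wireshark procedure above is looking for, and that speaks to the asker's RDP lockout worry before any cipher is disabled: RDP (MS-RDPBCGR) begins with an X.224 Connection Request carrying RDP_NEG_REQ, and only after the server's RDP_NEG_RSP selects TLS does the TLS handshake start, so the script performs that preamble on port 3389 and then prints the TLS version and cipher suite the server negotiates with this client. The hostname argument and the sample reply bytes are constructed placeholders; run it from the admin workstation against your own server before and after the change and compare the reported suite with the list you plan to disable.

```python
import socket
import ssl
import struct
import sys

PROTOCOL_SSL = 0x00000001      # RDP_NEG_REQ/RSP protocol flags (MS-RDPBCGR): plain TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA) on top of TLS
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03


def build_x224_request(protocols=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes in total)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)  # type, flags, length, protocols
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req       # LI=14, CR, dst-ref, src-ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224     # TPKT: version 3, reserved, length


def parse_x224_response(data):
    """Return selectedProtocol from the server's RDP_NEG_RSP, or raise if it refused TLS."""
    if len(data) < 19 or data[0] != 3 or data[5] != 0xD0:      # TPKT v3 + X.224 Connection Confirm
        raise ValueError("no X.224 Connection Confirm with RDP_NEG_RSP (legacy RDP security or truncated)")
    rtype, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if rtype == TYPE_RDP_NEG_FAILURE:
        raise ValueError("server refused TLS negotiation, failureCode=%d" % value)
    if rtype != TYPE_RDP_NEG_RSP:
        raise ValueError("unexpected negotiation type 0x%02x" % rtype)
    return value


def probe_rdp_tls(host, port=3389, timeout=5):
    """Run the RDP preamble, then a TLS handshake; return (tls_version, cipher, key_bits)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we want the negotiated parameters, not a trust decision
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_request())
        selected = parse_x224_response(sock.recv(19))   # the reply is a single 19-byte TPKT
        if not selected & (PROTOCOL_SSL | PROTOCOL_HYBRID):
            raise RuntimeError("server selected legacy RDP security, no TLS layer to inspect")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()   # OpenSSL name, e.g. ECDHE-RSA-AES256-GCM-SHA384
            return tls.version(), name, bits


# Constructed sample reply (not captured from a real server): the server selects PROTOCOL_SSL.
SAMPLE_NEG_RSP = bytes.fromhex("030000130ed00000123400" "02000800" "01000000")

if __name__ == "__main__":
    print("sample reply selects protocol", parse_x224_response(SAMPLE_NEG_RSP))
    if len(sys.argv) > 1:   # python rdp_tls_probe.py your-server-hostname  (placeholder)
        print("negotiated: %s %s (%d-bit)" % probe_rdp_tls(sys.argv[1]))
```

If the reported suite is one of the TLS_RSA_* suites from the question (Python prints the OpenSSL spelling, e.g. AES256-GCM-SHA384 for TLS_RSA_WITH_AES_256_GCM_SHA384), that client will lose RDP once they are disabled unless it can negotiate an ECDHE suite as well.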
Seth Simmons

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'serialband' (https:#a42827174)
-- 'David Favor' (https:#a42826538)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer