Re: Disabling Weak Ciphers And SSLv2 in Windows 2008 IIS 7
- From: keithinsac <keithinsac@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 4 Aug 2009 09:27:01 -0700
Thank you Ken. Any help you can provide is greatly appreciated. I have
uploaded an export of the schannel hive from a Windows 2008 server after the
registry settings import if you care to check it out for possible errors.
http://www.evansis.com/download/20090727_SCHANNEL.txt
Thanks! Keith
-------------------------
"Ken Schaefer" wrote:
According to:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04
your last reg key should disable SSL v2. I will look into the other things
you mention.
Cheers
Ken
"keithinsac" <keithinsac@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0464877A-9F69-4FD7-9504-D29A3D0FAB1E@xxxxxxxxxxxxxxxx
I have a vulnerability scanning service that is detecting that weak ciphers
(<128bit) and SSL v2 are available on installations of W2k8/IIS7. I have been
through at a minimum 20 forums, blogs and posts and they all seem to point to
the traditional registry settings update that we've been doing since W2k. I
have had my admins import these settings and confirmed them and they don't
seem to do the job (post configuration change, reboot, rescan). Below are the
contents of the reg file I have requested they import, but alas it's still
showing in the post scan. I have seen in one article
(http://learn.iis.net/page.aspx/144/how-to-setup-ssl-on-iis-70/) that you can
Require SSL at a site level through the IIS Manager, but I want to secure
this through the server level and not just site-by-site.
Registry Settings:
----------------------------------------------------------------------------
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
----------------------------------------------------------------------------
Please assist. Thank you, Keith
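
A check for an exported SCHANNEL .reg text like the one discussed in this thread, as an added example that is not part of the original posts: it parses the export, reports whether each key from the posted file carries Enabled=0, and flags key headers that do not close on the same line. The names parse_reg, audit and SAMPLE are hypothetical, the sample export is constructed, and the export is assumed to be already decoded to text.

```python
import re
# Subkeys from the .reg file in the post, relative to ...\SecurityProviders\SCHANNEL
EXPECTED = [
    r"Ciphers\DES 56/56", r"Ciphers\NULL", r"Ciphers\RC2 40/128",
    r"Ciphers\RC2 56/128", r"Ciphers\RC4 40/128", r"Ciphers\RC4 56/128",
    r"Ciphers\RC4 64/128", r"Protocols\PCT 1.0\Server", r"Protocols\SSL 2.0\Server",
]
ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
def parse_reg(text):
    """Return ({lowercased key path: {value name: int}}, [malformed header lines])."""
    keys, bad, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            if line.endswith("]"):
                current = keys.setdefault(line[1:-1].lower(), {})
            else:                      # header wrapped onto the next line
                bad.append(line)
                current = None         # values that follow belong to no valid key
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys, bad

def audit(text):
    """Map each expected subkey to 'disabled', 'enabled' or 'missing'."""
    keys, bad = parse_reg(text)
    report = {}
    for sub in EXPECTED:
        values = keys.get((ROOT + "\\" + sub).lower())
        if values is None or "enabled" not in values:
            report[sub] = "missing"
        else:
            report[sub] = "disabled" if values["enabled"] == 0 else "enabled"
    return report, bad

# Constructed sample export: one good key, one wrapped header, one left enabled.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "[" + ROOT + r"\Ciphers\NULL]", '"Enabled"=dword:00000000',
    "[" + ROOT + r"\Ciphers\DES", "56/56]", '"Enabled"=dword:00000000',
    "[" + ROOT + r"\Protocols\SSL 2.0\Server]", '"Enabled"=dword:00000001',
])
if __name__ == "__main__":
    report, bad = audit(SAMPLE)
    for sub in EXPECTED:
        print(f"{report[sub]:9} {sub}")
    print("malformed headers:", bad)
```

A "missing" result only means the export lacks that key or its Enabled value; it says nothing about what the server negotiates, which still needs a rescan to confirm.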