Comments on: Windows / IIS SSL – Restrict Weak Ciphers http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/ Another TechBlog Tue, 25 May 2010 18:20:21 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Removing weak ciphers / protocols from Windows Server 2003 IIS 6 « Jonathan McLeod Blog http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-482 Removing weak ciphers / protocols from Windows Server 2003 IIS 6 « Jonathan McLeod Blog Tue, 25 May 2010 18:20:21 +0000 http://www.curtis-lamasters.com/?p=86#comment-482 [...] http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/ [...] [...] http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/ [...]

]]> By: Steve http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-193 Steve Thu, 21 May 2009 19:31:48 +0000 http://www.curtis-lamasters.com/?p=86#comment-193 Hello In reply to John It does scan any and all servers behind the public ip... Assuming that this is a netscaler / load balancer for multiple web servers. The Virtual IP assigned represents all of the backend physical ips associated to the individual web sites. Best bet is to determine the physical ips associated to the Virtual IP that is throwing a positive from the scan. When that is done you'll need to find the actual servers that these reside on. Apply these patches as directed above to those servers. Make sure you capture / back up the existing entries in the registry as I have seen this cause client issues with non IE browsers. Good Luck! Steve Hello
In reply to John

It does scan any and all servers behind the public ip… Assuming that this is a netscaler / load balancer for multiple web servers. The Virtual IP assigned represents all of the backend physical ips associated to the individual web sites. Best bet is to determine the physical ips associated to the Virtual IP that is throwing a positive from the scan. When that is done you’ll need to find the actual servers that these reside on. Apply these patches as directed above to those servers. Make sure you capture / back up the existing entries in the registry as I have seen this cause client issues with non IE browsers.

Good Luck!

Steve

]]> By: John http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-192 John Mon, 27 Apr 2009 23:56:12 +0000 http://www.curtis-lamasters.com/?p=86#comment-192 Hello, I am having the same problems with these ciphers and security metrics. I have disabled everything lower than 128 and I am still not passing the scan. Does anyone know if security metrics scans every server and workstation behind our Public IP or is it just the server that is port forwarded? I have been working on this for almost a month now and the security metrics tech support is of no help at ALL (what a joke), they do not even know what their tests scans!! Any help would be greatly appreciated. Thanks! Hello,

I am having the same problems with these ciphers and security metrics. I have disabled everything lower than 128 and I am still not passing the scan. Does anyone know if security metrics scans every server and workstation behind our Public IP or is it just the server that is port forwarded? I have been working on this for almost a month now and the security metrics tech support is of no help at ALL (what a joke), they do not even know what their tests scans!! Any help would be greatly appreciated.

Thanks!

]]> By: clamasters http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-190 clamasters Mon, 30 Mar 2009 17:00:05 +0000 http://www.curtis-lamasters.com/?p=86#comment-190 Your mileage may vary. I have run this on 30 plus servers with zero issues but usually depending on the OS/Browser version of the client viewing the site/application, you may experience issues. Your mileage may vary. I have run this on 30 plus servers with zero issues but usually depending on the OS/Browser version of the client viewing the site/application, you may experience issues.

]]> By: Yong http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-189 Yong Mon, 30 Mar 2009 16:16:32 +0000 http://www.curtis-lamasters.com/?p=86#comment-189 Any of this alteration affect your application? Any of this alteration affect your application?

]]> By: Marty http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-184 Marty Fri, 27 Feb 2009 01:35:20 +0000 http://www.curtis-lamasters.com/?p=86#comment-184 Mahalo Nui Loa (Thank you very much in Hawaiian) Your solution worked great!!! Really appreciate you publishing it. Mahalo Nui Loa (Thank you very much in Hawaiian)

Your solution worked great!!! Really appreciate you publishing it.

]]> By: Calazan http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-180 Calazan Wed, 28 Jan 2009 00:53:37 +0000 http://www.curtis-lamasters.com/?p=86#comment-180 Thanks! We passed the SecurityMetrics PCI scan by following your instructions. Pav, for us we disabled the following: DES 56/56 RC2 40/128 RC4 40/128 RC4 56/128. And like the others said, SSL 2.0 support should also be disabled. Thanks! We passed the SecurityMetrics PCI scan by following your instructions.

Pav, for us we disabled the following:
DES 56/56
RC2 40/128
RC4 40/128
RC4 56/128.

And like the others said, SSL 2.0 support should also be disabled.

]]> By: » IIS Security Scan: The remote service supports the use of weak SSL ciphers Calazan.com: Share the Knowledge http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-179 » IIS Security Scan: The remote service supports the use of weak SSL ciphers Calazan.com: Share the Knowledge Wed, 28 Jan 2009 00:42:19 +0000 http://www.curtis-lamasters.com/?p=86#comment-179 [...] goes to this website for this solution: http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/ addthis_url = [...] [...] goes to this website for this solution: http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/ addthis_url = [...]

]]> By: Rick http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-177 Rick Thu, 22 Jan 2009 22:29:06 +0000 http://www.curtis-lamasters.com/?p=86#comment-177 Everyone's one a PCI compliance kick...this: http://support.microsoft.com/kb/245030/en-us tells how to only support SSL 3.0 or TLS 1.0 and not SSL 2.0 in a nutshell: regedit to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols then set the below to dword "Enabled", value 0x0 \PCT 1.0\Client \PCT 1.0\Server \SSL 2.0\Client \SSL 2.0\Server Everyone’s one a PCI compliance kick…this: http://support.microsoft.com/kb/245030/en-us
tells how to only support SSL 3.0 or TLS 1.0 and not SSL 2.0

in a nutshell:
regedit to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
then set the below to dword “Enabled”, value 0×0

\PCT 1.0\Client
\PCT 1.0\Server
\SSL 2.0\Client
\SSL 2.0\Server

]]> By: Pav http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/comment-page-1/#comment-176 Pav Tue, 20 Jan 2009 14:37:36 +0000 http://www.curtis-lamasters.com/?p=86#comment-176 James, Joey - did it sort out Security Metrics for you. I'm still having problems with the ciphers. Let me know if you got it right. James, Joey – did it sort out Security Metrics for you. I’m still having problems with the ciphers. Let me know if you got it right.

]]>