Restrict Weak Ciphers in Windows Server 2003

By NadelOwesYou530
I have scanned a server with Tenable Nessus 3 security auditing software and I keep getting these two items as a medium threat.

------------------------------

Supported SSL Ciphers Suites

Synopsis :
The remote service encrypts communications using SSL.

Description :
This script detects which SSL ciphers are supported by the remote
service for encrypting communications.

See also :
http://www.openssl.org/docs/apps/ciphers.html

Risk factor :
None

Plugin output :
Here is the list of SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

High Strength Ciphers (>= 112-bit key)
SSLv3
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(16 Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(12 Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(12 Mac=SHA1
TLSv1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(16 Mac=SHA1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(12 Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(12 Mac=SHA1

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}


Nessus ID : 21643

------------------------------

Weak Supported SSL Ciphers Suites

Synopsis :
The remote service supports the use of weak SSL ciphers.

Description :
The remote host supports the use of SSL ciphers that offer either weak
encryption or no encryption at all.

See also :
http://www.openssl.org/docs/apps/ciphers.html

Solution :
Reconfigure the affected application if possible to avoid use of weak
ciphers.

Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output :
Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The fields above are :
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Nessus ID : 26928

------------------------------

I have found a couple of websites with a solution that seems to work for everyone. You simply go to the registry key:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

Then you simply create a DWORD "Enabled" and put a hex 0 in the field. This is necessary for all the ciphers with less than 128-bit encryption.

I currently have "Enabled = 0" in these keys:
DES 56/56
NULL
RC2 40/128
RC4 40/128
RC4 56/128

and I have "Enabled = 0" in Protocols:
PCT 1.0 - Server and Client
SSL 2.0 - Server and Client

I did not edit Ciphers:
RC2 128/128
RC4 128/128
Triple DES 168/168

and Protocols:
SSL 3.0
TLS 1.0

However, when I re-scan the machine, I still get the same vulnerabilities in Nessus 3. I have rebooted and still have the same result.

I am running a Windows Server 2003 OS, SP1 with up-to-date patches.

This server hosts a web server with ASP.NET applications installed and running.

Is there something I am missing other than the registry keys?

Please Advise.
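A read-only audit script, added here as an example and not taken from this thread, that checks the SCHANNEL Ciphers and Protocols keys named in the question through the .NET registry API instead of the PowerShell registry provider: the provider treats the "/" in names such as "RC4 40/128" as a path separator, so a key created with New-Item lands in the wrong place and the cipher stays enabled. The key and value names are the ones listed above; the function name is my own.

```powershell
# Audit SCHANNEL cipher/protocol state (added example, read-only).
# Microsoft.Win32.RegistryKey is used directly because the PowerShell registry
# provider splits "RC4 40/128" at the "/" into two nested keys, which SCHANNEL
# never reads, so the scanner keeps reporting the cipher as supported.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys from the question; a REG_DWORD "Enabled" of 0 disables each one.
$ciphers   = 'NULL', 'DES 56/56', 'RC2 40/128', 'RC4 40/128', 'RC4 56/128',
             'RC2 128/128', 'RC4 128/128', 'Triple DES 168/168'
$protocols = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'

function Get-SchannelState([string]$SubPath) {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $hklm.OpenSubKey("$base\$SubPath")
    if ($key -eq $null) { return 'key missing (OS default applies)' }
    $value = $key.GetValue('Enabled')
    if ($value -eq $null) {
        $key.Close()
        return 'Enabled value missing (OS default applies)'
    }
    # A common mistake is creating "Enabled" as REG_SZ; SCHANNEL ignores it.
    $kind = $key.GetValueKind('Enabled')
    $key.Close()
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return "WRONG TYPE: Enabled is $kind, must be REG_DWORD"
    }
    if ($value -eq 0) { return 'disabled (Enabled=0)' }
    return ('enabled (Enabled=0x{0:x})' -f $value)
}

foreach ($c in $ciphers) {
    '{0,-28} {1}' -f "Ciphers\$c", (Get-SchannelState "Ciphers\$c")
}
foreach ($p in $protocols) {
    foreach ($side in 'Server', 'Client') {
        '{0,-28} {1}' -f "$p $side", (Get-SchannelState "Protocols\$p\$side")
    }
}

# To create a key with a "/" in its name correctly (write path, left commented
# out so this audit stays read-only):
# $k = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\Ciphers\RC4 40/128")
# $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord); $k.Close()
```

Any line reporting "key missing" or "WRONG TYPE" for a cipher the scan still lists is the first thing to fix; a reboot is still needed for SCHANNEL to pick up the change.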


Does anyone have a solution?

by james.hon In reply to Restrict Weak Ciphers in ...

I have the exact problem, but the scan is still showing the same vulnerabilities. We are using Windows 2003 Server SP2. Can you let me know if there are other settings that I should check?
Thanks.
