Harden Microsoft Windows IIS SSL Protocols, Ciphers, Hashes and Key Exchange Algorithms

To meet PCI DSS, FIPS 140-2 and other compliance requirements it may be necessary to harden IIS servers by disabling SSL 2.0 and configuring them to accept only SSL 3.0, TLS 1.0, TLS 1.1 or higher. SSL 3.0 has been supported by the major browsers since 1996, so turning SSL 2.0 off does not lock out any realistic client.

Note, however, that SSL 3.0 itself was broken after this was written (the POODLE attack, October 2014), and TLS 1.0 and 1.1 have since been deprecated (RFC 8996) and no longer satisfy PCI DSS. On a current system the safe end state is to leave only TLS 1.2 and later enabled; the same SCHANNEL registry mechanism described for SSL 2.0 is used for each of the older protocols.

This is also described in the following articles:

  • For IIS, this is done in the registry by setting the Enabled value under the SCHANNEL protocol key for SSL 2.0 to zero:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\Enabled = 0x00000000 (0), DWORD (32-bit) Value

A matching Client subkey under the same protocol key controls SSL 2.0 for outbound connections made by the server itself. SCHANNEL only reads these keys at start-up, so the change takes effect after a reboot.

  • For Apache, this is done by editing the Apache SSL configuration and adding the following line (which removes all ciphers and replaces them with High and Medium, >128-bit):
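
The IIS registry step above, carried out from an elevated PowerShell prompt, as an added example that is not part of the original post. It disables SSL 2.0 on both the Server and Client side of SCHANNEL exactly as described, and goes a step further than the post by also disabling SSL 3.0 (broken by POODLE after the post was written), explicitly enabling TLS 1.2, and turning off a few weak ciphers under the sibling Ciphers key that the page title refers to. The DisabledByDefault pairing, the cipher key names and the reboot requirement are Microsoft's documented SCHANNEL behaviour; the function names and the list of ciphers chosen are this example's own.

```powershell
# Added example, not the original post's script. Run elevated; reboot afterwards,
# because SCHANNEL reads these keys only at start-up.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'SSL 2.0', 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($Side in 'Server', 'Client') {
        $Key = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Enabled = 0 switches the protocol off outright. DisabledByDefault = 1 is the
        # documented companion value: it also stops applications that do not specify a
        # protocol list from negotiating it. For an enabled protocol both are inverted.
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reads the values back so the result can be checked before rebooting.
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($Side in 'Server', 'Client') {
        $Key   = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
        $Props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $Side
            Enabled           = if ($null -ne $Props -and $null -ne $Props.Enabled) { $Props.Enabled } else { 'OS default' }
            DisabledByDefault = if ($null -ne $Props -and $null -ne $Props.DisabledByDefault) { $Props.DisabledByDefault } else { 'OS default' }
        }
    }
}

function Disable-SchannelCipher {
    # Cipher key names such as 'RC4 128/128' contain a forward slash, which the
    # PowerShell registry provider treats as a path separator (New-Item would create
    # a nested 'RC4 128\128'). The .NET registry API splits only on backslash, so
    # use it directly for this key.
    param([Parameter(Mandatory)][string]$Cipher)
    $Root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    $Key = $Root.CreateSubKey($Cipher)
    $Key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close(); $Root.Close()
}

# The step the post describes: SSL 2.0 off.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
# Beyond the post: SSL 3.0 off as well, TLS 1.2 explicitly on.
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
# Weak ciphers chosen for this example; the key names are the SCHANNEL ones.
'NULL', 'DES 56/56', 'RC4 128/128' | ForEach-Object { Disable-SchannelCipher -Cipher $_ }

'SSL 2.0', 'SSL 3.0', 'TLS 1.2' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Format-Table -AutoSize
```

After the reboot, confirm from outside the box with the SSLScan-style check shown in the screenshot below (sslscan, or nmap's ssl-enum-ciphers script, against port 443): SSL 2.0 and SSL 3.0 should no longer appear in the list of offered protocols, and the NULL, DES and RC4 suites should be gone from the cipher list.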

IIS Crypto Screenshot: [image]

SSLScan Screenshot: [image]

Force client-side browsers to use SSL 3.0 and TLS 1.x

(Disable SSL 2.0)

In Internet Explorer these are the "Use SSL 2.0", "Use SSL 3.0" and "Use TLS 1.0/1.1/1.2" checkboxes under Internet Options > Advanced > Security: clear "Use SSL 2.0" and leave the TLS entries checked. For the same reason as on the server side, "Use SSL 3.0" should also be cleared on any current system.

IE Ciphers Screenshot: [image]
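
The browser-side setting from the screenshot above, driven from PowerShell instead of the Internet Options dialog, as an added example that is not part of the original post. The checkboxes map onto the SecureProtocols DWORD bitmask under the user's Internet Settings key; the bit values are the ones Microsoft documents for that value, while the function names are this example's own.

```powershell
# Added example, not the original post's script. Sets the Internet Explorer
# "Use SSL/TLS" checkboxes for the current user through their registry backing value.

$IESettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName     = 'SecureProtocols'

# Bit values of the SecureProtocols DWORD (Microsoft-documented).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Set-IESecureProtocols {
    # Enables exactly the named protocols; everything not listed is cleared.
    param([Parameter(Mandatory)][string[]]$Enable)
    $Mask = 0
    foreach ($P in $Enable) {
        if (-not $ProtocolBits.Contains($P)) { throw "Unknown protocol '$P'" }
        $Mask = $Mask -bor $ProtocolBits[$P]
    }
    New-ItemProperty -Path $IESettingsKey -Name $ValueName -PropertyType DWord `
        -Value $Mask -Force | Out-Null
    return $Mask
}

function Show-IESecureProtocols {
    # Decodes the current value back into one row per protocol.
    $Value = (Get-ItemProperty -Path $IESettingsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $Value) {
        Write-Output "$ValueName is not set; Internet Explorer is using its built-in default"
        return
    }
    foreach ($P in $ProtocolBits.Keys) {
        [pscustomobject]@{ Protocol = $P; Enabled = [bool]($Value -band $ProtocolBits[$P]) }
    }
}

# What the screenshot does: SSL 2.0 off, SSL 3.0 and TLS 1.0-1.2 on, i.e. 0xAA0.
# Dropping 'SSL 3.0' from the list (0xA80) is the right choice on a current system.
$Mask = Set-IESecureProtocols -Enable 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
'SecureProtocols = 0x{0:X}' -f $Mask
Show-IESecureProtocols | Format-Table -AutoSize
```

This is a per-user setting. To enforce it across a domain, the Internet Explorer Group Policy "Turn off encryption support" (Internet Control Panel > Advanced Page) writes the same bitmask under the Policies hive and overrides whatever the user has ticked.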
