Windows / IIS SSL – Restrict Weak Ciphers

June 21, 2008

I have been on a bit of a security kick lately, with my time at work spent thwarting SQL injection attempts, securing web servers, administering firewalls and so much more. I have been doing some pretty repetitive tasks, so I thought I'd put them up here to help me remember how to do these very important tasks.

This piece is on restricting the weak SSL ciphers your web server will accept. Nessus and some other security auditing tools will detect this one with ease, so there's really no good excuse not to lock it down. Basically, what we are going to do is remove the ability for web clients (IE, Firefox, Safari, Opera, etc.) to connect to the web server with anything but 128-bit or greater SSL encryption. This just sounds like a good deal anyway, if you ask me.

An example of a weak cipher is, as I mentioned above, anything using less than 128-bit encryption. There are about a dozen such cipher suites, from SSL_RSA_EXPORT1024_WITH_RC4_56_SHA to SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5. Yes, I know that sounds cryptic, and it really is (pun intended). So what we need to do is scan the host first. You can use Tenable Nessus or your choice of scanning utility, but we want to see what it comes up with. Chances are, if you were diligent during the setup of the server, you may not have to do this, but if you're in the other 95% out there, then you will need to do the following.

Open "regedit" and find the key
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

This key has a number of subkeys below it, one per cipher. Next we will want to disable anything whose key name contains a number less than 128: e.g. RC2 40/128 we will disable, but RC2 128/128 we will not. Clear as mud? To disable a cipher, click on the subkey you want to disable and create a new DWORD value named Enabled. Keep the value data at 0 (Hex). This prevents SCHANNEL from ever negotiating that cipher. You could also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

I would do this for RC2 40/128, RC4 40/128 and RC4 56/128. I feel better already. Hopefully you will too after you get this done on your website.
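The same change scripted in PowerShell, as an added example that is not part of the original post: it disables the three ciphers listed above under the SCHANNEL\Ciphers key and then prints the state of every cipher subkey so you can verify the result. The list of cipher names ($weakCiphers) is an assumption taken from this post; extend it to whatever your scan flags. Run it from an elevated prompt, and reboot afterwards, since SCHANNEL reads these keys at startup.

```powershell
# Added example (not the original post's code). Run elevated; reboot for SCHANNEL to pick up the change.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
# Assumed list: the ciphers named in the post. Add others your scanner reports.
$weakCiphers = @('RC2 40/128', 'RC4 40/128', 'RC4 56/128')

# The cipher subkey names contain "/", which the HKLM: drive provider treats as a
# path separator, so New-Item/New-ItemProperty cannot address them. Use the .NET
# registry API instead, which takes the name literally.
$base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
if ($null -eq $base) { throw "Key not found: HKLM\$ciphersPath" }

foreach ($name in $weakCiphers) {
    # CreateSubKey opens the key if it already exists and creates it otherwise.
    $key = $base.CreateSubKey($name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Write-Host "Disabled cipher: $name"
}

# Audit pass: list every cipher subkey and whether it is explicitly disabled.
# A missing Enabled value means the cipher is left at its default (enabled).
Write-Host "`nCipher state under HKLM\$ciphersPath"
foreach ($name in $base.GetSubKeyNames()) {
    $key = $base.OpenSubKey($name)
    $enabled = $key.GetValue('Enabled', $null)
    $state = if ($null -eq $enabled) { 'default (enabled)' }
             elseif ($enabled -eq 0) { 'DISABLED' }
             else { 'enabled' }
    '{0,-16} {1}' -f $name, $state
    $key.Close()
}
$base.Close()
```

Re-run the Nessus scan after the reboot; the weak-cipher finding should clear once the server no longer offers the disabled suites.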

NOTE: This may break some clients/servers/applications so I take no responsibility for YOUR actions. 🙂
