none
How do you disable SSL\ CBC Ciphers and Weak Algorythms in Windows Server 2003

    Question

  • Hello, and please accept my humble thanks in advance.The problem that I'm having is the protocols listed below must be disabled on my Windows 2003 (IIS) Servers before we can pass a PCI audit. Now I've taken care of all of this on Windows 2008R2, but not without days and nights of searching the internet for information that is not only clear to understand but accurate, however, I'm not having much luck with 2003.

    Vulnerabilities:

    SSL Server Supports CBC Ciphers for SSLv3
    SSL Server Supports CBC Ciphers for TLSv1
    SSL Server Supports RC4 Ciphers for SSLv3
    SSL Server Supports RC4 Ciphers for TLSv1
    SSL Server Supports Weak MAC Algorithms for SSLv3
    SSL Server Supports Weak MAC Algorithms for TLSv1

    Here's what I've tried, I've done the registry edit as follows, it did not work;

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
    "EventLogging"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

    Here's what I've tried, I've installed the Microsoft Security Bulletin MS12-006 - Important Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584), it did not work for those issues but it did close the SSLv2.0 problem.

    Is there ANY reason why the registry edit would not work?

    Again, thank you.

    Don

    Also,

    Has anyone seen or used this Hotfix... what is it and how would it relate to this issue.

    An update is available to adds support for the TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and the TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES cipher suites in Windows Server 2003

    http://support.microsoft.com/kb/948963


    • Edited by Don_Jackson Monday, December 16, 2013 7:20 PM
    Monday, December 16, 2013 5:38 PM

All replies

  • Hi,

    Hope we could find helpful information in the below KB:

    How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll

    http://support.microsoft.com/kb/245030

    Please go through it.

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Regards, Yan Li

    Tuesday, December 17, 2013 7:00 AM
    Moderator
  • Thanks, I've read this at least three times... but this just happens to be one of the article that is the main cause of confusion, mostly because it does not separate OR explain (clearly) the differences in the registries. It's very clear as how this relates to Windows Server 2008r2, but that's it... and if you looked at what I've posted you'll see that what I've done to this point is what is in that article, but thanks for your help, it's really appreciated.
    Tuesday, December 17, 2013 2:38 PM
  • Have you installed that hotfix already?

    This update adds support for the following Advanced   Encryption Standard (AES) cipher suites   in the Schannel.dll module for Windows Server 2003:   

    • TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA

    These cipher suites are based on the RC4 algorithm.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, December 20, 2013 11:43 AM
  • I've used Crypto,a freeware tool to manage the ciphers used on a server:

    https://www.nartac.com/Products/IISCrypto/


    Johan Loos

    Monday, December 23, 2013 7:33 AM