UAG 2010 SP1 Update 1\Windows Server 2008 R2 and Cipher Suite\Protocol Settings

  • Question

  • I am struggling to adjust the cipher suite and protocol settings in UAG SP1 Update 1.

    I've spent the last couple of days working on this, but none of the registry keys I am using appear to have any effect on the UAG default configuration.

    What started out as a simple quest to enable 256 bit client encryption has turned into a couple of days trying to figure out the best combination of protocol and cipher suite settings for the UAG.

    Out of the box when I run a query from ssllabs.com I get a score of 90 and it reports that TLS1.0 and 'SSL 2.0+ upgrade support' are enabled and SSL2.0, TLS1.1, TLS1.2 and SSL3.0 are disabled, and the following cipher suites are available:

    TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
    TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 168
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) 128
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) 256

    I cannot for the life of me manage to enable TLS1.1, TLS1.2 and SSL3.0. I have tried every combination listed on these websites, but nothing seems to have worked:

    http://blog.techstacks.com/2008/10/iis-disabling-sslv2-and-weak-ciphers.html

    http://blog.msfirewall.org.uk/2008/10/hardening-ssl-cipher-strength-and-ssl.html

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030

    http://www.techieshelp.com/how-to-enable-ssl-3-0-server-2008-sbs-2008/

    Is anyone able to confirm where I am going wrong?

    What have other administrators done with their UAG with regards to protocols and cipher suites?

    The config doesn't look bad out of the box but obviously I would like to try and improve it where possible to stay up to date with the latest standards and vulnerabilities.

    Thanks


    • Edited by glloyd78 Thursday, June 28, 2012 6:16 PM
    Thursday, June 28, 2012 6:14 PM
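Before changing anything, it helps to see exactly what Schannel has been told. The following audit script is an added example and is not part of the original post or of UAG; it reads the SCHANNEL Protocols and Ciphers keys on the local server through the .NET registry API and reports, per protocol and per Client/Server side, the raw Enabled and DisabledByDefault values, what the box should effectively offer after a reboot, and any unexpected value names (a mistyped name such as a stray character after Enabled is silently ignored by Schannel and shows up in that column). The out-of-box defaults used where no value is set are an assumption taken from Microsoft's Schannel protocol table for Windows Server 2008 R2; check them against the documentation for your build.

```powershell
# Added example (not from the original thread): audit Schannel protocol and
# cipher registry state on Windows Server 2008 R2 / UAG 2010. Run in an
# elevated PowerShell prompt; the syntax is PowerShell 2.0 compatible.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm     = [Microsoft.Win32.Registry]::LocalMachine

# ASSUMPTION: out-of-box values for Windows Server 2008 R2 as given in
# Microsoft's "Protocols in TLS/SSL (Schannel SSP)" table. They are only used
# where the registry has no value; verify them against the docs for your build.
$osDefault = @{
    'SSL 2.0\Client' = @{ Enabled = 1; DisabledByDefault = 1 }
    'SSL 2.0\Server' = @{ Enabled = 1; DisabledByDefault = 0 }
    'SSL 3.0\Client' = @{ Enabled = 1; DisabledByDefault = 0 }
    'SSL 3.0\Server' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.0\Client' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.0\Server' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.1\Client' = @{ Enabled = 1; DisabledByDefault = 1 }
    'TLS 1.1\Server' = @{ Enabled = 1; DisabledByDefault = 1 }
    'TLS 1.2\Client' = @{ Enabled = 1; DisabledByDefault = 1 }
    'TLS 1.2\Server' = @{ Enabled = 1; DisabledByDefault = 1 }
}

function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($side in 'Client','Server') {
            $name = "$proto\$side"
            $key  = $hklm.OpenSubKey("$schannel\Protocols\$name")
            $enabled = $null; $dbd = $null; $unknown = @()
            if ($key -ne $null) {
                foreach ($v in $key.GetValueNames()) {
                    switch ($v) {
                        'Enabled'           { $enabled = [int]$key.GetValue($v) }
                        'DisabledByDefault' { $dbd     = [int]$key.GetValue($v) }
                        default             { $unknown += $v }   # mistyped names land here
                    }
                }
                $key.Close()
            }
            # A missing value means Schannel falls back to the OS default for that side.
            $effEnabled = $enabled; if ($effEnabled -eq $null) { $effEnabled = $osDefault[$name].Enabled }
            $effDbd     = $dbd;     if ($effDbd     -eq $null) { $effDbd     = $osDefault[$name].DisabledByDefault }
            # Enabled is "any non-zero value": 1 or 0xffffffff (which reads back as -1).
            $offered = ($effEnabled -ne 0) -and ($effDbd -eq 0)
            New-Object PSObject -Property @{
                Protocol          = $name
                KeyExists         = ($key -ne $null)
                Enabled           = $enabled
                DisabledByDefault = $dbd
                EffectiveOffered  = $offered
                UnexpectedValues  = ($unknown -join ',')
            }
        }
    }
}

function Get-SchannelCipherState {
    # The .NET API is used because names like "RC4 40/128" contain "/", which the
    # PowerShell registry provider would treat as a path separator.
    $ciphers = $hklm.OpenSubKey("$schannel\Ciphers")
    if ($ciphers -eq $null) { return }
    foreach ($n in $ciphers.GetSubKeyNames()) {
        $k = $ciphers.OpenSubKey($n)
        New-Object PSObject -Property @{ Cipher = $n; Enabled = $k.GetValue('Enabled') }
        $k.Close()
    }
    $ciphers.Close()
}

Get-SchannelProtocolState |
    Select-Object Protocol, KeyExists, Enabled, DisabledByDefault, EffectiveOffered, UnexpectedValues |
    Format-Table -AutoSize
Get-SchannelCipherState | Format-Table Cipher, Enabled -AutoSize
```

Two things the table makes obvious that a scanner alone does not: a protocol key that exists with only DisabledByDefault=0 but no Enabled value still relies on the OS default for Enabled, and a key that exists on the Client side only has no effect on what an external scanner sees, because the scanner talks to the Server side. Schannel reads these values at boot, so the report describes the state after the next reboot, not necessarily the current one.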

All replies

  • Can you provide some detail on the changes that you are making to try and understand where you are possibly going wrong?

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, July 4, 2012 11:34 AM
  • Hi Jason,

    That sounds encouraging. Firstly, what I am trying to do is disable weak ciphers\protocols and enable additional ciphers\protocols in 2008 R2 to ensure that clients can negotiate with the strongest possible cipher\protocol available to them. I am not aiming for PCI compliance, just best practice without alienating users.

    Some of the difficulties have been to understand what protocols\ciphers are enabled\disabled by default in 2008 r2.

    I rebooted my UAG about 20 times last week trying different registry key combinations to check results, here is a summary of what I tried.

    The first thing I did was to try adding the new keys from this website to disable SSL2.0 and enable SSL3.0 and TLS1.0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\Enabled=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\Enabled=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client\Enabled=dword:00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server\Enabled=dword:00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled=dword:00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled=dword:00000001

    I also tried the above with the DisabledByDefault Key set to dword:00000000 for Enabled (SSL3.0 and TLS1.0) and dword:00000001 for Disabled (SSL2)

    After some testing I also added in the Cipher keys for 'RC2 128/128', 'RC4 128/128' and 'Triple DES 168/168':

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168

    After doing some more reading here, which talked about specifically excluding ciphers you don't want used, I tried adding in the additional keys below to disable the additional ciphers:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56\Enabled=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL\Enabled=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128\Enabled=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128\Enabled=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128\Enabled=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128\Enabled=dword:00000000

    According to this Microsoft Support Article, to enable TLS 1.1 and TLS 1.2 you need to set the DisabledByDefault=dword:00000000 so I tried that as well:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\DisabledByDefault=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\DisabledByDefault=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault=dword:00000000
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\DisabledByDefault=dword:00000000

    and I also tried Enabled=dword:00000001 too:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled=dword:00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled=dword:00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled=dword:00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled=dword:00000001

    And lastly I tried the reg keys as shown here.

    Because I tried so many different combinations, one after the other, I may have ended up with a set of settings that contradicted each other.

    If you can point me to a set of instructions that I can implement from scratch, as I have cleared out all the keys back to the default 2008 R2 setting, it would be greatly appreciated!

    Thanks

    • Edited by glloyd78 Thursday, July 5, 2012 10:40 AM
    Thursday, July 5, 2012 10:38 AM
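The post above asks for a set of instructions that can be applied from scratch on a server whose SCHANNEL keys have been cleared back to the Windows Server 2008 R2 defaults. The script below is an added example and is not from the thread, from Microsoft or from UAG. It exports the SCHANNEL key as a backup, then for every protocol writes both Enabled and DisabledByDefault under both the Client and the Server subkey, so no key is left half-configured the way a series of overlapping experiments can leave it, switches off the weak cipher keys explicitly, and reads the result back. The protocol policy table and the cipher list are assumptions to adjust to your own requirements: SSL 2.0 and SSL 3.0 are left off here (SSL 3.0 is deprecated by RFC 7568), TLS 1.0 through 1.2 are offered, and the key names are the ones Schannel uses, with "/" in cipher names written through the .NET registry API because the PowerShell registry provider treats "/" as a path separator. The backup path under $env:TEMP is also an assumption.

```powershell
# Added example (not from the original thread): apply a from-scratch Schannel
# protocol and cipher configuration on Windows Server 2008 R2 / UAG 2010 and
# read it back. Run in an elevated PowerShell prompt; reboot afterwards, since
# Schannel only reads these values at boot.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$dword    = [Microsoft.Win32.RegistryValueKind]::DWord

# ASSUMED policy: $true = offered, $false = switched off. The Server side is what
# an external scanner sees; the Client side governs UAG's own outbound TLS.
$protocols = @{
    'SSL 2.0' = $false
    'SSL 3.0' = $false   # deprecated (RFC 7568); enable only if a client population truly needs it
    'TLS 1.0' = $true
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

# ASSUMED list of cipher keys to disable explicitly, using Schannel's key names.
$weakCiphers = 'NULL','DES 56/56','RC2 40/128','RC2 56/128','RC4 40/128','RC4 56/128','RC4 64/128'

function Set-Dword($parent, $subKey, $name, [int]$value) {
    # CreateSubKey creates nested keys as needed and keeps "/" literal, which
    # New-Item / New-ItemProperty on HKLM:\ paths cannot do for "RC4 40/128".
    $k = $parent.CreateSubKey($subKey)
    $k.SetValue($name, $value, $dword)
    $k.Close()
}

function Set-SchannelPolicy {
    $backup = Join-Path $env:TEMP ("schannel-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export "HKLM\$schannel" $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed; not touching the registry" }
    Write-Host "Backup written to $backup"

    $root = $hklm.OpenSubKey($schannel, $true)
    if ($root -eq $null) { throw "$schannel not found" }

    foreach ($proto in $protocols.Keys) {
        foreach ($side in 'Client','Server') {
            # Schannel treats any non-zero Enabled as on. Writing both values on
            # both sides removes the "which default applies?" question entirely.
            if ($protocols[$proto]) { $enabled = 1; $dbd = 0 } else { $enabled = 0; $dbd = 1 }
            Set-Dword $root "Protocols\$proto\$side" 'Enabled'           $enabled
            Set-Dword $root "Protocols\$proto\$side" 'DisabledByDefault' $dbd
        }
    }
    foreach ($c in $weakCiphers) {
        Set-Dword $root "Ciphers\$c" 'Enabled' 0
    }
    $root.Close()
}

function Get-SchannelPolicy {
    # Read back exactly what was written, so a typo in a name shows as a gap here.
    foreach ($proto in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($side in 'Client','Server') {
            $k = $hklm.OpenSubKey("$schannel\Protocols\$proto\$side")
            if ($k -eq $null) { continue }
            New-Object PSObject -Property @{
                Key               = "$proto\$side"
                Enabled           = $k.GetValue('Enabled')
                DisabledByDefault = $k.GetValue('DisabledByDefault')
            }
            $k.Close()
        }
    }
}

Set-SchannelPolicy
Get-SchannelPolicy | Format-Table Key, Enabled, DisabledByDefault -AutoSize
Write-Host 'Reboot the server, then re-run the external scan to confirm the offered protocols.'
```

Two cautions when adapting it. Disabling a protocol on the Client side also affects the server's own outbound connections (UAG to published back-end servers, certificate revocation checks and the like), so test those paths after the reboot, not just the external scan. And setting only DisabledByDefault=1 does not switch a protocol off for applications that request it explicitly; Enabled=0 is what actually removes it, which is why the script writes both.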