DirectAccess 2012 PCI Compliance - Null Ciphers

  • Question

  • Hi All,

    We recently had a PCI check carried out, and the DA server in particular was flagged with the following:

    SSL Null Cipher Suites Supported

    443/tcp

    www

    Vulnerability

    4.3

    The remote service supports the use of null SSL ciphers.

    The remote host supports the use of SSL ciphers that offer no encryption at all. Note: This is considerably easier to exploit if the attacker is on the same physical network.

    We do have Windows 8 clients within our domain, so I am not sure whether I can entirely disable this feature. I did come across another article which suggests removing the cipher; however, having attempted this, no clients were able to connect whatsoever, Win7 or Win8.

    I am unable to paste the link, but the topic was "SSL Server allows cleartext communication vulnerability - Direct Access Servers 2012 - PCI Scan".

    This is what was suggested:

    Hi,

    This only becomes a big problem if a client machine would request one of the NULL ciphers.

    Here is a link on how to configure SSL ciphers over GPO: [unable to paste link]

    You should not have e.g. TLS_RSA_WITH_NULL_SHA256 in that list.

    None of your DA clients would ever try to use that cipher anyway.

    Regards,

    Lutz

    The majority of our clients utilize Teredo, with a few machines utilizing IP-HTTPS.

    I was just curious whether others have dealt with this in a different way, or elected to ignore this part of a PCI scan?


    • Edited by Gov M Wednesday, March 12, 2014 9:00 AM
    Wednesday, March 12, 2014 8:55 AM

All replies

  • Hi

    The null cipher was introduced in Windows 8 for performance enhancement purposes. In Windows 7 you have dual encapsulation, which can impact user performance. But the use of the null cipher only concerns IP-HTTPS, not IPsec. Have a look at the IPsec tunnel definitions on the client side in wf.msc; it's not a null cipher at all.

    From memory, you should find something like SHA-256 for integrity and AES-CBC 128 for encryption on a Windows 8 DirectAccess-enabled client (I no longer have Windows 7).


    BenoitS - Simple by Design http://danstoncloud.com/blogs/simplebydesign/default.aspx

    • Proposed as answer by Anthirian Thursday, February 20, 2020 3:11 PM
    Wednesday, March 12, 2014 6:06 PM
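The scanner finding in the question, and Benoit's point that only the IP-HTTPS listener on 443/tcp is involved, can both be checked with a small TLS probe. The following is an added example written for this page; it is not code from the thread, from Microsoft, or from the scanner. It sends a single TLS 1.2 ClientHello that offers only the NULL-encryption cipher suites (IDs taken from the IANA TLS cipher suite registry, including the TLS_RSA_WITH_NULL_SHA256 named in the quoted answer) and reports whether the server answers with a ServerHello selecting one of them or refuses with an alert. A server can only pick from the suites the client offered, so a ServerHello here is proof of the finding. The host name, port and the sample ServerHello and alert bytes are constructed for the example, not captured from a real DA server.

```python
import os
import socket
import struct
import sys

# IANA cipher-suite IDs for the NULL-encryption suites Schannel can offer.
# TLS_RSA_WITH_NULL_SHA256 is the one named in the quoted answer.
NULL_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x003B: "TLS_RSA_WITH_NULL_SHA256",
}

# Alert descriptions from RFC 5246 section 7.2 that a probe commonly sees.
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(suites, server_name=None):
    """Return one TLS record carrying a TLS 1.2 ClientHello that offers only `suites`."""
    body = b"\x03\x03"                                  # client_version: TLS 1.2
    body += os.urandom(32)                              # 32-byte client random
    body += b"\x00"                                     # empty session_id
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(suite_bytes)) + suite_bytes
    body += b"\x01\x00"                                 # compression_methods: null only
    extensions = b""
    if server_name:                                     # server_name extension (type 0)
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0, len(name_list)) + name_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    # Record layer: ContentType handshake, legacy record version 3.1 for compatibility
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record a server returned for our NULL-only ClientHello."""
    if len(data) < 5:
        raise ValueError("short TLS record")
    rec_type = data[0]
    payload = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if rec_type == 0x15 and len(payload) >= 2:          # Alert: the suites were refused
        level, desc = payload[0], payload[1]
        return {"accepted": False, "fatal": level == 2,
                "alert": ALERT_NAMES.get(desc, "alert_%d" % desc)}
    if rec_type == 0x16 and payload[:1] == b"\x02":     # Handshake / ServerHello
        # layout: type(1) length(3) version(2) random(32) sid_len(1) sid cipher_suite(2)
        sid_len = payload[38]
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return {"accepted": True, "suite": suite,
                "name": NULL_SUITES.get(suite, "0x%04X" % suite)}
    raise ValueError("unexpected record type 0x%02X" % rec_type)


def probe_null_ciphers(host, port=443, timeout=5.0):
    """Connect to host:port, offer only NULL suites and report what the server chose."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(NULL_SUITES), server_name=host))
        data = b""
        while True:                                     # read until one full record is in
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                break
    return parse_server_response(data)


# Constructed sample (not captured from a real server): a ServerHello selecting
# TLS_RSA_WITH_NULL_SHA256, so the parser can be exercised offline.
_sh_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x3b" + b"\x00"
_sh_handshake = b"\x02" + len(_sh_body).to_bytes(3, "big") + _sh_body
SAMPLE_SERVER_HELLO = b"\x16\x03\x03" + struct.pack("!H", len(_sh_handshake)) + _sh_handshake
# Constructed fatal handshake_failure alert, what a server with NULL suites removed returns.
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    if len(sys.argv) > 1:                               # e.g. python probe.py da.example.test 443
        result = probe_null_ciphers(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    else:                                               # no host given: parse the constructed sample
        result = parse_server_response(SAMPLE_SERVER_HELLO)
    if result["accepted"]:
        print("NULL cipher accepted: %s (finding reproduces)" % result["name"])
    else:
        print("NULL ciphers refused: %s alert" % result["alert"])
```

Run it against the DA server's external IP-HTTPS address (the name is an assumption; substitute your own). A ServerHello choosing TLS_RSA_WITH_NULL_SHA256 means the listener really does offer the suite, which is what the scanner reported; a fatal handshake_failure means it no longer does, which, per the original poster's experience, is also the state in which the DA clients stop connecting. Re-running the probe after any GPO cipher-suite change shows which of the two states the server is in before clients are affected. Note that the probe only sees the outer TLS tunnel; as Benoit's reply explains, the IPsec tunnels inside IP-HTTPS keep their own AES/SHA-256 protection regardless of what this listener negotiates.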