none
disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption & disable MD5 and 96-bit MAC algorithms - Windows 2008 Std SP2

    Question

  • Friends,

    We have received Vulnerability scan report for our WS_FTP server and suggested below actions..

    1. SSH Server CBC Mode Ciphers Enabled - Disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

    The following client-to-server Cipher Block Chaining (CBC) algorithms
    are supported :
    3des-cbc
    aes128-cbc
    aes192-cbc
    aes256-cbc
    blowfish-cbc

    The following server-to-client Cipher Block Chaining (CBC) algorithms
    are supported :
    3des-cbc
    aes128-cbc
    aes192-cbc
    aes256-cbc
    blowfish-cbc
    cast128-cbc

    2. SSH Weak MAC Algorithms Enabled - Disable MD5 and 96-bit MAC algorithms

    The following client-to-server Message Authentication Code (MAC) algorithms are supported :
    hmac-md5
    hmac-md5-96
    hmac-sha1-96
    The following server-to-client Message Authentication Code (MAC) algorithms are supported :
    hmac-md5
    hmac-md5-96
    hmac-sha1-96

    No Proper steps or Instructions are available on Internet regards to these two points, could you please suggest...

    Regards,

    SH,



    MCP, MCTS

    Monday, August 31, 2015 5:05 AM

Answers

  • Hi,

    To disable a certain cipher suite in SCHANNEL, we may edit the registry below:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites]

    For detailed procedure, please refer to the link below:

    https://support.microsoft.com/en-us/kb/245030

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, September 7, 2015 2:00 AM
    Moderator

All replies

  • Hi,

    To disable a certain cipher suite in SCHANNEL, we may edit the registry below:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites]

    For detailed procedure, please refer to the link below:

    https://support.microsoft.com/en-us/kb/245030

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, September 7, 2015 2:00 AM
    Moderator
  • While not "incorrect" Steven's answer is incomplete.

    The linked article is a very good description for how to enable and disable cipher suites like SSL 2.0 etc, but SH's pen test comments posted are also concerned about the mode of operation of the ciphers used - specifically about removing the use of CBC (Cipher Block Chaining) and using Counter (CTR) or Galois Counter (GCM). This is not fully covered in that answer.

    In order to direct how the transport security is negotiated in this more granular level, they will also need to look at the content and ordering of the Functions list. This controls the preferred order and what is acceptable when the transport security is negotiated between server/webserver and client/browser.

    HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002  Functions

    Removal of CBC modes of operation from the list would prevent their sucesful negociation, but removal of all CBC is likely to have negative impact. Adjusting this list must be done with great care as misconfiguration will prevent sucesful connections. Support for modern modes of block cipher operation such as e.g. AES-GCM are still not completely widespread (March 2016) in all clients/browsers and OS versions. 

    As with much of crypto, what might be appropriate for state top-secrets and what might be appropriate for information of very low confidentiality won't always be the same. A balanced approach for information assurance is needed depending on the categorization of the specific information and not an approach like CBC is "bad" GCM is "good".

    S.H. should probably return to his/her pen testers to discuss whether their specific use of CBC modes may be acceptable for a while longer until GCM is better adopted, before testing any adjustements to the Functions list.
    Tuesday, March 8, 2016 9:46 AM
  • Hi HI_SGH,

    Have you solve the problem? I got the same scan report from the auditor. Please kindly let me know if you have the solution. Thanks!

    Regards,

    Leo

    Tuesday, July 18, 2017 8:58 AM
  • Any update with your hunt for solution ?

    Please do share.

    Thanks.

    D

    Friday, November 3, 2017 5:02 PM