SSL

Disable unsafe ciphers and SSL 2.0/3.0 on your server

One step to improve the security on your servers, would be to disable SSL 2.0 and 3.0 as well as the unsafe ciphers RC4. This can be done using the following registry changes on your server.
Note: When you disable SSL 2.0 and 3.0 on your servers, clients will no longer be able to connect using that. See this post for additional reference.

RC4 Cipher

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

SSL 2.0 and 3.0

Windows Registry Editor Version 5.00
[HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
"Enabled"=dword:00000000
[HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
"Enabled"=dword:00000000

References:
https://en.wikipedia.org/wiki/RC_algorithm
https://jesperarnecke.wordpress.com/2014/04/24/web-server-security-ssltls/
https://technet.microsoft.com/en-us/library/dn786418.aspx

Advertisements

Web Server security – SSL/TLS

Following the recent attention from the Heartbleed vulnerability, it might be a good idea to have a look at your general SSL/TLS configuration. Being unable to write something more accurate I’ve only supplied to links which details out SSL/TLS versions and support on the different Windows O/S and a free SSL testing tool.
Which protocol is used depends on the server/client negotiated compatibility level. It will, by default use highest possible. – However exploiters will always use lowest possible 🙂

Support for SSL/TLS protocols on Windows
http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx

SSL Test tool
https://www.ssllabs.com/ssltest/