Wednesday, June 17, 2015

Disable Weak Cipher Suites in Servers

Most servers support SSL cipher suites that offer only medium-strength
encryption, which we currently regard as those with key lengths of at least 56
bits. Such suites are considerably easier to exploit if the attacker is on the
same physical network.

Some such weak cipher suites are:
  • DES-CBC(56)
  • DES-CBC(40)
  • RC4(40)
  • RC2(40)

I was administering a set of Windows servers, and here are the steps that I followed to disable these weak cipher suites.

To enable/disable weak cipher suites in Windows Server 2003:

Start Registry Editor (Regedt32.exe), and then locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

To enable this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Or, change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled. This registry key does not apply to an exportable server that does not have an SGC certificate.

To disable this cipher algorithm, change the DWORD value data of the Enabled value to 0x00000001.
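As an added example (not from the original post), the PowerShell script below scripts the registry change for the suites listed above and then reads each key back so the result can be checked. Two details the manual steps do not spell out: the Enabled value is set per cipher, under a subkey of SCHANNEL\Ciphers named for that cipher, and Schannel treats Enabled = 0 as disabled and 0xffffffff as enabled, which is what the script writes. The subkey names 'DES 56/56', 'RC4 40/128' and 'RC2 40/128' are the ones Microsoft documents for Schannel (KB 245030) and are an assumption to verify against the documentation for your OS version; the function names are my own. The .NET registry API is used rather than New-Item/Set-ItemProperty because those subkey names contain a forward slash, which the PowerShell registry provider would read as a path separator.

```powershell
# Added example, not from the original post. Disables the weak Schannel
# ciphers listed in the post by writing Enabled = 0 under
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\<cipher>.
# Assumption: the cipher subkey names below (verify against Microsoft's
# Schannel registry documentation for your OS version). Run from an
# elevated prompt; Schannel reads these values at boot, so reboot afterwards.

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Subkeys for the suites named in the post (56-bit DES, 40-bit RC4, 40-bit RC2).
$WeakCiphers = @('DES 56/56', 'RC4 40/128', 'RC2 40/128')

function Open-SchannelCiphersKey {
    # Opens the Ciphers key with write access, creating it if it is missing.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key = $hklm.OpenSubKey($CiphersPath, $true)
    if ($null -eq $key) { $key = $hklm.CreateSubKey($CiphersPath) }
    return $key
}

function Set-SchannelCipher {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    $ciphers = Open-SchannelCiphersKey
    # CreateSubKey opens an existing key or creates it. The name is passed as a
    # single component, so the '/' in 'RC4 40/128' is stored literally.
    $cipher = $ciphers.CreateSubKey($Name)
    # Schannel semantics: Enabled = 0 disables the cipher, 0xffffffff enables it.
    # -1 as a signed Int32 is written to the registry as DWORD 0xffffffff.
    $data = if ($Enabled) { -1 } else { 0 }
    $cipher.SetValue('Enabled', [int]$data, [Microsoft.Win32.RegistryValueKind]::DWord)
    $cipher.Close()
    $ciphers.Close()
}

function Get-SchannelCipherState {
    # Reports how Schannel will treat a cipher: an absent key or value means
    # the default applies, and the default is enabled.
    param([Parameter(Mandatory = $true)][string]$Name)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $cipher = $hklm.OpenSubKey("$CiphersPath\$Name", $false)
    if ($null -eq $cipher) { return 'NotConfigured (default: enabled)' }
    $data = $cipher.GetValue('Enabled', $null)
    $cipher.Close()
    if ($null -eq $data) { return 'NotConfigured (default: enabled)' }
    if ([int]$data -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# Disable each weak cipher, then read the keys back to confirm the change.
foreach ($name in $WeakCiphers) {
    Set-SchannelCipher -Name $name -Enabled $false
}
foreach ($name in $WeakCiphers) {
    '{0,-12} {1}' -f $name, (Get-SchannelCipherState -Name $name)
}
```

Run the read-back loop on its own before making changes to record the starting state, and again after the reboot; a cipher that still reports 'NotConfigured' after the script ran usually means the subkey name did not match what Schannel expects on that OS version.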

To enable/disable Weak Cipher Suites in Windows Server 2008:

This will be completed later.
