Securing your IIS Servers


So, if you didn't know, SSLv3 is no longer a good way to secure your HTTPS transmissions. Heck, technically TLS 1.0 and 1.1 shouldn't even be used anymore.

The big thing that started this was the POODLE attack. In a nutshell, it was a problem with the CBC encryption scheme. This allows crackers to inject JavaScript into the user's browser and view encrypted traffic. Hooray!!! o_O

So, what can be done?

First, from a browser perspective -- disable SSLv3!!! If it's not already.

Second, get your IIS servers configured!

I've done all my changes through the registry and System Center Configuration Manager 2012 R2 SP1. I did it this way instead of GPO because I didn't want the registry edits running every single time. SCCM allows me to push out the registry change through a .bat. I can then see who's successfully run it, who didn't, and who will. Those registry settings are then monitored through the Compliance section in SCCM.

For ease of this thread, I won't get into an SCCM deployment since not everyone has this...even though it's a sexy program!

Below is the code for which areas to enable and disable.
The SSL protocol settings are stored under the following key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\*SSL VERSION*\Client AND Server] <-- two sections. One for Client and one for Server

The main DWORDs are Enabled and DisabledByDefault.

If you want a protocol to be used you need to set Enabled to 00000001 and DisabledByDefault to 00000000. This ensures the protocol is available (DisabledByDefault) and Enabled for use.

Below, I have SSL 2.0 and 3.0 disabled for Server and Client and all of TLS enabled. I have all TLS enabled for the sake of this article because not everyone can switch to TLS 1.2 due to some web applications/servers not supporting it. I've created a *note at the end as well to further talk about this.

Windows Registry Editor Version 5.00

; SSL 2.0 and SSL 3.0: disabled for both Client and Server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

; TLS 1.0, 1.1 and 1.2: enabled for both Client and Server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

After you use whatever deployment method you'd like, you MUST reboot for the changes to take effect. It's a Microsoft server...of course you need to reboot. :annoyed:
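
To confirm the settings after the reboot, here is an added example (not from the original post) that reads the SCHANNEL protocol keys described above and compares them to the state this article aims for. The function name Get-SchannelProtocolState and the $Desired table are illustrative names chosen for this example.

```powershell
# Added example: audit SCHANNEL protocol settings against the state this article
# describes (SSL 2.0/3.0 disabled, TLS 1.0-1.2 enabled). Names are illustrative.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: $true = protocol should be enabled, $false = disabled.
$Desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $true
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)   # Role is 'Client' or 'Server'

    $key   = "$Base\$Protocol\$Role"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing key or value means the OS default applies, which differs by
    # Windows version, so report 'NotSet' instead of guessing.
    if ($null -eq $props -or $null -eq $props.Enabled -or $null -eq $props.DisabledByDefault) {
        return 'NotSet'
    }
    if ($props.Enabled -ne 0 -and $props.DisabledByDefault -eq 0) { return 'Enabled' }
    if ($props.Enabled -eq 0 -and $props.DisabledByDefault -ne 0) { return 'Disabled' }
    return 'Mixed'   # the two values disagree, e.g. Enabled=1 with DisabledByDefault=1
}

$report = foreach ($protocol in $Desired.Keys) {
    foreach ($role in 'Client', 'Server') {
        $actual   = Get-SchannelProtocolState -Protocol $protocol -Role $role
        $expected = if ($Desired[$protocol]) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{
            Protocol  = $protocol
            Role      = $role
            Expected  = $expected
            Actual    = $actual
            Compliant = ($actual -eq $expected)
        }
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a deployment or compliance tool flag the machine.
if ($report.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Save it as a .ps1 file and run it from an elevated prompt; pasted directly into an interactive console, the final exit statement closes the session.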

Now, the nice part is TLS can negotiate. So when someone tries to connect to your web server, the browser and server will start a negotiation to see what the browser can handle. It starts at TLS 1.2 and works its way down the list. Simple as that.

*Note: As mentioned, I have all of TLS enabled because some web applications can't support TLS 1.1 or 1.2. You need to be careful here though. I've run into issues, for example with Oracle WebLogic version 10.3.5, where it doesn't even negotiate TLS 1.2 or 1.1 because it was released before these protocols existed. WebLogic actually won't return anything to the browser (or your reverse proxy) because it can't even negotiate. You're left with a blank page and users calling you!

In this case, you MUST disable TLS 1.2 and 1.1 in order for TLS 1.0 to work.

Fun ain't it.

Now, how well is your web server configured?
You can use to test your server! Just enter your domain name and it does the rest. *I always check off the box that says not to publish the results ;)