Tag Archives: SSL 2.0

Disable SSL Protocols and weak Ciphers IIS SSLv2

This week at our office we are undergoing a security audit. It's always a good idea to let your system be checked out by external guys who have some tricks up their sleeve. So two security cowboys armed with Linux laptops found a minor issue on my portal. Actually I'm really happy because I learned a new trick.

It turns out that SSLv2 is really old and easy to decipher. Only clients on a really old machine can no longer connect over SSL once it is disabled; XP with a recent browser will still work. Anyway, they asked me to disable SSLv2 and then let their perl script do its magic. I passed 😉

Here's what I had to do to turn it off, and here's a link to a GUI tool for the people without uber cool perl scripts:

http://foundeo.com/products/iis-weak-ssl-ciphers/

Run the test now, so you have a before measurement to compare with afterwards.

  • Turn your WFEs off and make a VMware snapshot, if you use VMs that is. Better safe than sorry.
  • Open regedit and create a DWORD value with the name "Enabled" and the value "0" (zero) under each of the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
    • and one more, for the protocol itself: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
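As an added example (not the post's own script, and not something the audit tool provides), here is a PowerShell version of the registry steps above: it writes the "Enabled" = 0 DWORD under each listed SCHANNEL key and reads it back. It assumes PowerShell is installed on the Windows 2003 host and that the script runs elevated.

```powershell
# Added example: disable SSL 2.0 and the weak SCHANNEL ciphers from the post
# by creating the "Enabled" DWORD = 0 value under each key. Run elevated.
# SCHANNEL reads these settings at boot, so reboot afterwards; snapshot first.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys relative to $base, exactly as listed in the post.
$subKeys = @(
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Protocols\SSL 2.0\Server'
)

function Disable-SchannelKey {
    param([string]$Relative)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    # Names such as "RC4 40/128" contain a forward slash, which the PowerShell
    # registry provider (New-Item) treats as a path separator. The .NET Registry
    # API only splits on backslash, so the key name survives intact here.
    # CreateSubKey opens the key when it exists and creates it otherwise.
    $key = $hklm.CreateSubKey("$base\$Relative")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Test-SchannelDisabled {
    param([string]$Relative)
    # A missing key or a missing "Enabled" value means the default (enabled).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$Relative")
    if ($key -eq $null) { return $false }
    $value = $key.GetValue('Enabled')
    $key.Close()
    return ($value -eq 0)
}

foreach ($k in $subKeys) {
    Disable-SchannelKey $k
    $state = if (Test-SchannelDisabled $k) { 'disabled' } else { 'NOT disabled' }
    '{0,-26} {1}' -f $k, $state
}
```

Running the Test-SchannelDisabled check on its own, before and after the change, gives you the same before/after picture as the web tool but from the server side.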

Now run the test again and both your checkmarks are green.
If you handle any banking information you should also do something about the SSL 3.0 finding (rated medium) to pass an audit. This post only covers SSL 2.0.

By the way, I did this on a Windows 2003 server with IIS 6.0. I don't know the exact keys for 2008 R2 yet, but maybe they are the same.
