We received an audit from our local cyber security team in which one of our servers displays "Insufficient Transport Layer Protection".
According to their description:
"
DESCRIPTION:
The server supports the following weak ciphers:
TLS_RSA_WITH_3DES_EDE_CBC_SHA [0x0a] RSA 3DES 168
These ciphers are known to have cryptographic weaknesses that make them unsuitable for use in SSL/TLS.
"
The solution they've provided are as follows:
"
SOLUTION: We recommend disabling support for the export and null cipher suites, as well as cipher suites using RC4/3DES. Instead, we suggest AES128-SHA for TLS 1.0 and 1.1, and AES128-GCM-SHA256 for TLS 1.2.
"
In an attempt to rectify this, this is what I have done so far:
- Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings
- Clicked on SSL Cipher Suite Order
- Clicked on radio button "Enabled"
Replaced the string of supported cipher suites with this one:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5
Rebooted server and ran retest using nmap utility application.
We ran a retest on our server, and it appears the vulnerability is still outgoing:
Our box is a Windows 2008 R2 server.
Is there another method on how to solve this issue?
Answer
the new cipher suite string you installed still has 3DES ciphers in it. Get rid of anything in the list with the word DES.
No comments:
Post a Comment