Sup? Welcome to the ups and downs of a young Systems Architect.
As mentioned in a previous article, I’ve recently been trying to lock down our IIS servers a little bit more, mainly for PCI compliance.
On these ventures something was noticed: the RC4 ciphers we had enabled were not actually working!
We ummed and ahhed to no result. After checking over Microsoft documentation, the problem became a little clearer.
It seems on Server 2008R2/IIS 7.5, simply setting the registry values for the ciphers to 1 wasn’t enough. They HAVE to be set to 0xffffffff or 4294967295 ;P
Something which was also noted was that TLS 1.1 and 1.2 hadn’t been activated; these also needed an extra registry key (Yep…)
So without much more gibberish, here are the updated PowerShell functions/scripts to help you make your IIS 7.5 servers PCI compliant.
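As an added example (not the author's script), here is a small PowerShell helper that writes the SCHANNEL registry values the post describes, with `Enabled` for ciphers set to 0xffffffff rather than 1, the `Server` subkeys for TLS 1.1/1.2 created, and every value read back so a cipher that still holds 1 is caught. It assumes it runs elevated on the server, and the `Set-SchannelDword`/`Get-SchannelDword` names and the AES cipher names used in the calls are my choices; swap in whichever cipher key names your list needs.

```powershell
# Added example, not the post's own script. Run elevated on the IIS server.
$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    # Cipher key names such as 'AES 128/128' contain a slash, which the HKLM:
    # provider treats as a path separator, so the .NET registry API is used.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Base\$SubKey")
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$Base\$SubKey")
    if ($null -eq $key) { return $null }
    try {
        $raw = $key.GetValue($Name)
        if ($null -eq $raw) { return $null }
        # DWORDs come back as signed Int32; show them unsigned (0xffffffff -> 4294967295)
        [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
    } finally { $key.Close() }
}

$ciphers   = 'AES 128/128', 'AES 256/256'   # example names; use the ones on your list
$protocols = 'TLS 1.1', 'TLS 1.2'

# Ciphers: Enabled must be 0xffffffff, which is -1 as a signed 32-bit DWORD.
foreach ($c in $ciphers) {
    Set-SchannelDword -SubKey "Ciphers\$c" -Name 'Enabled' -Value ([int]-1)
}

# Protocols: the extra key is DisabledByDefault=0 under the Server subkey, next to Enabled=1.
foreach ($p in $protocols) {
    Set-SchannelDword -SubKey "Protocols\$p\Server" -Name 'Enabled' -Value 1
    Set-SchannelDword -SubKey "Protocols\$p\Server" -Name 'DisabledByDefault' -Value 0
}

# Read everything back: a cipher showing 1 instead of 4294967295 is exactly the bug described above.
foreach ($c in $ciphers) {
    $v = Get-SchannelDword -SubKey "Ciphers\$c" -Name 'Enabled'
    $state = if ($v -eq [uint32]::MaxValue) { 'OK' } else { "WRONG ($v)" }
    "Cipher '$c' Enabled = $state"
}
foreach ($p in $protocols) {
    $e = Get-SchannelDword -SubKey "Protocols\$p\Server" -Name 'Enabled'
    $d = Get-SchannelDword -SubKey "Protocols\$p\Server" -Name 'DisabledByDefault'
    "$p server: Enabled=$e DisabledByDefault=$d"
}
```

SCHANNEL only picks the new values up after a reboot, so run the read-back section again afterwards before re-testing with your scanner.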
Now, that’s the ciphers and security protocols set up.
The last step to make your servers BEAST immune is to change the SSL cipher priority.
This is done by creating a GPO!
- At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
- Expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.
- Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
- In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
- Follow the instructions labeled How to modify this setting.
It is necessary to restart the computer after modifying this setting for the changes to take effect.
The list of cipher suites is limited to 1023 characters.
See http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx for more in-depth instructions.
The one thing to note here is that the RC4 ciphers NEED to be at the top of this list, as they are immune to the BEAST attack.
A great write-up of this by Steve Dispensa can be found over here: http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php
He even includes an example string for the cipher priorities!
But that’s that... for now. If only we could move onto TLS 1.2!