Sup? Welcome to the ups and downs of a young Systems Architect.

 

PCI, IIS7.5, BEAST Vulnerability… Done’n’dusted!

As mentioned in a previous article, I’ve recently been trying to lock down our IIS servers a little bit more, mainly for PCI compliance.

On these ventures something was noticed, the enabled RC4 protocols were not actually working!

We ummed, we arred to no result. After checking over Microsoft documentation, the problem became a little clearer.

It seems on Server 2008R2/IIS 7.5, simply setting the registry values for the ciphers to 1 wasn’t enough. They HAVE to be set to 0xfffffff or 4294967295 ;P

Something which was also noted was that TLS 1.1 and 1.2 hadn’t been activated, these also needed an extra registry key (Yep…)

So without much more jibberish, here’s the update Powershell functions/scripts to help aid you with making your IIS7.5 servers PCI compliant.

Now, that’s the ciphers and security protocols set up.

The last step to make your servers BEAST immune is to change the SSL cipher priority.

This is done by creating a GPO!

  1. At a command prompt, enter gpedit.msc. The Group Policy Object Editor appears.
  2. Expand Computer ConfigurationAdministrative TemplatesNetwork, and then click SSL Configuration Settings.
  3. Under SSL Configuration Settings, click the SSL Cipher Suite Order setting.
  4. In the SSL Cipher Suite Order pane, scroll to the bottom of the pane.
  5. Follow the instructions labeled How to modify this setting.

It is necessary to restart the computer after modifying this setting for the changes to take effect.

The list of cipher suites is limited to 1023 characters.

See http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx for more indepth instructions.

The one thing to note for this, is that the RC4 ciphers NEED to be at the top of this list as they are immune to the BEAST attack.

A great write up of this by Steve Dispensa can be found over here http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php

He even includes an example string for the cipher priorities!

But that’s that.. for now. If only we could move onto TLS1.2!

Disabling SSL2.0 & Others for IIS7.5 for PCI! /w Powershell

=========================================================

Just to note, this has since been revised. You can see the changes @ http://justfen.com/post/22121613280/pci-iis7-5-beast-vulnerability-donendusted

=========================================================

So, recently been touching up some of our setups for PCI compliance, one of the things we failed on was the fact SSL2.0 and other Protocols were enabled on our IIS7.5 sites.

This had to be implemented into our Web Server deployment scripts and was done with the following;

function Set-IISSecProtocols {

$protopath = “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols”

& reg.exe add “$protopath\PCT 1.0\Server” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$protopath\SSL 2.0\Server” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$protopath\SSL 3.0\Server” /v Enabled /t REG_DWORD /d 00000001 /f

& reg.exe add “$protopath\TLS 1.0\Server” /v Enabled /t REG_DWORD /d 00000001 /f

& reg.exe add “$protopath\TLS 1.1\Server” /v Enabled /t REG_DWORD /d 00000001 /f

& reg.exe add “$protopath\TLS 1.2\Server” /v Enabled /t REG_DWORD /d 00000001 /f

}

And for the Ciphers;

function Set-IISCiphers {

$cipherpath = “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers”

& reg.exe add “$cipherpath\NULL” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$cipherpath\DES 56/56” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$cipherpath\RC2 40/128” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$cipherpath\RC2 56/128” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$cipherpath\RC2 128/128” /v Enabled /t REG_DWORD /d 00000000 /f 

& reg.exe add “$cipherpath\RC4 40/128” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$cipherpath\RC4 56/128” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$cipherpath\RC4 64/128” /v Enabled /t REG_DWORD /d 00000000 /f

& reg.exe add “$cipherpath\RC4 128/128” /v Enabled /t REG_DWORD /d 00000001 /f

& reg.exe add “$cipherpath\Triple DES 168/168” /v Enabled /t REG_DWORD /d 00000001 /f

& reg.exe add “$cipherpath\AES 128/128” /v Enabled /t REG_DWORD /d 00000001 /f 

& reg.exe add “$cipherpath\AES 256/256” /v Enabled /t REG_DWORD /d 00000001 /f

}

To have these changes you must remember to restart the machine, yes REALLY. I actually fell for the trap, so thought I’d share!

And yes, it’s a little dirty but it works!