There’s a great tool from Qualys SSL Labs that will test your server’s configuration for the HTTPS protocol. Somewhat-unfortunately, servers default configuration tends to favor compatibility over security. If you want to get your grade up to an A- or better you will have to make some configuration changes. Here’s what I did while using Windows Server 2008 R2 and IIS.
By default, two now-considered bad things are enabled by default in Windows Server 200, 2008 R2, and the latest version of Windows Server (Windows Server Technical Preview 2), which is SSLv3 and the RC4 cipher.
How to disable SSLv3
Disabling SSLv3 is a simple registry change. As far as I’m aware, the only risk in disabling it is preventing Windows XP/IE6 users from accessing your server. If you still have to support these users, I’m sorry.
Digicert provides a dead-simple registry script to disable SSLv3. Here it is:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
Awesome. That will bring your grade up, but we’re not done. RC4 has been deprecated.
How to disable RC4 ciphers
This is another simple registry change.
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000
The above registry keys were recommended by these sources:
- http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
- https://support.microsoft.com/en-us/kb/245030
- http://windowsitpro.com/windows/disabling-rc4-cipher
To run all of these at once, I’ve provided a zipped .reg file that includes these changes.
Download DisableSSLv3AndRC4.reg.zip
Isn’t it sketchy to download .reg files and run them?
Yup, totally. Luckily .reg files are just text: go ahead and look at the file in a text editor or manually insert the keys above using the registry editor.
Performing the actions above will greatly increase your grade, but still won’t get you a perfect score. The last step is enabling forward secrecy. Hopefully I’ll cover that in a future post!