Thursday, May 24, 2012

TechNode - Secure your IIS 7.5

OK, everybody knows that some parts of every website (or almost every website) should be secured by SSL,
but some people are not aware of SSL internals as such. I'll try to give some quick tips on how to harden your SSL configuration.

First of all, check your SSL-secured website using this online tool. A default IIS installation with a regular SSL certificate (I use StartSSL) should score around 83-85. Now we can try to add a few tweaks.

1. Enable TLS 1.1 and/or TLS 1.2 on your Windows 7 / Windows Server 2008 R2 by applying this patch - link.

2. Open a command line, type gpedit.msc and go to Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings. Under SSL Configuration Settings, double-click the SSL Cipher Suite Order setting. The cipher suites TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5 must be put first in the line. You can use the following list (remember to remove all new lines and whitespace so that it becomes a single comma-separated line):

TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_RC4_128_MD5,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

Enable the policy setting and restart your Windows server. After the reboot, re-run the online validation.
The main goal is to get rid of issues related to the BEAST vulnerability (read more here).
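The gpedit.msc procedure in step 2 writes a single comma-separated string into the registry, and step 1 turns on protocol versions that SChannel also reads from the registry. The following PowerShell script is an added example, not code from the original post or from Nartac; it builds that string from a pasted list (stripping the newlines and whitespace the author warns about), checks it against the 1023-character limit documented for the SSL Cipher Suite Order policy, previews the write with -WhatIf, and audits which TLS versions SChannel has enabled. The registry paths are the documented locations for the policy value and the SChannel protocol settings; the sample list is a constructed subset of the post's list and has to be completed with the remaining entries.

```powershell
# Added example (not from the original post): build, validate and apply the
# SChannel cipher-suite order that step 2 sets through gpedit.msc, and audit
# which TLS protocol versions SChannel has enabled (step 1).
# Assumptions: elevated PowerShell session on the IIS host; the policy key and
# the 1023-character limit are those documented for the "SSL Cipher Suite
# Order" Group Policy setting.

# Where the "SSL Cipher Suite Order" policy stores its value (REG_SZ "Functions").
$CipherPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Per-protocol Enabled / DisabledByDefault switches that SChannel honours.
$SchannelProtocolKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function New-CipherSuiteOrderString {
    param([Parameter(Mandatory)][string[]]$Suites)

    # The policy wants one comma-separated line: strip whitespace and newlines,
    # drop empty entries and duplicates, and keep the caller's order.
    $clean = $Suites |
        ForEach-Object { ($_ -replace '\s', '') -split ',' } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique

    $line = $clean -join ','
    if ($line.Length -gt 1023) {
        throw "Cipher suite order is $($line.Length) characters; the policy value is limited to 1023."
    }
    return $line
}

function Set-CipherSuiteOrder {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Suites)

    $line = New-CipherSuiteOrderString -Suites $Suites
    if ($PSCmdlet.ShouldProcess($CipherPolicyKey, "Set Functions = $line")) {
        if (-not (Test-Path $CipherPolicyKey)) {
            New-Item -Path $CipherPolicyKey -Force | Out-Null
        }
        Set-ItemProperty -Path $CipherPolicyKey -Name 'Functions' -Value $line -Type String
        Write-Host 'Cipher suite order written; reboot for SChannel to pick it up.'
    }
}

function Get-SchannelProtocolState {
    # Report Enabled / DisabledByDefault for each protocol's Server subkey.
    # An absent key or value means the OS default applies (on Windows 7 /
    # Server 2008 R2 the defaults leave TLS 1.1 and 1.2 off).
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $SchannelProtocolKey "$proto\Server"
        $enabled = 'default'
        $disabledByDefault = 'default'
        if (Test-Path $key) {
            $v = Get-ItemProperty -Path $key
            if ($v.PSObject.Properties['Enabled'])           { $enabled = $v.Enabled }
            if ($v.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $v.DisabledByDefault }
        }
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
        }
    }
}

# Constructed sample: the first entries of the post's list, pasted as-is with
# line breaks and trailing commas. Append the remaining entries from the post.
$suitesFromPost = @'
TLS_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_RC4_128_MD5,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
'@ -split "`n"

New-CipherSuiteOrderString -Suites $suitesFromPost   # the single line the policy expects
Set-CipherSuiteOrder -Suites $suitesFromPost -WhatIf # preview the registry write only
Get-SchannelProtocolState | Format-Table -AutoSize
```

The function validates the list rather than prescribing one, so it works with whatever ordering current guidance recommends; the post's complete list joins to 1021 characters, just under the limit. The RC4-first ordering was the 2012 workaround for BEAST, and RC4 has since been prohibited for TLS (RFC 7465), so review the list against current guidance before applying it.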

3. Optionally, you can use Nartac's IIS Crypto tool (available for free).
It lets you configure IIS to be PCI and FIPS compliant.

After playing around you should be able to achieve around 93 points in the online scan and get rid of the BEAST vulnerability.

Enjoy :)

1 comment:

  1. Just to let you know, I've updated IIS Crypto to add a BEAST button to mitigate the attack.
