 

Identify and disable weak cipher suites Windows server 2008 / IIS 7

I'm asking a question on a subject that is pure Chinese to me... sorry in advance.

A security scan result prior to the deployment of a web application on Windows Server 2008 R2 has raised the message below:

Weak SSL Cipher Suites are Supported

Reconfigure the server to avoid the use of weak cipher suites. The configuration changes are server-specific.

SSLCipherSuite HIGH:MEDIUM:!MD5!EXP:!NULL:!LOW:!ADH

For Microsoft Windows Vista, Microsoft Windows 7, and Microsoft Windows Server 2008, remove the cipher suites that were identified as weak from the Supported Cipher Suite list by following these instructions:

http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

I've tried understanding the MSDN information but I'm totally lost in there.

First of all, I do not understand which cipher suite should be removed or disabled.

And then, how am I supposed to run the code given as an example to remove a cipher suite?

#include <stdio.h>
#include <windows.h>
#include <bcrypt.h>
#include <ncrypt.h>   /* NCRYPT_SCHANNEL_INTERFACE (bcrypt.h alone may not define it) */

#pragma comment(lib, "bcrypt.lib")   /* BCryptRemoveContextFunction lives in bcrypt.dll */

/* Build with the Windows SDK compiler, e.g.  cl remove_suite.c  (bcrypt.lib is pulled in by
   the pragma), then run the .exe from an elevated prompt: the call rewrites the machine-wide
   CNG configuration under HKLM and fails without administrator rights. */
int main(void)
{
    NTSTATUS Status = ERROR_SUCCESS;
    /* Name of the suite to drop; it must match the Schannel cipher suite list exactly. */
    LPCWSTR wszCipher = L"TLS_RSA_WITH_RC4_128_SHA";

    Status = BCryptRemoveContextFunction(
                CRYPT_LOCAL,                /* the local (non-Group-Policy) configuration table */
                L"SSL",                     /* the context Schannel reads its suite list from */
                NCRYPT_SCHANNEL_INTERFACE,  /* the Schannel cipher suite function table */
                wszCipher);

    if (!BCRYPT_SUCCESS(Status)) {
        printf("BCryptRemoveContextFunction failed: 0x%08lx\n", (unsigned long)Status);
        return 1;
    }
    printf("Removed %ls from the local SSL cipher suite list.\n", wszCipher);
    return 0;
}

Again, sorry for the total lack of knowledge here!

DonQi asked Jan 09 '14 14:01


1 Answer

The solution was given to me on Security.StackExchange :

Using IIS Crypto on the server allowed me to visualize the cipher suites and very easily remove the weak ones.

DonQi answered Oct 19 '22 22:10
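For readers who want to see what IIS Crypto is doing under the hood, or who cannot install a third-party tool on the server, the script below is an added example (it is not part of the original question or answer, nor IIS Crypto's own code). It reads the Schannel cipher suite order from the registry on Windows Server 2008 R2, classifies each suite against the scanner's OpenSSL-style filter (HIGH:MEDIUM:!MD5:!EXP:!NULL:!LOW:!ADH), writes back a hardened order, and switches off the weak primitives themselves. The registry paths are the documented Schannel and CNG locations; the regular expressions used to decide what "weak" means, the decision to also drop RC4 and the SSL 2.0-only suites, and the function names are this example's own choices. It is written for the PowerShell 2.0 that ships with 2008 R2 and must be run from an elevated prompt.

```powershell
# Added example, not from the original question or answer.
# Group Policy "SSL Cipher Suite Order" (REG_SZ, comma separated) takes precedence over the
# local CNG list (REG_MULTI_SZ) that BCryptRemoveContextFunction(CRYPT_LOCAL, "SSL",
# NCRYPT_SCHANNEL_INTERFACE, ...) edits; "00010002" is NCRYPT_SCHANNEL_INTERFACE in hex.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
# Per-algorithm kill switches (KB245030): ...\SCHANNEL\Ciphers\<name>\Enabled = 0
$SchannelKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelCipherSuiteOrder {
    $policy = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($policy) {
        return @($policy -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    $local = (Get-ItemProperty -Path $LocalKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($local) { return @($local) }
    throw 'No cipher suite list under the policy or local key; capture the current order with IIS Crypto first.'
}

function Test-WeakCipherSuite {
    param([Parameter(Mandatory = $true)][string]$Suite)
    # One pattern per element of the scanner's filter, plus two judgement calls (assumptions):
    #   !NULL -> _NULL_ (no encryption)      !EXP -> EXPORT (40/56-bit export keys)
    #   !MD5  -> MD5 (MD5 MAC)               !ADH -> DH_anon (unauthenticated Diffie-Hellman)
    #   !LOW  -> single DES and RC2
    #   RC4     -> the suite Microsoft's own sample removes; RC4 is prohibited by RFC 7465
    #   ^SSL_CK_ -> SSL 2.0-only suites
    # 3DES is MEDIUM in OpenSSL terms, so the scanner's filter keeps it and so does this check.
    $weakPatterns = '_NULL_', 'EXPORT', 'MD5', 'DH_anon', '_DES_CBC_', 'RC2', 'RC4', '^SSL_CK_'
    foreach ($pattern in $weakPatterns) {
        if ($Suite -match $pattern) { return $true }
    }
    return $false
}

function Set-SchannelCipherSuiteOrder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string[]]$Suites)
    # The policy value is a single REG_SZ string limited to 1023 characters.
    $value = $Suites -join ','
    if ($value.Length -gt 1023) {
        throw "Order is $($value.Length) characters; the Functions value is limited to 1023."
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Write Functions with $($Suites.Count) suites")) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
    }
}

function Disable-SchannelAlgorithm {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][ValidateSet('Ciphers', 'Hashes', 'KeyExchangeAlgorithms')][string]$Category,
        [Parameter(Mandatory = $true)][string[]]$Name
    )
    # Subkey names such as 'RC4 128/128' contain a slash, which the PowerShell registry
    # provider treats as a path separator, so the .NET registry API is used instead.
    $parent = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelKey\$Category")
    foreach ($n in $Name) {
        if ($PSCmdlet.ShouldProcess("HKLM\$SchannelKey\$Category\$n", 'Set Enabled = 0')) {
            $sub = $parent.CreateSubKey($n)
            $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $sub.Close()
        }
    }
    $parent.Close()
}

$current = Get-SchannelCipherSuiteOrder
$weak    = @($current | Where-Object { Test-WeakCipherSuite -Suite $_ })
$strong  = @($current | Where-Object { -not (Test-WeakCipherSuite -Suite $_) })

Write-Host "Removing $($weak.Count) weak suite(s):"
$weak | ForEach-Object { Write-Host "  $_" }
Write-Host "Keeping $($strong.Count) suite(s):"
$strong | ForEach-Object { Write-Host "  $_" }

# Drop -WhatIf once the printed lists look right, then reboot so Schannel reloads the settings.
Set-SchannelCipherSuiteOrder -Suites $strong -WhatIf
# Also switch off the weak primitives themselves, so a suite re-added by a later
# policy change still cannot negotiate them.
Disable-SchannelAlgorithm -Category Ciphers -Name 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128' -WhatIf
Disable-SchannelAlgorithm -Category Hashes -Name 'MD5' -WhatIf
```

Run it once with the -WhatIf switches in place to review the two lists, then without them. The policy-key order and the Ciphers/Hashes kill switches are the same values IIS Crypto edits; the C sample from MSDN removes a single suite from the local CNG list instead, and a Group Policy order, if one is set, overrides that list. Re-run the scanner after the reboot to confirm the finding is gone.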