31

As you can see on this post TeamMentor.net vulnerable to BEAST and SSL 2.0, now what? the app I'm currently development got flagged for SSL 2.0 and BEAST by SSL Labs.

I'm using IIS 7.0 with the latest patches, and can't seem to find the answers to these questions:

  • What is the risk impact of this vulnerability on a site like http://teammentor.net?
  • What are the exploit scenarios?
  • Is there any mitigation (or not) by the use of IIS 7.0?
  • How do I fix this in IIS 7.0?
  • Can anything been done at the Application Layer?

For reference here are a couple other security.stackexchange.com questions on this topic:

Dinis Cruz
  • 629
  • 1
  • 6
  • 15

5 Answers5

29

In IIS 7 (and 7.5), there are two things to do:

  1. Navigate to: Start > 'gpedit.msc' > Computer Configuration > Admin Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order (in right pane, double click to open). There, copy and paste the following (entries are separated by a single comma, make sure there's no line wrapping):

    TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

  2. Run the following PowerShell commands as administrator (copy-paste into Notepad, save as 'fix-beast-in-iis.ps1' and run with elevated privileges):

    #make TSL 1.2 protocol reg keys
    md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
    md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
    md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
    
    # Enable TLS 1.2 for client and server SCHANNEL communications
    new-itemproperty -path     "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
    
    # Make and Enable TLS 1.1 for client and server SCHANNEL communications
    md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"
    md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"
    md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" 
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "Enabled" -value 1 -PropertyType "DWord"
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "Enabled" -value 1 -PropertyType "DWord"
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
    
    # Disable SSL 2.0 (PCI Compliance)
    md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
    new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -name Enabled -value 0 -PropertyType "DWord"
    

Once you've run the script, you can run 'regedit' and make sure the keys in the script were actually created correctly. Then reboot for the change to take effect.

WARNING: Notice I didn't turn off SSL 3.0- the reason for this is due to the fact that, like it or not, there are still people out there using Windows XP with IE 6/7. Without SSL 3.0 enabled, there would be no protocol for those people to fall back on. While you may still not get a perfect on a Qualys SSL Labs scan, the majority of holes should be closed by following the previous steps. If you want absolute PCI compliance, you can copy the lines from the Disable SSL 2.0 section of the Powershell script, paste them at the end of the script and change them to the following:

# Disable SSL 3.0 (PCI Compliance)
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -name Enabled -value 0 -PropertyType "DWord"

Then, when you run the script, you disable SSL 2.0, SSL 3.0 and enable TLS 1.1 and 1.2.

Josh
  • 456
  • 4
  • 4
19

I just posted an update to IIS Crypto which is a free tool that sets the schannel registry keys and puts RC4 at the top of the SSL cipher suite order with a single click. This mitigates the BEAST attack on Windows Server 2008 and 2012.

Jeff
  • 349
  • 2
  • 2
2

As far as the actual risks, it seems hard to say. Whilst tools like SSL Labs reports this as high priority, I am not aware of any real attacks exploiting this in the wild, and from my (very limited) understanding of how the attack works, it's rather complicated to execute and there are plenty of pre-requisites to make it a real threat. You already linked to plenty of resources, so no point repeating what's already covered.

As for configuring IIS 7 to use RC4, perhaps this pdf can help?

Yoav Aner
  • 5,329
  • 3
  • 25
  • 37
1

disabling everything "RC4" with IIS Crypto allowed to pass PCI compliance test on Server 2008 / IIS 7.0

0

The following registry file will disable SSLv2 & SSLv3 on most windows implementations.

Create a .reg file with the following details and run.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

The easiest way for you to verify is using either SSL labs again or testing using OpenSSL. It is worth nothing that some versions of OpenSSL don't support SSL Version 2.

OpenSSL 0.9.8t does support it and is the version I use for testing.

openssl s_client -connect subdomain.domain.tld:443 -ssl2

This is my go to command to check for chain block ciphers using openssl. The idea is that it we should not get a connection with any of these.

openssl s_client -connect subdomain.domain.tld:443 -tls1 -cipher SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:PSK-AES256-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:RP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DH-RSA-DES-CBC-SHA:DH-DSS-DES-CBC-SHA:DES-CBC-SHA