How to Disable Weak Ciphers in Dell Security Management Server and Virtual Server (2024)

Symptoms

Affected Products:

  • Dell Security Management Server
  • Dell Data Protection | Enterprise Edition
  • Dell Security Management Server Virtual
  • Dell Data Protection | Virtual Edition

Cause

Not Applicable

Resolution

  • Dell Security Management Server
  • Dell Security Management Server Virtual

During the initial Enterprise Edition install, after we have input the SQL hostname and database name, the following errors appear:

Dell Security Management Server

    • Set
      eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save
  • Modify the Console Web Services settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Console Web Services\conf\eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.

    • Set
      eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save
  • Modify the Device Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Device Server\conf\spring-jetty.xml
  • Modify the Security Server settings to only allow modern cipher suites at this location: \Dell\Enterprise Edition\Security Server\conf\spring-jetty.xml
    • Update the list in both sections to exclude the vulnerable cipher suites. A list of suggested excluded cipher suites is below.
    • Save

  • If Windows settings were changed, reboot back-end DDP|E server. If Windows settings were not changed, stop all DDP|E Windows services, and then start the services again.

  • Check for any stopped services.

  • Test new endpoint activation.

  • Test a Remote Management Console thick client (if TLS 1.0 is enabled in Windows).

  • Test the Silverlight Console.

Windows Secure Cipher Suites suggested inclusion list

  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P521
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P384
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA384_P256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
  TLS_RSA_WITH_AES_256_GCM_SHA384
  TLS_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256

Jetty Weak Cipher Suites suggested Exclusion list

  <list>
    <value>SSL_RSA_WITH_RC4_128_MD5</value>
    <value>SSL_RSA_WITH_RC4_128_SHA</value>
    <value>TLS_ECDHE_RSA_WITH_RC4_128_SHA</value>
    <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA256</value>
    <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA256</value>
    <value>TLS_DHE_RSA_WITH_AES_256_CBC_SHA</value>
    <value>TLS_DHE_DSS_WITH_AES_256_CBC_SHA</value>
    <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA256</value>
    <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA256</value>
    <value>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</value>
    <value>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</value>
    <value>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
    <value>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</value>
    <value>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</value>
    <value>SSL_RSA_WITH_RC4_128_SHA</value>
    <value>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</value>
    <value>TLS_ECDH_RSA_WITH_RC4_128_SHA</value>
    <value>SSL_RSA_WITH_RC4_128_MD5</value>
    <value>TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
    <value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>
    <value>SSL_RSA_WITH_3DES_EDE_CBC_SHA</value>
    <value>TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA</value>
    <value>TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA</value>
  </list>

Dell Security Management Server Virtual

  • Modify the Compliance Reporter settings to only allow modern cipher suites at this location: /opt/dell/server/reporter/conf/eserver.properties

    • Set
      eserver.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save
  • Modify the Console Web Services settings to only allow modern cipher suites at this location: /opt/dell/server/console-web-services/conf/eserver.properties

    Note: Starting in 9.2 the console web service is no longer present.

    • Set
      eserver.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
  • Save

  • Modify the Device Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml
    • Update the list in this section to exclude the vulnerable cipher suites. A list of suggested excluded cipher suites is below.
    • Save
  • Modify the Security Server settings to only allow modern cipher suites at this location: /opt/dell/server/security-server/conf/spring-jetty.xml
    • Update the list in both sections to exclude the vulnerable cipher suites. A list of suggested excluded cipher suites is below.
    • Save
  • Reboot the DDP | VE server.
  • Check for any stopped services.
  • Test new endpoint activation.
  • Test a Remote Management Console thick client (if TLS 1.0 is enabled in Windows).

Jetty Weak Cipher Suites suggested Exclusion list: identical to the Jetty exclusion list given under Dell Security Management Server above.
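Both procedures above come down to two kinds of file: an eserver.properties allow-list (the eserver.ciphers key) and a spring-jetty.xml exclusion list in the <list><value>…</value></list> shape, plus the Windows SCHANNEL inclusion list whose names carry a _P256/_P384/_P521 curve suffix. Before restarting the services it is worth checking, offline, that no RC4, 3DES, DES, MD5, NULL, EXPORT or anonymous suite survives in an allow-list and that the Windows inclusion list and the Jetty exclusion list do not contradict each other. The following Python audit is an added example for that check; it is not part of the Dell article and not Dell's code. It assumes only the key name and the XML shape shown above; the sample properties file, XML fragment and Windows list are constructed, and it matches exclusion entries by exact name (Jetty also accepts regular-expression entries, which this script does not expand).

```python
"""Offline audit of the cipher-suite files edited in the Dell procedure.

Added example (not Dell's code). Parses an eserver.properties allow-list and a
spring-jetty.xml exclusion list, normalizes Windows SCHANNEL suite names, and
reports weak suites that are still permitted. All inputs below are constructed.
"""
import re

# Constructed sample of an eserver.properties file (not a real Dell file).
SAMPLE_PROPERTIES = """\
# listener settings (constructed sample)
eserver.port=8443
eserver.ciphers=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA
"""

# Constructed spring-jetty.xml fragment in the article's <list><value> shape,
# with one entry deliberately duplicated as the article's own list is.
SAMPLE_JETTY_XML = (
    "<list><value>SSL_RSA_WITH_RC4_128_MD5</value>"
    "<value>TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA</value>"
    "<value>SSL_RSA_WITH_RC4_128_MD5</value></list>"
)

# Constructed Windows SCHANNEL inclusion list (curve-suffixed names).
SAMPLE_WINDOWS_INCLUSION = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA_P256",
]

# Name fragments that mark a suite as weak: RC4 and 3DES (the families the
# article excludes) plus single DES, NULL, EXPORT, MD5 and anonymous suites.
WEAK_RE = re.compile(r"RC4|3DES|_DES_|NULL|EXPORT|_MD5|anon")
CURVE_SUFFIX_RE = re.compile(r"_P(256|384|521)$")


def normalize(name):
    """Strip the _P256/_P384/_P521 suffix Windows SCHANNEL appends so the
    Windows inclusion list compares with Java/Jetty suite names."""
    return CURVE_SUFFIX_RE.sub("", name.strip())


def parse_properties_ciphers(text, key="eserver.ciphers"):
    """Return the comma-separated suites of a Java .properties allow-list."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank or comment line
        k, sep, value = line.partition("=")
        if sep and k.strip() == key:
            return [c.strip() for c in value.split(",") if c.strip()]
    return []


def parse_jetty_exclusions(text):
    """Return the <value> entries of a Jetty exclusion <list>, deduplicated
    in order. Exact names only; Jetty regex entries are not expanded."""
    seen = []
    for value in re.findall(r"<value>\s*([^<]+?)\s*</value>", text):
        if value not in seen:
            seen.append(value)
    return seen


def is_weak(name):
    return WEAK_RE.search(normalize(name)) is not None


def weak_in_allow_list(allowed):
    """Suites that an allow-list (properties key or Windows list) still permits
    but that belong to a weak family."""
    return [c for c in allowed if is_weak(c)]


def conflicts(include_list, exclude_list):
    """Suites present in an inclusion list and in an exclusion list after
    normalizing names: the two configurations disagree about them."""
    blocked = {normalize(e) for e in exclude_list}
    return [c for c in include_list if normalize(c) in blocked]


def audit(properties_text, jetty_xml_text, windows_inclusion):
    allowed = parse_properties_ciphers(properties_text)
    excluded = parse_jetty_exclusions(jetty_xml_text)
    return {
        "properties_allow_list": allowed,
        "jetty_exclusions": excluded,
        "weak_in_properties": weak_in_allow_list(allowed),
        "weak_in_windows_list": weak_in_allow_list(windows_inclusion),
        "windows_vs_jetty_conflicts": conflicts(windows_inclusion, excluded),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PROPERTIES, SAMPLE_JETTY_XML,
                            SAMPLE_WINDOWS_INCLUSION).items():
        print(f"{key}: {value}")
```

Run it against the real files by reading them into the two text arguments; an empty weak_in_properties, weak_in_windows_list and windows_vs_jetty_conflicts is the state to reach before the service restart and the activation tests listed above. It checks configuration only; whether the running listener actually refuses the excluded suites still has to be confirmed against the restarted service.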

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.
