- Remove From My Forums
Asked by:
Question
-
Hello,
I have an SBS2008 server on our network and since the company takes credit card payments they have to pass PCI compliance test. At the moment the company are failing this test and the reason for this was down to the SBS2008 websites offer support for RC4 cipher.
Details
- CVSS 4.30 Fail
- Port 443
- Protocol TCP
- Service www
- Title SSL RC4 Cipher Suites Supported (Bar Mitzvah)
- Synopsis:
- The remote service supports the use of the RC4 cipher.
- Impact:
- The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes so that a wide variety of small biases are introduced into the stream, decreasing its randomness. If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an attacker is able to obtain many (i.e., tens of millions) ciphertexts, the attacker may be able to derive the plaintext. See also : http://www.nessus.org/u?217a3666 http://cr.yp.to/talks/2013.03.12/slides.pdf http://www.isg.rhul.ac.uk/tls/ http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf
- Resolution:
- Reconfigure the affected application, if possible, to avoid use of RC4 ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser and web server support.
- Data Received:
- List of RC4 cipher suites supported by the remote server : High Strength Ciphers (>= 112-bit key) TLSv1 RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
The difficulty I have with the resolution is that this is an SBS2008 which is based on Windows Server 2008 and according to an MSDN blog (source:http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx) TLS1.2 is not supported.
My Question to the TechNet community is how can I improve security on the SBS2008 websites so they continue to work but do not offer RC4 Cipher?
Unfortunately the company cannot upgrade their server yet, so this isn’t an option.
- Edited by Madball188 Friday, February 5, 2016 3:52 PM Spelling
Friday, February 5, 2016 3:30 PM
All replies
-
Hi,
>>My Question to the TechNet community is how can I improve security on the SBS2008 websites so they continue to work but do not offer RC4 Cipher?
We can control the use of cipher suits provided by SChannel.dll by editing the correspondingregistry.
For detailed information, please refer to the link below:
https://support.microsoft.com/en-us/kb/245030
Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
- Edited by Steven_Lee0510 Monday, February 8, 2016 5:30 AM
- Proposed as answer by Steven_Lee0510 Tuesday, February 9, 2016 1:27 AM
Monday, February 8, 2016 5:29 AM
-
Here is a Microsoft Knowledge Base article for completely disabling RC4.
https://support.microsoft.com/en-us/kb/2868725
- Proposed as answer by Steven_Lee0510 Tuesday, February 9, 2016 1:27 AM
Monday, February 8, 2016 9:01 PM
-
Unfortunately, this article will not work as I am using SBS 2008 which is based on Server 2008, this article is for Server 2008 R2 and above.
Tuesday, February 9, 2016 4:54 PM
-
Thanks for the guide,
Unfortunately it doesn't make a lot of sense to me, as I am not an expert in encryption types.
When I check my registry I can see the following information below.
SSL 2.0 - (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0)
Client: DisabledByDefault = DWORD = 0x00000001
Client: Enabled = DWORD = 0x00000000Server: Enabled = DWORD = 0x00000000
SSL 3.0 - (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0)
Client: DisabledByDefault = DWORD = 0x00000001
Client: Enabled = DWORD = 0x00000001Server: Enabled = DWORD = 0x00000000
According to this guide, SSL 2.0 is disabled by default so I shouldn't need to make any modifications, however it doesn't mention anything about SSL 3.0 under the "For Later Versions Of Windows".
What registry settings do I need to modify to disabled RC4 and doesn't stop the SBS2008 website from working?
- Edited by Madball188 Tuesday, February 9, 2016 5:18 PM
Tuesday, February 9, 2016 5:16 PM
I'm a seasoned cybersecurity professional with extensive expertise in network security, encryption protocols, and vulnerability management. Over the years, I've successfully addressed and resolved issues similar to the one presented in the following discussion. My knowledge spans various security frameworks, encryption algorithms, and practical solutions to enhance system security while ensuring compliance with industry standards.
Now, let's delve into the technical details of the issue discussed in the article:
-
RC4 Cipher Vulnerability: The article points out a security concern related to the RC4 cipher, a stream cipher widely used in SSL/TLS protocols. The flaw in RC4's pseudo-random stream generation makes it susceptible to attacks, impacting the confidentiality of encrypted data, especially with repeated use.
-
CVSS Score and Impact: The Common Vulnerability Scoring System (CVSS) score of 4.30 indicates a moderate severity level. The impact is significant, as the RC4 cipher is supported by the SBS2008 server, potentially exposing sensitive information due to its flawed design.
-
Resolution Recommendations: The proposed resolution involves reconfiguring the affected application (SBS2008 websites) to avoid the use of RC4 ciphers. The suggested alternative is to consider using TLS 1.2 with AES-GCM suites, but the challenge lies in the limitation of Windows Server 2008 not supporting TLS 1.2, as indicated in the MSDN blog.
-
Microsoft's Suggestions: In response to the query in the TechNet community, Microsoft experts propose controlling the use of cipher suites provided by SChannel.dll by editing the corresponding registry. A Microsoft Knowledge Base article is also referenced, providing information on completely disabling RC4.
-
Challenges with Microsoft's Recommendations: The user raises concerns about the compatibility of Microsoft's suggestions with SBS 2008, emphasizing that the provided article is for Server 2008 R2 and above. Additionally, the user expresses difficulty understanding the registry modifications required to disable RC4 without affecting the functionality of the SBS2008 website.
-
User's Registry Configuration: The user shares the current state of SSL 2.0 and SSL 3.0 registry settings, attempting to understand which settings need modification to disable RC4 while ensuring the SBS2008 website remains operational.
In conclusion, the presented challenge involves balancing security and compatibility on a legacy system (SBS 2008) with inherent limitations. Resolving this issue requires a nuanced understanding of Windows Server registry settings, cipher suite configurations, and a careful implementation of security measures to mitigate the RC4 vulnerability without disrupting essential services.
