I know, boring dry topic. But useful for those that need it.

Part of securing Windows, especially IIS 6, is locking down the cryptography to the secure protocols. Generally this is a pain. Read on for things to make it a little easier!

About IIS 6 Security

IIS 6.0 should be configured to use the strongest and most secure encryption methods available. This short guide will take you through the necessary steps for helping to pass stringent security scans for SSL enabled web servers.

Enabling SSL has both positive and negative issues. Confidentiality and positive site identification are very important gains, while slightly increased resource usage, more difficult troubleshooting, and the inability to host multiple web sites on a single IP address are concerns to be addressed. However any web server that would transmit personal information or sensitive data must be protected with strong encryption.

Both PCT 1.0 and SSLv2 protocols have serious vulnerabilities. Although the server will attempt to negotiate using the strongest protocols and encryption algorithms first and only drop to SSLv2 if necessary, the attacks on these protocols can be triggered as long as the protocol is enabled. Since all modern browsers have supported SSLv3 and TLSv1 for many years, there should be no requirement for SSLv2 in most circumstances.

FIPS 140-2 provides a standard method for ensuring that the encryption algorithms chosen meet the highest security standards. Using the strongest encryption methods that are certified by the US Government helps assure confidence in your systems.

Please note that the following changes affect more than just IIS 6.0. The following changes concern the core cryptographic modules in the operating system used by all services and applications, such as IPSec. All these changes may be applied at the same time for a single reboot of the system.

Enabling FIPS 140-2 Encryption Algorithms

About the FIPS 140-2 standard:

The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptography modules which include both hardware and software components. Federal agencies and departments can validate that the module in use is covered by an existing FIPS 140-1 and FIPS 140-2 certificates which specifies the exact module name, hardware, software, firmware, and/or applet version numbers. The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate “sensitive, but un-classified (SBU)” information.

Enabling FIPS encryption algorithms on Windows 2003 is accomplished these steps.

1. Run GPEDIT.MSC from the Start / Run menu.

2. Navigate to Local Computer Policy – Computer configuration – Windows Settings – Security Settings – Local Policy – Security Options.

3. Select the option: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Enable this option.

4. Reboot the computer.

Disabling SSLv2 and PCT 1.0

SSL is not an encryption algorithm but is a method of setting up a secure connection using other encryption methods. Since the SSL options chosen apply to the OS and not specifically IIS, these choices also apply to other SSL enabled services such as POP3 and SMTP.

The SSLv2 and PCT 1.0 encryption protocol security flaws are best rectified by disabling SSLv2 and only using SSLv3 and TLSv1 protocols. All modern browsers support SSLv3 and TLSv1.

1. From the Start menu, click Run.
2. In the Open box, type Regedit.exe, and click OK.
3. Navigate to and double-click the following key in the registry:
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server
4. From the Edit menu, point to Add, click DWORD Value and then add the following registry value: Enabled
5. Data: Set this to 0×00000000.
6. Repeat for the following registry key:
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\SSL 2.0\Server
7. Quit Registry Editor.
8. Reboot the computer.

Enabling Kernel Mode SSL

Enabling kernel-mode Secure Sockets Layer (SSL) improves SSL performance because encryption and decryption operations take place in the faster processing space of the kernel. However, enabling kernel-mode SSL disables user-mode SSL. For more information, see Kernel-Mode SSL.

To configure SSL to run in kernel mode:

1. From the Start menu, click Run.
2. In the Open box, type Regedit.exe, and click OK.
3. Navigate to and double-click the following key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
4. From the Edit menu, point to Add, click DWORD Value and then add the following registry value: EnableKernelSSL
5. Data: Set this to 0×00000001 to use kernel-mode SSL instead of user-mode SSL.
6. Quit Registry Editor.
7. Restart IIS.

The following restrictions apply to running SSL in kernel mode:

• Client certificates are not supported.
• RC2 ciphers are not supported.
• The Private Communications Technology (PCT) 1.0 protocol is not supported.
• Configuration changes to server certificates require a restart of the HTTP service.
• ISAPI GetServerVariable calls for certificate information do not work.
• Bulk encryption offload is not supported.
• ISAPI filters do not get READ RAW notifications regardless of the security of the connection. This restriction affects only IIS 5.0 compatibility mode, because IIS 6.0 worker process isolation mode does not support READ RAW DATA filters regardless of the setting for kernel-mode SSL.

Wrapping It Up

To deploy changes such as these in a domain environment can be challenging. The best method is group policy. But most of these changes do not exist in group policy.

Included is an ADM template file to enable these changes as well as removing particularly weak ciphers. Enabling FIPS 140-2 already exists in a GPO as shown above. The remaining changes can be deployed using this Group Policy template.

1. Download the file and rename it to security.adm.
2. Open Active Directory Users and Computers and navigate to the proper OU that you wish to apply it to.
3. Create a new or edit the existing GPO.
4. Select Computer Configuration / Administrative Templates.
5. Right click, select Add Remove Templates. Navigate to and add the downloaded ADM template.
6. Select IIS Security and Performance. No settings will appear at this point.
7. Right click and select View / Filtering.
8. Deselect “Only show policy settings that can be fully managed” and hit OK.
9. The new settings will now be visible for you to configure.
10. Typically disable all protocols and ciphers listed, and enable the SSL acceleration.

(No Ratings Yet)

 Loading ...

View Technorati blog reactions.

Related Posts