Windows Server 2012 R2 IIS Weak Ciphers Reported After Lockdown
Well, DES-CBC3-SHA is ambiguous because it doesn't list the key exchange algorithm (pretty sure RSA is implied there), but that's probably what Retina's complaining about. Even though it says DES (which is certainly NOT FIPS compliant), I'm relatively certain that it's actually referring to 3DES (triple DES) because of the 168-bit key, which is 56x3. It's just a bad label all the way around.
If Retina were a better tool, it would tell you exactly what it was complaining about.
The problem with using tools like IISCrypto is that you don't know what it's really doing behind the scenes.
Also, are you sure that you're using a version of SSLScan that has been updated for TLS 1.1 and 1.2? There are versions floating around out there that stop at TLS 1.0. In that case, you might want to check with a more up to date tool like SharpTLSScan: https://www.myotherpcisacloud.com/post/sharptlsscan-v12
You should have at least some TLS 1.1 and 1.2 ciphers enabled on Server 2012 R2 by default, which is what makes me wonder whether your version of SSLScan is out of date and doesn't scan for the newer protocol versions.
In any event, you really want to enable TLS 1.1 and 1.2. TLS 1.0 is approaching the end of its useful life very quickly.
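The answer's complaint about IISCrypto is that it hides what it writes. The PowerShell below is an added example, not code from the thread or from IISCrypto: it reads the SCHANNEL registry values that such tools set (protocol and cipher keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL), prints them, and offers a guarded setter for making TLS 1.1/1.2 explicit and turning off Triple DES 168. The function names and the "OS default" wording for absent keys are this example's own; the key and value names are the standard SCHANNEL ones.

```powershell
# Added example (not from the original thread): expose the SCHANNEL registry values that
# IISCrypto-style tools write, so the lockdown can be read and changed by hand.
# Assumptions: stock SCHANNEL key names on Server 2012 R2; a missing key or value means
# "OS default", which on this OS is enabled for TLS 1.0/1.1/1.2 and for Triple DES 168.
# Run elevated; SCHANNEL reads these values at boot, so reboot after changing them.

$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {
    param([string]$KeyPath, [string]$Name)
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (OS default)' }
    # Enabled: 0 = off, 1 or 0xffffffff = on. DisabledByDefault: 1 = not offered unless an app asks.
    return ('0x{0:x8}' -f $item.$Name)
}

function Get-SchannelProtocolReport {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $Schannel "Protocols\$proto\$side"
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = Get-SchannelValue $key 'Enabled'
                DisabledByDefault = Get-SchannelValue $key 'DisabledByDefault'
            }
        }
    }
}

function Get-SchannelCipherReport {
    # SCHANNEL's own names for what sslscan printed as DES-CBC3-*, DES-CBC-*, RC4-*, NULL-*, AES*
    foreach ($cipher in 'Triple DES 168', 'DES 56/56', 'RC4 128/128', 'RC4 40/128', 'NULL', 'AES 128/128', 'AES 256/256') {
        $key = Join-Path $Schannel "Ciphers\$cipher"
        [pscustomobject]@{ Cipher = $cipher; Enabled = Get-SchannelValue $key 'Enabled' }
    }
}

function Set-SchannelEnabled {
    # Writes Enabled (and, for protocol keys, DisabledByDefault) explicitly instead of leaving the OS default.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$RelativeKey,
        [Parameter(Mandatory = $true)][bool]$Enabled,
        [switch]$ProtocolKey
    )
    $key = Join-Path $Schannel $RelativeKey
    $enabledValue = if ($Enabled) { -1 } else { 0 }   # -1 is stored as DWORD 0xffffffff
    if ($PSCmdlet.ShouldProcess($key, "set Enabled=$enabledValue")) {
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $enabledValue -Force | Out-Null
        if ($ProtocolKey) {
            $dbd = if ($Enabled) { 0 } else { 1 }
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value $dbd -Force | Out-Null
        }
    }
}

# Show the current state before touching anything.
Get-SchannelProtocolReport | Format-Table -AutoSize
Get-SchannelCipherReport   | Format-Table -AutoSize

# Make TLS 1.1/1.2 explicit on the server side and turn off 3DES (the change that cleared
# the Retina finding in this thread). -WhatIf only prints the writes; drop it to apply, then reboot.
Set-SchannelEnabled -RelativeKey 'Protocols\TLS 1.1\Server' -Enabled $true  -ProtocolKey -WhatIf
Set-SchannelEnabled -RelativeKey 'Protocols\TLS 1.2\Server' -Enabled $true  -ProtocolKey -WhatIf
Set-SchannelEnabled -RelativeKey 'Ciphers\Triple DES 168'   -Enabled $false -WhatIf
```

Run the two report functions before and after any tool-driven change and diff the output; that is the "behind the scenes" view the answer says IISCrypto does not give you. Disabling Triple DES 168 removes the suite the scanner flagged as DES-CBC3-SHA, and a client that offers no AES suites then has nothing left to negotiate, which is the XP/IE breakage reported at the end of the thread.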
cjm4189, updated on September 18, 2022
Comments
-
cjm4189 over 1 year
I am having issues getting a windows server 2012 R2 64-bit box locked down. I used a tool called IISCrypto to make the box FIPS 140 compliant.
I have manually checked the registry entries and all the weak ciphers look disabled (Enabled=0), but Retina Network Scanner Community still reports IIS as supporting weak ciphers. When I run SSLScan, I get the following:
Testing SSL server 127.0.0.1 on port 443
Supported Server Cipher(s):
Failed SSLv2 168 bits DES-CBC3-MD5
Failed SSLv2 56 bits DES-CBC-MD5
Failed SSLv2 128 bits IDEA-CBC-MD5
Failed SSLv2 40 bits EXP-RC2-CBC-MD5
Failed SSLv2 128 bits RC2-CBC-MD5
Failed SSLv2 40 bits EXP-RC4-MD5
Failed SSLv2 128 bits RC4-MD5
Failed SSLv3 256 bits ADH-AES256-SHA
Failed SSLv3 256 bits DHE-RSA-AES256-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-SHA
Failed SSLv3 256 bits AES256-SHA
Failed SSLv3 128 bits ADH-AES128-SHA
Failed SSLv3 128 bits DHE-RSA-AES128-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-SHA
Failed SSLv3 128 bits AES128-SHA
Failed SSLv3 168 bits ADH-DES-CBC3-SHA
Failed SSLv3 56 bits ADH-DES-CBC-SHA
Failed SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Failed SSLv3 128 bits ADH-RC4-MD5
Failed SSLv3 40 bits EXP-ADH-RC4-MD5
Failed SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Failed SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Failed SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Failed SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 56 bits DES-CBC-SHA
Failed SSLv3 40 bits EXP-DES-CBC-SHA
Failed SSLv3 128 bits IDEA-CBC-SHA
Failed SSLv3 40 bits EXP-RC2-CBC-MD5
Failed SSLv3 128 bits RC4-SHA
Failed SSLv3 128 bits RC4-MD5
Failed SSLv3 40 bits EXP-RC4-MD5
Failed SSLv3 0 bits NULL-SHA
Failed SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ADH-AES256-SHA
Failed TLSv1 256 bits DHE-RSA-AES256-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Failed TLSv1 128 bits ADH-AES128-SHA
Failed TLSv1 128 bits DHE-RSA-AES128-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Failed TLSv1 168 bits ADH-DES-CBC3-SHA
Failed TLSv1 56 bits ADH-DES-CBC-SHA
Failed TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Failed TLSv1 128 bits ADH-RC4-MD5
Failed TLSv1 40 bits EXP-ADH-RC4-MD5
Failed TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Failed TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Failed TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Failed TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 56 bits DES-CBC-SHA
Failed TLSv1 40 bits EXP-DES-CBC-SHA
Failed TLSv1 128 bits IDEA-CBC-SHA
Failed TLSv1 40 bits EXP-RC2-CBC-MD5
Failed TLSv1 128 bits RC4-SHA
Failed TLSv1 128 bits RC4-MD5
Failed TLSv1 40 bits EXP-RC4-MD5
Failed TLSv1 0 bits NULL-SHA
Failed TLSv1 0 bits NULL-MD5
Prefered Server Cipher(s): TLSv1 256 bits AES256-SHA
What am I missing? Thanks
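The report above is easier to judge with a small parser. The PowerShell below is an added example, not part of the thread or of sslscan: it pulls the Accepted lines out of an sslscan-style report, states why a FIPS-oriented scanner would object to each (the weak-suite patterns are this example's own choice, not Retina's rule set), and lists which protocol versions the scanner actually probed, which is how you spot a build that stops at TLS 1.0. The sample report is a trimmed copy of the output in the question; the function names are this example's.

```powershell
# Added example (not from the original thread): triage an sslscan-style report.
# Sample input below is a trimmed copy of the output posted in the question.
$SampleReport = @'
Failed SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 128 bits RC4-SHA
Failed TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 128 bits RC4-MD5
Failed TLSv1 0 bits NULL-SHA
Prefered Server Cipher(s): TLSv1 256 bits AES256-SHA
'@

# One line per suite: "<Accepted|Failed> <protocol> <bits> bits <OpenSSL suite name>"
$SuiteLine = '^(?<status>Accepted|Failed)\s+(?<proto>SSLv2|SSLv3|TLSv1(?:\.[12])?)\s+(?<bits>\d+)\s+bits\s+(?<suite>\S+)\s*$'

function ConvertFrom-SslScanReport {
    param([Parameter(Mandatory = $true)][string]$Report)
    foreach ($line in ($Report -split "`r?`n")) {
        if ($line -match $SuiteLine) {
            [pscustomobject]@{
                Status   = $Matches.status
                Protocol = $Matches.proto
                Bits     = [int]$Matches.bits
                Suite    = $Matches.suite
            }
        }
    }
}

function Get-WeakSuiteReasons {
    # OpenSSL naming: no key-exchange prefix means RSA key exchange; "DES-CBC3" is 3DES (3 x 56 = 168 bits).
    # These patterns are this example's own; a given scanner's policy may differ.
    param([Parameter(Mandatory = $true)]$Entry)
    $reasons = @()
    if ($Entry.Bits -eq 0 -or $Entry.Suite -match '(^|-)NULL-') { $reasons += 'no encryption' }
    if ($Entry.Suite -match '^EXP-')                             { $reasons += 'export-grade key' }
    elseif ($Entry.Bits -le 56)                                  { $reasons += 'single DES / 56-bit key' }
    if ($Entry.Suite -match '(^|-)ADH-')                         { $reasons += 'anonymous DH, no server authentication' }
    if ($Entry.Suite -match 'DES-CBC3')                          { $reasons += '3DES (168-bit nominal, 112-bit effective, 64-bit block)' }
    if ($Entry.Suite -match 'RC4')                               { $reasons += 'RC4' }
    if ($Entry.Suite -match '-MD5$')                             { $reasons += 'MD5 MAC' }
    if ($Entry.Protocol -in 'SSLv2', 'SSLv3')                    { $reasons += "legacy protocol $($Entry.Protocol)" }
    return $reasons
}

function Get-AcceptedWeakSuites {
    # Only Accepted lines matter: a Failed line is a suite the server refused.
    param([Parameter(Mandatory = $true)][string]$Report)
    ConvertFrom-SslScanReport -Report $Report |
        Where-Object { $_.Status -eq 'Accepted' } |
        ForEach-Object {
            $why = @(Get-WeakSuiteReasons $_)
            if ($why.Count -gt 0) {
                [pscustomobject]@{ Protocol = $_.Protocol; Bits = $_.Bits; Suite = $_.Suite; Why = ($why -join '; ') }
            }
        }
}

function Test-ScannerProtocolCoverage {
    # A scanner build that predates TLS 1.1/1.2 prints no TLSv1.1/TLSv1.2 lines at all,
    # so a clean result from it says nothing about those versions.
    param([Parameter(Mandatory = $true)][string]$Report)
    $seen    = @(ConvertFrom-SslScanReport -Report $Report | Select-Object -ExpandProperty Protocol -Unique)
    $missing = @('TLSv1.1', 'TLSv1.2' | Where-Object { $_ -notin $seen })
    [pscustomobject]@{
        ProtocolsProbed   = ($seen -join ', ')
        NotProbed         = ($missing -join ', ')
        ScannerMayBeStale = ($missing.Count -gt 0)
    }
}

Get-AcceptedWeakSuites -Report $SampleReport | Format-Table -AutoSize
Test-ScannerProtocolCoverage -Report $SampleReport | Format-List
```

On the sample, the only flagged line is Accepted TLSv1 168 bits DES-CBC3-SHA (3DES), which matches the answer's reading of the Retina finding, and the coverage check reports that TLSv1.1 and TLSv1.2 were never probed, so the report cannot show what the server offers on those versions. Feed it the full output of a current scanner and both checks should come back empty before calling the lockdown done.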
-
cjm4189 about 9 years
The SharpTLSScan came up clean. You were correct about SSLScan and the 3DES cipher. The Retina scan passed after I disabled everything with 3DES, but I can no longer connect with XP and IE :) Thanks