If you have services with your externally facing, and when you run a security assessment on them they are stuck on a "grade B" and show insecure on testing, then this guide will help you fix it.....
Due to the old ciphers and the RC4 support we are capped at B, also we allow TLS1.0 and TLS1.1 as you can see below
This is the protocols shown here, as you can see, you should not allow SSL2 and SSL3 and in this example we do allow TLS 1.0 and TLS 1.1 which is not good at all especially with RC4 enabled.
If we look at the TLS1.2 ciphers then you will notice they all get "weak" but its the insecure ones we want to fix, the ones at the bottom in red, that are using RC4 hashes, these are dangerous and should be disabled.
Before gleefully disabling protocols and ciphers, you need to know the OS version and what it can negotiate, for this example lets use Server 2016, ignore the ECDHE ones unless you are using this cryptography in your certificates, however in this example we are using RSA cryptography, so the ones in bold are the only ciphers we should allow.....TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384Therefore to be more secure this is the plan:
- Ensure servers are fully patched
- Disable TLS 1.0
- Disable TLS 1.1
- Require the DHE key to be 2048 bits
- Enable TLS 1.2 for .Net
- Disable Weaker cipher suites
Lets begin......but ensure you have assessed the impact before you complete these actions
I will cover two options here, the GUI version and the CLI version, you can choose which one you would like to follow:
GUI Updating
GUI Updating
⚠️ Warning : This application does NOT cover the enablement of TLS 1.2 for .NET this is required for certain services to work, you will still need to enable this manually.
If you wish to update with the GUI then you need to get some software called IISCrypto which you can do from this website here
Once you have this software, there is no installer, you just need to run the executable, unfortunatley they do not publish Hash values for the files to check validity of the file, cannot do a lot about that, moving on...
The colours for this software are as follows:
Grey - Not amended and default for the operating system
The colours for this software are as follows:
Grey - Not amended and default for the operating system
Black with a tick - You have enabled the feature outside the operating system defaults
Black with no tick - You have disabled the feature outside the operating system defaults
SCHANNEL
This controls the schannel protocol in Windows and will show you the current settings, so here you can see everything is enabled:
Lets update this to be far more secure as per the contents above, just untick the ones you do not need as below:
Cipher Suites
So lets get that updated, by removing all the ciphers we no longer require like this:
Advanced Settings
The last section is the DHE minimum key length which is not set, so we will need to set this to get this compliant:
After the update we require it looks like this:
Once you have completed these three sections click the apply button and reboot the server.
Template Apply
CLI Updating
This controls the schannel protocol in Windows and will show you the current settings, so here you can see everything is enabled:
Lets update this to be far more secure as per the contents above, just untick the ones you do not need as below:
Cipher Suites
Cipher suites is next, here you can see they are all enabled, including the awfula nd insecure ones:
So lets get that updated, by removing all the ciphers we no longer require like this:
Advanced Settings
The last section is the DHE minimum key length which is not set, so we will need to set this to get this compliant:
After the update we require it looks like this:
Once you have completed these three sections click the apply button and reboot the server.
Template Apply
⚠️ Warning : if you apply best practices, remember that still keep Support for TLS 1.0 and TLS 1.1 - you will need to manually deselect these under Server and Client protocols
You will also notice there is a template option as you can see here, as I have create a template for this, for this use the templates button on the right, then choose "Best Practices"
Once loaded you can check the other tabs to make sure all is well, then you can click the Apply button and reboot your server:
You will also notice there is a template option as you can see here, as I have create a template for this, for this use the templates button on the right, then choose "Best Practices"
Once loaded you can check the other tabs to make sure all is well, then you can click the Apply button and reboot your server:
CLI Updating
This will require a command prompt as an administrator, if you do not have an administrative command prompt you will get access denied, unless you have disable UAC which is not a good idea.
Enable TLS 1.2/Disable RC4 for .Net
For 32-bit applications on 32-bit systems
reg add "HKLM\SOFTWARE\Microsoft.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t Reg_dword /d 00000001
For 32-bit applications on x64-based systems:
reg add "HKLM\Software\Wow6432Node\Microsoft.NETFramework\v4.0.30319" /v "SchUseStrongCrypto” /t reg_dword /d 00000001
Increase the DHE key size to 2048
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v “ServerMinKeyBitLength” /t reg_dword /d 00000800
Disable old protocols
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client” /v Enabled /t REG_DWORD /d 00000000
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” /v Enabled /t REG_DWORD /d 00000000
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client” /v Enabled /t REG_DWORD /d 00000000
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server” /v Enabled /t REG_DWORD /d 00000000
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128” /v Enabled /t REG_DWORD /d 00000000
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128” /v Enabled /t REG_DWORD /d 00000000
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128” /f
reg add “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128” /v Enabled /t REG_DWORD /d 00000000
Disable TLS 1.0
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v “Enabled” /t REG_DWORD /d 00000000
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v “DisabledByDefault” /r REG_DWORD /d 00000001
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v “Enabled” /t REG_DWORD /d 00000000
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v “DisabledByDefault” /t REG_DWORD /d 00000001
Disable TLS1.1
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v “Enabled” /t REG_DWORD /d 00000000
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v “DisabledByDefault” /r REG_DWORD /d 00000001
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v “Enabled” /t REG_DWORD /d 00000000
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v “DisabledByDefault” /t REG_DWORD /d 00000001
Check the Cipher Suites
Note : Ensure you reboot the server before running these commands, the updates get applied on a reboot
Get-TlsCipherSuite | Format-Table Name
This will give you a list like this, which shows what windows can use as below
But if you see something like this:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
Then you have no done something correct, so to disable individual ciphers run this:
Disable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Disable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Then it should no longer be in the list, then when you run the test again you should see an A grade or above not a B grade, like this:
Fixing the broken ADFS trust
Fixing "The underlying connection was closed: An unexpected error occurred on a receive" on trust re-join
If when you re-create the trust you get this error:
Then when the trust fails you get this:
When the server is restarted and the services start you will now see this which is a sign all is working well:
The federation server proxy successfully retrieved its configuration from the Federation Service 'adfs.grizzlybear.me'.
Then you have no done something correct, so to disable individual ciphers run this:
Disable-TlsCipherSuite -Name "TLS_AES_256_GCM_SHA384"
Disable-TlsCipherSuite -Name "TLS_AES_128_GCM_SHA256"
Then it should no longer be in the list, then when you run the test again you should see an A grade or above not a B grade, like this:
ADFS Caution
If you are following this on ADFS, then when you disable TLS 1.0 with ADFS 3.0 this will breaks connection between the WAP servers and the ADFS servers, upon reboot you will notice this error in the relevant event log:
Exception details:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
Change this registry key as directed here:
HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus –> 1
HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus –> 1
This is usually a "2" if configured, and "1" tells the service it is not configured.
Then open Server Manager and launch “Remote Access Manager”, select “Web Application Proxy” and put in the required information to re-establish the trust, however, if when you try to reestablish the trust, you get an error as below in the next section, you need to fix that first before you can reestablish the trust.Fixing "The underlying connection was closed: An unexpected error occurred on a receive" on trust re-join
If when you re-create the trust you get this error:
The federation server proxy could not establish a trust with the Federation Service.
Additional Data
Exception details:
The underlying connection was closed: An unexpected error occurred on a receive.
Then when the trust fails you get this:
The federation server proxy could not renew its trust with the Federation Service.
Additional Data
Exception details:
The remote server returned an error: (400) Bad Request.
This means you did not enable TLS 1.2 which is supported on .NET 4.6 and above, so to fix that follow this:
To determine the version of .NET installed on your system:
To determine the version of .NET installed on your system:
- Open the registry using regedit.exe.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
Note: The last number might be slightly different. - Under that key, search for key SKUs and look under it for .NETFramework,Version=v4.6.
- If the key is not present, .NET 4.6 is not present on the system.
- If the key is not there, go an get the installer from here
Then you need to set TLS 1.2, edit the registry as follows:
- Open the registry using regedit.exe.
- Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
Note: The last number might be slightly different. - Add SchUseStrongCrypto registry DWORD under .NET 4.0 registry option, as shown below (in image)
- Restart the ADFS WAP server
When the server is restarted and the services start you will now see this which is a sign all is working well:
The federation server proxy successfully retrieved its configuration from the Federation Service 'adfs.grizzlybear.me'.