Friday, October 24, 2014

Improve security on a Windows Server

HOW TO - Enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012.

q: What is the easiest way to review the security of our server and disable older, less secure technologies?

a: Here are a few steps:

  1. We recommend SSL Labs to run an audit of your public facing server and see what vulnerabilities exist. https://www.ssllabs.com/ssltest (Note: You'll probably want to mark the checkbox to keep the results private.)
  2. Historically we purchased Foundeo to disable weak ciphers. https://foundeo.com/products/iis-weak-ssl-ciphers/ That product was fine for our 2003 servers 3 years ago but it seems dated for 2014 vulnerabilities.
  3. Now we recommend Nartac's IIS Crypto utility. https://www.nartac.com/Products/IISCrypto/Default.aspx This tool does a great job at showing you the various Protocols & Ciphers. It has quick click buttons to let you quickly secure your server to various levels.
  4. Our only warning is to be careful if you still have Windows XP machines in the mix. Their best security is still lower than the lowest security of a FIPS 2012 Windows Server. In English, a FIPS 140-2 secure server won't have any way to talk with a Windows XP machine using Internet Explorer, for example.
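IIS Crypto and Foundeo both work by writing the Schannel registry keys that Microsoft documents for protocols, ciphers, hashes and key exchange algorithms. The script below is an added example (not code from IIS Crypto, Foundeo or this page) that reads those keys so you can see what is explicitly configured before and after running a tool like IIS Crypto, and that disables or enables individual entries with a `-WhatIf` preview. It assumes an elevated PowerShell 3.0 or later session on Windows Server 2008/2012; the key names shown (`SSL 3.0`, `RC4 128/128`, `DES 56/56`, `NULL`) are the documented Schannel names, and `Get-SchannelState` / `Set-SchannelEnabled` are names chosen for this example.

```powershell
# Added example: audit and change Schannel settings through the registry.
# Assumes an elevated PowerShell 3.0+ session on Windows Server 2008/2012.
# Changes take effect only after a reboot.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-SchannelState {
    # Reports every protocol, cipher, hash and key-exchange key that is
    # explicitly configured. The .NET registry API is used instead of the
    # HKLM: drive because cipher key names such as 'RC4 128/128' contain a
    # slash that the PowerShell provider treats as a path separator.
    # An absent key means "operating system default", so an empty report
    # is not a clean bill of health (SSL 3.0 is on by default on 2008/2012).
    $root = $Hklm.OpenSubKey($SchannelPath)
    if (-not $root) { return }

    $protocols = $root.OpenSubKey('Protocols')
    if ($protocols) {
        foreach ($name in $protocols.GetSubKeyNames()) {
            foreach ($side in 'Server', 'Client') {
                $k = $protocols.OpenSubKey("$name\$side")
                if ($k) {
                    [pscustomobject]@{
                        Category          = 'Protocols'
                        Name              = "$name ($side)"
                        Enabled           = $k.GetValue('Enabled')
                        DisabledByDefault = $k.GetValue('DisabledByDefault')
                    }
                }
            }
        }
    }
    foreach ($cat in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms') {
        $sub = $root.OpenSubKey($cat)
        if (-not $sub) { continue }
        foreach ($name in $sub.GetSubKeyNames()) {
            $k = $sub.OpenSubKey($name)
            [pscustomobject]@{
                Category          = $cat
                Name              = $name
                Enabled           = $k.GetValue('Enabled')
                DisabledByDefault = $null
            }
        }
    }
    # FIPS 140-2 mode is a separate LSA policy; when it is on, Schannel
    # refuses every non-FIPS suite regardless of the keys above.
    $fips = $Hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy')
    $fipsEnabled = $null
    if ($fips) { $fipsEnabled = $fips.GetValue('Enabled') }
    [pscustomobject]@{
        Category          = 'Policy'
        Name              = 'FipsAlgorithmPolicy'
        Enabled           = $fipsEnabled
        DisabledByDefault = $null
    }
}

function Set-SchannelEnabled {
    # Writes Enabled (and, for protocols, DisabledByDefault) for each named
    # key under the given category. Run with -WhatIf to preview the writes.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Protocols', 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms')]
        [string]$Category,
        [Parameter(Mandatory)][string[]]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $dword = [Microsoft.Win32.RegistryValueKind]::DWord
    # -1 is stored as 0xFFFFFFFF, the documented "enabled" value; 0 disables.
    $value = 0
    if ($Enabled) { $value = -1 }
    foreach ($n in $Name) {
        # Protocols are split into Server and Client sub-keys; the other
        # categories use a single key per algorithm.
        $targets = @($n)
        if ($Category -eq 'Protocols') { $targets = "$n\Server", "$n\Client" }
        foreach ($t in $targets) {
            $path = "$SchannelPath\$Category\$t"
            if ($PSCmdlet.ShouldProcess("HKLM\$path", "Set Enabled=$value")) {
                $k = $Hklm.CreateSubKey($path)
                $k.SetValue('Enabled', $value, $dword)
                if ($Category -eq 'Protocols') {
                    $dbd = 1
                    if ($Enabled) { $dbd = 0 }
                    $k.SetValue('DisabledByDefault', $dbd, $dword)
                }
                $k.Close()
            }
        }
    }
}

# Usage: audit first, preview the change, then apply and reboot.
Get-SchannelState | Format-Table -AutoSize
Set-SchannelEnabled -Category Protocols -Name 'SSL 2.0', 'SSL 3.0' -Enabled $false -WhatIf
Set-SchannelEnabled -Category Ciphers -Name 'RC4 128/128', 'DES 56/56', 'NULL' -Enabled $false -WhatIf
```

Run `Get-SchannelState` before touching anything and keep the output; after the change and a reboot, rerun it and the SSL Labs test from step 1 to confirm the server now negotiates only what you intended. Because the script writes both the Server and Client sides of a protocol key, the same caveat as step 4 applies: disabling every protocol that Windows XP clients can use will cut them off, so check the audit output against the clients you still have to support before applying.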