IIS: Disabling SSLv2 and Weak Ciphers
The big items that show up most commonly for me on our quarterly PCI compliance scans of IIS sites are the ever-present HTTP TRACE/TRACK vulnerability and SSL-related items. Breaking the SSL ones down further, the most common findings are SSLv2 being enabled and null and weak encryption ciphers being allowed. This post provides the registry changes necessary to disable these items directly on your IIS servers. I do not know yet if they work on IIS7, but they work fine on IIS4 through IIS6. If you are also looking for information on dealing with TRACE and TRACK, this article might be useful.
A few quarters back, when we started taking this PCI stuff seriously, I was a bit surprised to see that the remediation links provided to us by our scanning vendor resulted in Not Found responses on Microsoft's KB. So, after some googling and before-and-after experimentation using Foundstone's SSLDigger, I've come up with the following .reg file that you can import into your registry, or you can just enter the values manually. TRY IT OUT ON SOME TEST MACHINES OR VIRTUAL MACHINES YOU DON'T CARE ABOUT A FEW TIMES FIRST before you tackle your production boxes. Also, don't forget the usual warnings about how modifying the registry can be hazardous, dangerous, heretical, etc., and don't forget to have backups of everything. I did, however, merge the following onto my test and production systems with favorable results.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

(The "Windows Registry Editor Version 5.00" header line is required for regedit to accept the file as a .reg import; it was not shown in the original listing.)

When merged into the Windows registry, this will disable PCT 1.0 and SSLv2. It will also disable NULL and weak ciphers. It is also much less expensive than buying the 128-bit-only and higher certificates from your certificate provider, which should make our friends in Accounting and Purchasing like us for a day or so.
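As an added check that is not part of the original post: a read-only PowerShell audit of exactly the keys the .reg file above sets, handy for comparing state before and after the merge. It assumes PowerShell is installed on the server (it was not present by default on the older systems this post covers), and it deliberately uses the .NET registry classes instead of the PowerShell registry provider, because the provider treats the "/" in names such as RC4 40/128 as a path separator and cannot open those keys.

```powershell
# Added example (not from the original post): audit the SCHANNEL keys the .reg
# file sets. Read-only; nothing is changed. Uses Microsoft.Win32.Registry because
# the PowerShell registry provider splits "RC4 40/128" at the "/".
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$targets = @(
    'Ciphers\DES 56/56', 'Ciphers\NULL',
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 64/128',
    'Protocols\PCT 1.0\Server', 'Protocols\SSL 2.0\Server'
)

function Get-SchannelState {
    param([string]$SubKey)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    # Second argument $false opens the key read-only.
    $key = $hklm.OpenSubKey("$base\$SubKey", $false)
    if ($null -eq $key) {
        # No key at all: Schannel applies its built-in default, which for these
        # legacy items on the Windows versions this post covers is "enabled".
        return 'KEY MISSING (default applies - treat as enabled)'
    }
    try {
        $value = $key.GetValue('Enabled', $null)
        if ($null -eq $value) { return 'VALUE MISSING (default applies)' }
        if ($value -eq 0)     { return 'disabled' }
        # Anything non-zero (commonly 0xffffffff) means the item is on.
        return ('enabled (Enabled=0x{0:x8})' -f $value)
    } finally {
        $key.Close()
    }
}

foreach ($t in $targets) {
    '{0,-28} {1}' -f $t, (Get-SchannelState $t)
}
```

Schannel only picks these values up when the system restarts, so reboot before re-running the audit or the scanner and expecting a changed result.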
Update: Nartac Software publishes a Windows tool named IIS Crypto that allows you to perform all of these changes and more without the need to import registry entries yourself. The tool is free as well, which is a big bonus.