I have been looking into securing our published websites for our newer builds quite recently, and found a neat site, Qualys SSL Labs, which provides an SSL testing service.
I used this site to test our published HTTPS sites and found that most of them are insecure, with some scoring very badly :(. You can test your website at https://www.ssllabs.com/ssltest/; it grades your site from A+ to F.
The newer versions of IIS (those shipped with Windows Server 2012 onwards) are generally okay, but the defaults still leave a lot to be desired. Running the test on my site reported that we were supporting weak cipher suites, which can compromise secure communications. With default settings our servers were scoring B-.
To remedy this, disable the RC4 cipher suites, which are the ones the test reports as weak, on your published server:
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
Two suites that also appear in the default list, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384, are not weak: they are ECDHE suites with AES-GCM, among the strongest Schannel offers, and are simply never selected while the server certificate is RSA rather than ECDSA. Leave them in the list.
To disable the weak ciphers, open the local Group Policy editor (or create a new domain Group Policy), browse to 'Computer Configuration\Administrative Templates\Network\SSL Configuration Settings' and enable 'SSL Cipher Suite Order'. Enabling the policy populates the string with the default set of cipher suites. Copy this out to Notepad, remove the weak cipher suites from the comma-delimited string and paste it back. The string is the complete list Schannel will offer, in order of preference: any suite you leave out is disabled, and the value is limited to 1,023 characters, so it is also the place to trim suites you do not need. Under the hood the policy writes the list to the Functions value under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002.
There are a few references online for a preferred order. I'm personally using the list at hass.de (reference at the bottom of the post) to configure the cipher suite order. The PowerShell script there contains the list of cipher suites; just copy it out and put it into the Group Policy.
Once you have enabled the policy and linked it to the published server, run gpupdate and reboot the server, since the new cipher suite order only takes effect after a reboot. Once rebooted, you should be able to test your server at the Qualys SSL Labs server test page and score an A- grade.
To get an A grade you will need to enable Perfect Forward Secrecy, which is where the great work done at hass.de comes into play. Forward secrecy comes from preferring the ECDHE key-exchange suites over plain RSA key exchange, so the order of the list matters, not only which suites are enabled. Download the script from hass.de (reference at the bottom of the post) and run it: it disables the weak cipher suites and puts the secure ones first. Coupled with the Group Policy, this should get your published server an A rating on the server test.
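The following PowerShell script is an added example, written for this page; it is neither the hass.de script nor code from the original post. It does in one run what the two steps above do by hand: it reads the cipher suite list Schannel currently has enabled, drops the RC4 and other known-weak suites, moves the ECDHE (forward-secrecy) suites to the front, writes the result where the 'SSL Cipher Suite Order' policy stores it, and disables the RC4 ciphers and SSL 2.0/3.0 in Schannel. It assumes Windows Server 2012 or 2012 R2 with an RSA certificate, an elevated PowerShell session, and that the registry paths below are the documented Schannel and policy locations; the regular expression describing "weak" suites is this example's own choice.

```powershell
# Added example: ECDHE-first cipher suite order plus RC4/SSL 3.0 disable for Schannel.
# Assumptions: Windows Server 2012/2012 R2, RSA certificate, elevated session,
# documented registry locations below. A reboot is still required afterwards.

$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$Schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$MaxLength = 1023   # documented limit of the policy's comma-separated Functions string

function New-CipherSuiteOrder {
    param([string[]]$Current)
    # Drop RC4 (broken stream cipher), MD5 MACs, NULL cipher/auth, single DES and export suites.
    # This pattern is the example's own definition of "weak"; 3DES is deliberately kept.
    $Weak = '_RC4_|_MD5$|_NULL_|_WITH_DES_|_EXPORT'
    $Kept = @($Current | Where-Object { $_ -notmatch $Weak })
    # Forward secrecy first: ECDHE suites (RSA- or ECDSA-signed) ahead of plain RSA
    # key exchange. The ECDHE_ECDSA suites are among the strongest available; they
    # are only unused because the server certificate is RSA, so they stay in the list.
    $Pfs   = @($Kept | Where-Object { $_ -like 'TLS_ECDHE_*' })
    $Other = @($Kept | Where-Object { $_ -notlike 'TLS_ECDHE_*' })
    return $Pfs + $Other
}

# The current order is a REG_MULTI_SZ; the policy value is one comma-separated REG_SZ.
$Current = (Get-ItemProperty -Path $LocalKey -Name Functions).Functions
$Ordered = New-CipherSuiteOrder -Current $Current
$Value   = $Ordered -join ','
if ($Value.Length -gt $MaxLength) {
    throw "Cipher suite string is $($Value.Length) characters; the policy limit is $MaxLength."
}
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name Functions -Value $Value -Type String

# Disable the RC4 ciphers and SSL 2.0/3.0 on the server side. The cipher key names
# contain '/', which the PowerShell registry provider treats as a path separator,
# so use the .NET registry API rather than New-Item.
$Root = [Microsoft.Win32.Registry]::LocalMachine
foreach ($Name in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $Key = $Root.CreateSubKey("$Schannel\Ciphers\$Name")
    $Key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close()
}
foreach ($Proto in 'SSL 2.0', 'SSL 3.0') {
    $Key = $Root.CreateSubKey("$Schannel\Protocols\$Proto\Server")
    $Key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close()
}

Write-Output "Wrote $($Ordered.Count) suites, ECDHE first. Reboot, then re-run the SSL Labs test."
```

Run it once, reboot, and re-test; the length check matters because a list that exceeds the policy limit is silently truncated rather than rejected. On Windows Server 2016 and later the same ordering can be done with the TLS module cmdlets (Get-TlsCipherSuite, Disable-TlsCipherSuite, Enable-TlsCipherSuite) instead of editing the registry directly.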
One of the warnings you may see is 'Downgrade attack prevention: No, TLS_FALLBACK_SCSV not supported'. This cannot currently be resolved on IIS: TLS is implemented by Schannel, not by IIS itself, and Schannel does not support TLS_FALLBACK_SCSV, so we will need to wait for Windows to add it. It only matters when a client that retries with an older protocol version can be forced down to one the server still accepts, so disabling SSL 3.0 limits the exposure in the meantime.
Hope this helps in securing your servers!
-HTTPS everywhere supporter.
Reference: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
Saturday, 17 October 2015
Saturday, 15 August 2015
Windows OS lost its product code/activation status
Ever had the problem where your Windows OS lost its activation status and product code? Well I have; it has happened a few times, but it was easily fixed by using slmgr with the -ipk switch to reinstall the KMS client key or MAK key... except for this one stubborn server...
One of our servers had lost its activation status and dropped its product code. We tried the usual slmgr -ipk to reinstall the product code, but that didn't work. We also tried slmgr -upk, slmgr -cpk and slmgr -ato with no success. There was a slmgr switch that looked very promising, slmgr -rilc, which should reinstall all the last known good keys. Rebooting the server and trying to activate afterwards still didn't work...
Out of some obscure corner of Google I managed to find something that actually worked.
DISM /Online /Cleanup-Image /RestoreHealth
This apparently fixed component store corruption (which was probably something to do with the Software Protection service). I then ran sfc /scannow for good measure (probably not needed). Bounced the server and all was good.
The product code was showing up again and we could then use slmgr /ipk to reinstall the KMS client key and get our server activated. Remember to keep your servers happy; when they aren't, all sorts of weird stuff goes down!
TLDR; Use 'DISM /Online /Cleanup-Image /RestoreHealth' to fix the component store corruption which broke the activation process.
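As an added example (not code from the original post), the script below automates the check that was done by hand above. It reads the Windows licence entry from WMI, runs the DISM repair only when no product key is installed at all, and otherwise reinstalls the KMS client key and activates, verifying the result afterwards. It assumes an elevated PowerShell session on Windows Server 2012 R2, that the ApplicationId GUID below identifies the Windows product in SoftwareLicensingProduct, and that -KmsClientKey is the generic KMS client setup key for the server's edition (Microsoft publishes these per edition; none is hard-coded here).

```powershell
# Added example: check licence state, repair the component store only if the key is
# gone, then reinstall the KMS client key and activate. Assumptions: elevated session,
# Windows Server 2012 R2, $KmsClientKey supplied by the admin for the right edition.
param([string]$KmsClientKey)

$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # ApplicationId of the Windows product
$Slmgr        = Join-Path $env:WINDIR 'System32\slmgr.vbs'

function Get-WindowsLicense {
    # Several SoftwareLicensingProduct rows describe Windows editions; only the one
    # with a PartialProductKey is the installed key. LicenseStatus 1 means Licensed.
    Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.ApplicationId -eq $WindowsAppId -and $_.PartialProductKey } |
        Select-Object -Property Name, LicenseStatus, PartialProductKey -First 1
}

$Before = Get-WindowsLicense
if ($Before -and $Before.LicenseStatus -eq 1) {
    Write-Output "Already activated: $($Before.Name), key ending $($Before.PartialProductKey)"
    return
}

if (-not $Before) {
    # The symptom in the post: no product key at all. slmgr /ipk kept failing until
    # the component store was repaired, so repair first, reboot, then re-run.
    Write-Output 'No product key installed; repairing the component store.'
    & dism.exe /Online /Cleanup-Image /RestoreHealth
    if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
    & sfc.exe /scannow
    Write-Output 'Reboot, then run this script again with -KmsClientKey to reinstall the key.'
    return
}

if (-not $KmsClientKey) {
    throw 'Product key present but not licensed; supply -KmsClientKey to reinstall it.'
}
& cscript.exe //nologo $Slmgr /ipk $KmsClientKey
& cscript.exe //nologo $Slmgr /ato

$After = Get-WindowsLicense
if ($After -and $After.LicenseStatus -eq 1) {
    Write-Output "Activated: $($After.Name), key ending $($After.PartialProductKey)"
} else {
    Write-Output "Still not licensed (status $($After.LicenseStatus)); check KMS reachability with slmgr /dlv."
}
```

Running it twice (once before and once after the reboot) mirrors the sequence in the post; the first run stops after the DISM repair so the Software Protection service comes back up cleanly before any key is touched.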
Saturday, 20 December 2014
ADFS 3.0 Errors 100, 102, 277
Problem Description
The ADFS service starts, but when you open the ADFS Management console you get the error:
ADMIN0017: An exception occurred while connection to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS x.0 Windows Service is not running
You also get errors similar to the above when trying to run the ADFS PowerShell cmdlets.
You will also see ADFS errors 100, 102 and 277 in Event Viewer.
Resolution
The issue is with the ADFS service config file at:
%WINDIR%\ADFS\Microsoft.IdentityServer.ServiceHost.exe.config
Someone may have changed the switchValue parameter for the server traces. This value is case sensitive. In this case, the value had been set to 'off' when it should have been 'Off'. Another valid value is 'Verbose'. Fix the switchValue parameter and restart the ADFS service.
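The following PowerShell function is an added example, not code from the original post. It checks every switchValue in a trace configuration against the names .NET accepts for System.Diagnostics.SourceLevels using an exact, case-sensitive comparison, reports any that only match when case is ignored (the 'off' versus 'Off' case above), and can rewrite them in place after backing up the file. The sample config it runs against is constructed for the demo; the real file is %WINDIR%\ADFS\Microsoft.IdentityServer.ServiceHost.exe.config, and the service name adfssrv in the usage comment is assumed to be the ADFS Windows service.

```powershell
# Added example: validate and fix switchValue casing in a .NET trace config.
# Assumptions: standard System.Diagnostics <source switchValue="..."> elements;
# the real ADFS config is %WINDIR%\ADFS\Microsoft.IdentityServer.ServiceHost.exe.config.

function Test-TraceSwitchValues {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Fix
    )
    # Names .NET accepts for a trace source switchValue: Off, Critical, Error,
    # Warning, Information, Verbose, ActivityTracing, All.
    $Valid = [Enum]::GetNames([System.Diagnostics.SourceLevels])
    [xml]$Config = Get-Content -Path $Path -Raw
    $Problems = @()
    foreach ($Node in $Config.SelectNodes('//*[@switchValue]')) {
        $Value = $Node.GetAttribute('switchValue')
        if ($Valid -ccontains $Value) { continue }           # exact, case-sensitive match: fine
        $Expected = $Valid | Where-Object { $_ -eq $Value }  # -eq ignores case: 'off' -> 'Off'
        if (-not $Expected) { $Expected = '<not a SourceLevels name>' }
        $Problems += [pscustomobject]@{
            Source   = $Node.GetAttribute('name')
            Value    = $Value
            Expected = $Expected
        }
        if ($Fix -and ($Valid -ccontains $Expected)) { $Node.SetAttribute('switchValue', $Expected) }
    }
    if ($Fix -and $Problems.Count -gt 0) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep the original
        $Config.Save($Path)
    }
    return $Problems
}

# Constructed sample config: one source carries the lower-case 'off' that breaks the service.
$Sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.diagnostics>
    <sources>
      <source name="Microsoft.IdentityServer" switchValue="off" />
      <source name="Microsoft.IdentityModel" switchValue="Verbose" />
    </sources>
  </system.diagnostics>
</configuration>
'@
$Tmp = Join-Path $env:TEMP 'ServiceHost.exe.config.sample'
Set-Content -Path $Tmp -Value $Sample -Encoding UTF8

# Reports Microsoft.IdentityServer: 'off' -> 'Off' and rewrites the sample file.
Test-TraceSwitchValues -Path $Tmp -Fix | Format-Table -AutoSize

# Against the live file, stop the service first and start it again afterwards:
#   Stop-Service adfssrv
#   Test-TraceSwitchValues -Path "$env:WINDIR\ADFS\Microsoft.IdentityServer.ServiceHost.exe.config" -Fix
#   Start-Service adfssrv
```

Run without -Fix it only reports, which is the safer first step on a production federation server; values that are not a SourceLevels name at all are reported but never rewritten, since the right replacement is a judgement call.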