SSL Medium Strength Cipher Suites (SWEET32)

It would be great if we could include the latest "best practices" registry patch to schannel for Cipher Suites from Nartac IISCrypto

 

garlin

Moderator
Staff member
Don't use regkeys, it will be a nightmare to manage. Create your own group policy for SSL Cipher Suite Order, and only include those you think are secure. There are many, many recommended lists and I don't pretend to understand which experts are authorative. Just remember, older sites might stop working because they only support outdated protocols.

GPO's are better for editing (copy/paste), can be audited, and the Registry.pol copied (or merged) during post-setup.
 

garlin

Moderator
Staff member
Qualsys runs SSL Client Test, for checking your browser's security,
Based on my report, I needed to copy this list of weak ciphers into the GPO by using a comma-separated, single line.

Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings
Code:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA

Which translated to:
Code:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"

Use the weak ciphers list reported for your system, and reboot. WARNING: this will break any legacy apps using a disabled library.
 
An IIS Crypto tuning is something like 400 registry settings; its so many, that it actually breaks the MS AD DS GPO Editor when you create a new GPO with a registry.

I did this as follows:

1) Use IIS Crypto to define a CipherSuite set that meets organization requirements
2) Save the TMPL
3) Recycle/Reuse it on a reference system
4) Export the associated registries (**) to a .REG file
5) Convert the .REG to a .XML using LEE JEFFRIES (*)
6) Create a MS AD DS GPO with a "Registry" section, paste the XML and it will convert it to XML-REG-GPO hybrid format
7) (Optional) Backup the GPO archives for recycle/reuse/reference/snapshot/template
8) (Optional) Archive everything in GITHUB in case some FIPS / IEC-62443 / DISA audits


For comparison, on NetBSD/OpenBSD, one does this by:

1) Updating OpenSSL and merge the OpenSSL.cnf >:}

If anyone out there from Microsoft is listening: You need to manage this situation proactively (well, its too late, so retroactively). I haven't looked yet, but 22H1 and/or Server 2022 please make sure they include a modern cipher suite. The next ADMX kit can come with pre-configurated templates?

(*) https://www.leeejeffries.com/import-reg-files-into-microsoft-group-policy/
(**) https://www.nartac.com/Products/IISCrypto/FAQ/what-registry-keys-does-iis-crypto-modify
 

garlin

Moderator
Staff member
Your example is much more advanced in scope. This only disables weak ciphers on a local system, which is probably good for protecting normal users against SSL downgrade attacks.
 
NTLite and IIS Crypto should get together and merge the functions as a preset in NTLite; we can have a funeral a bury SSLv3, TLS v1.0, and v1.1 out behind the wood shed.
 

garlin

Moderator
Staff member
When I tested my exact GPO, PowerShell web requests stopped working -- even if TLS 1.2 protocol was specified. As mentioned before, not all apps will correctly handle restrictions. FireFox had no problems, but PS failed.
 
Top