{"id":10975,"date":"2017-05-25T18:16:00","date_gmt":"2017-05-25T18:16:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/premier_developer\/?p=10975"},"modified":"2019-03-05T14:32:30","modified_gmt":"2019-03-05T21:32:30","slug":"hardening-your-web-servers-ssl-tls-ciphers","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/hardening-your-web-servers-ssl-tls-ciphers\/","title":{"rendered":"Hardening your web server\u2019s SSL\/TLS ciphers"},"content":{"rendered":"<p>In this post, Senior Application Development Manager <a href=\"https:\/\/www.linkedin.com\/in\/anand-shukla-45b7081\/\">Anand Shukla<\/a> shares some tips to harden your web server\u2019s SSL\/TLS ciphers.<\/p>\n<hr \/>\n<p>I recently worked with a customer who had security requirements to disable the weak RC4 ciphers on their Windows 2008 and Windows 2003 servers. The process is a little different for Windows 2008 R2 servers and Windows 2003 servers, and there are multiple articles on the internet on how to disable the RC4 ciphers.<\/p>\n<p>Below is a quick summary.<\/p>\n<ul>\n<li>Windows 2008 R2 &#8211; Check whether security update 2868725, which allows disabling of RC4, is installed. If you have this update, you should have the registry setting that allows disabling of RC4, and you can go ahead and apply the registry changes as mentioned in the article.
If not, first apply the update and then change the registry settings.\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/2868725\/microsoft-security-advisory-update-for-disabling-rc4\">https:\/\/support.microsoft.com\/en-us\/help\/2868725\/microsoft-security-advisory-update-for-disabling-rc4<\/a><\/li>\n<li><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/2868725.aspx\">https:\/\/technet.microsoft.com\/en-us\/library\/security\/2868725.aspx<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Windows 2003 SP2 \u2013 You need to make sure that support for strong ciphers is added and then disable the weak ciphers.\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/3050509\/improving-cipher-security-in-windows-server-2003-sp2\">https:\/\/support.microsoft.com\/en-us\/help\/3050509\/improving-cipher-security-in-windows-server-2003-sp2<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>One of the main challenges was testing for weak ciphers to make sure they were remediated. We could use SSL Labs for external-facing applications, but this was not feasible for internal applications. Nmap worked beautifully for this need.<\/p>\n<p>Here is the screenshot from <a href=\"https:\/\/ssllabs.com\">https:\/\/ssllabs.com<\/a> for testing SSL protocols and cipher information for <a href=\"http:\/\/www.bing.com\">www.bing.com<\/a><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/clip_image00233.jpg\"><img decoding=\"async\" style=\"padding-top: 0px; padding-left: 0px; padding-right: 0px; border: 0px;\" title=\"clip_image002\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/31\/2019\/04\/clip_image002_thumb24.jpg\" alt=\"clip_image002\" width=\"1028\" height=\"682\" border=\"0\" \/><\/a><\/p>\n<p>You can download Nmap from <a href=\"https:\/\/nmap.org\/download.html\">https:\/\/nmap.org\/download.html<\/a> and run the following commands to check for ciphers.
The first command finds all the SSL ports, and the second one lists the available ciphers.<\/p>\n<p><code>nmap -sV --reason -PN -n --top-ports 100 www.bing.com<\/code><\/p>\n<p><code>nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.bing.com<\/code><\/p>\n<p>See the article for more details &#8211; <a href=\"https:\/\/www.owasp.org\/index.php\/Testing_for_Weak_SSL\/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)\">https:\/\/www.owasp.org\/index.php\/Testing_for_Weak_SSL\/TLS_Ciphers,_Insufficient_Transport_Layer_Protection_(OTG-CRYPST-001)<\/a><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-35770\" src=\"http:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher1.jpg\" alt=\"\" width=\"1028\" height=\"326\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher1.jpg 1028w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher1-300x95.jpg 300w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher1-768x244.jpg 768w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher1-1024x325.jpg 1024w\" sizes=\"(max-width: 1028px) 100vw, 1028px\" \/><\/p>\n<p><u><span style=\"background-color: #bfe6ff; color: #000114;\"><img decoding=\"async\" class=\"alignnone size-full wp-image-35771\" src=\"http:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher2.jpg\" alt=\"\" width=\"807\" height=\"772\" srcset=\"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher2.jpg 807w, https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher2-300x287.jpg 300w,
https:\/\/devblogs.microsoft.com\/premier-developer\/wp-content\/uploads\/sites\/31\/2017\/05\/cipher2-768x735.jpg 768w\" sizes=\"(max-width: 807px) 100vw, 807px\" \/><\/span><\/u><\/p>\n<p>This approach helped us remediate the weak ciphers on the servers and make sure they were removed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post, Senior Application Development Manager Anand Shukla shares some tips to harden your web server\u2019s SSL\/TLS ciphers. I recently worked with a customer who had security requirements to disable the weak RC4 ciphers on their Windows 2008 and Windows 2003 servers. The process is a little different for Windows 2008 R2 servers and [&hellip;]<\/p>\n","protected":false},"author":582,"featured_media":37840,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[96],"tags":[58,3],"class_list":["post-10975","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-security","tag-team"],"acf":[],"blog_post_summary":"<p>In this post, Senior Application Development Manager Anand Shukla shares some tips to harden your web server\u2019s SSL\/TLS ciphers.
I recently worked with a customer who had security requirements to disable the weak RC4 ciphers on their Windows 2008 and Windows 2003 servers. The process is a little different for Windows 2008 R2 servers and [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/10975","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/users\/582"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/comments?post=10975"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/posts\/10975\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media\/37840"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/media?parent=10975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/categories?post=10975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/premier-developer\/wp-json\/wp\/v2\/tags?post=10975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}