Cryptzone Support

 

How can I disable weak ciphers on the SEP-Server to improve security?


 
Article Number: 000001101

Cryptzone uses a custom HTTP server, developed in pure .NET.
We always use the standard security classes shipped with .NET Framework v2.
From an SSL / HTTPS perspective, Cryptzone is as secure as the latest Microsoft .NET Framework v2.

SEP Server has been studied and analyzed by third-party penetration testers, who did not find any security issues.

As mentioned, our web server is based on .NET, so we rely entirely on the Windows APIs and settings. For example, with the default Windows Server settings, this is the result for the Cryptzone public SEP server:

Overall rating: C with 57 points


But when we tweak the secure channel provider (SCHANNEL) settings in the registry and restart the Windows server, we get:

Overall rating: A with 84 points


As you can see, editing the Windows registry fixes all the vulnerabilities.
Please note that this fix will affect all programs that use the Windows APIs for secure communication (all WinAPI and .NET programs).

These are the settings I modified:

Disable Weak ciphers:

1. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

2. Here you’ll see a list of available ciphers. Click on each cipher that you want to disable (you should disable anything with 40/* or 56/* in its name) and create a DWORD value, “Enabled” = 0

Disable Renegotiation:

1. Microsoft released an update that disables this feature as a workaround. Install the Microsoft update KB977377 for your Windows version. For example:
a. Server 2003 http://www.microsoft.com/en-us/download/details.aspx?id=10291
b. Server 2008 R2 x64 http://www.microsoft.com/en-us/download/details.aspx?id=24360

2. FYI: The update creates two registry DWORD values under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ and fixes the vulnerability by default (by disabling that feature):
a. DisableRenegoOnClient = 1
b. DisableRenegoOnServer = 1

RESTART WINDOWS after changing these settings.
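
The registry steps above can be checked or applied with a script. The following is an added example, not Cryptzone's own code: it reports the state of the weak cipher keys and the two renegotiation values, and only writes when run from an elevated prompt with `-Apply`, a switch defined by this script.

```powershell
# Added example: audits by default; pass -Apply (this script's own switch) to write.
param([switch]$Apply)

$write = $Apply.IsPresent
$base  = 'System\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm  = [Microsoft.Win32.Registry]::LocalMachine

# Cipher key names contain "/" (e.g. "RC4 40/128"). The PowerShell registry
# provider treats "/" as a path separator, so use the .NET registry API instead.
$ciphers = $hklm.OpenSubKey("$base\Ciphers", $write)
if ($null -eq $ciphers) {
    Write-Output 'SCHANNEL\Ciphers key not found; nothing to check.'
} else {
    foreach ($name in $ciphers.GetSubKeyNames()) {
        # Article's rule: 40/* and 56/* are weak. \b keeps "AES 256/256" from matching "56/".
        if ($name -notmatch '\b(40|56)/') { continue }
        $key     = $ciphers.OpenSubKey($name, $write)
        $enabled = $key.GetValue('Enabled', $null)
        if ($enabled -eq 0) {
            Write-Output "OK        $name (Enabled = 0)"
        } elseif ($write) {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            Write-Output "DISABLED  $name"
        } else {
            Write-Output "WEAK      $name (Enabled is not 0)"
        }
        $key.Close()
    }
    $ciphers.Close()
}

# Renegotiation: report the two values the article says KB977377 creates.
$schannel = $hklm.OpenSubKey($base)
if ($null -ne $schannel) {
    foreach ($value in 'DisableRenegoOnClient', 'DisableRenegoOnServer') {
        $current = $schannel.GetValue($value, $null)
        if ($current -eq 1) { Write-Output "OK        $value = 1" }
        else                { Write-Output "MISSING   $value is not 1" }
    }
    $schannel.Close()
}

if ($write) { Write-Output 'Restart Windows for the changes to take effect.' }
```

The script only touches cipher subkeys that already exist, and it does not install KB977377; it only reports whether the values that update creates are present.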

 
