Windows Server SSL ciphers suite order

Hi,

We are getting this error when scanning our site:



I like to set the SSL cipher suites via GPO. Under Computer, Admin Templates, Network, SSL Configuration Settings, SSL Cipher Suite Order, put in this entry. There are no spaces, and there are commas between every entry.

Apply the GPO and reboot the server. Your scan should come up better. Hopefully you have already disabled SSL 2, disabled SSL 3, and enabled TLS 1.1 and TLS 1.2.






You may want to check out the IIS Crypto tool, which eases reordering the SSL/TLS cipher suites correctly.
https://www.nartac.com/Products/IISCrypto/

In fact, the recent Microsoft MS15-031 will have closed this, as well as the most recent vulnerability on weak export ciphers. It also stated the patched GPO reorder state.

A server needs to support RSA key exchange EXPORT ciphers for an attack to be successful; the ciphers are disabled in default configurations of Windows Vista/Server 2008 and later operating systems.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
https://technet.microsoft.com/en-us/library/security/ms15-031.aspx
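
Added example, not part of the original posts: a small Python check that turns a pasted multi-line suite list into the single comma-separated, space-free string the "SSL Cipher Suite Order" setting expects, and flags entries that would break the policy or bring EXPORT-class suites back. The function names, the weak-marker list, the 1023-character limit and both sample strings are assumptions made for this illustration.

```python
import re

# Assumption: the policy text box accepts at most 1023 characters.
MAX_POLICY_LEN = 1023
# Substrings marking suites a scanner flags; EXPORT is the class named in MS15-031.
WEAK_MARKERS = ("EXPORT", "NULL", "RC4", "_DES_", "MD5")
# Schannel-style name: TLS_/SSL_ prefix, upper-case tokens, optional curve suffix (_P256).
NAME_RE = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")

# Constructed sample: a list pasted one suite per line, as in the post above.
SAMPLE = """TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"""
# Constructed sample with a space, a doubled comma, a duplicate and an EXPORT suite.
BAD = ("TLS_RSA_EXPORT_WITH_RC4_40_MD5, TLS_RSA_WITH_AES_128_CBC_SHA,,"
       "TLS_RSA_WITH_AES_128_CBC_SHA")


def build_policy_value(pasted: str) -> str:
    """Collapse a pasted list into one comma-separated line without spaces."""
    return ",".join(n for n in re.split(r"[,\s]+", pasted) if n)


def check_policy_value(value: str) -> list:
    """Return the problems found in a cipher suite order string."""
    problems = []
    if re.search(r"\s", value):
        problems.append("contains whitespace")
    if len(value) > MAX_POLICY_LEN:
        problems.append(f"too long: {len(value)} > {MAX_POLICY_LEN}")
    seen = set()
    for raw in value.split(","):
        name = raw.strip()
        if not name:
            problems.append("empty entry (doubled or trailing comma)")
        elif not NAME_RE.match(name):
            problems.append(f"malformed name: {name!r}")
        elif name in seen:
            problems.append(f"duplicate: {name}")
        elif any(marker in name for marker in WEAK_MARKERS):
            problems.append(f"weak suite: {name}")
        seen.add(name)
    return problems


if __name__ == "__main__":
    print(build_policy_value(SAMPLE))
    for problem in check_policy_value(BAD):
        print("problem:", problem)
```
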






