Nessus reports SSL 64-bit Block Size Cipher Suites Supported (SWEET32) and SSL Medium Strength Cipher Suites Supported against our Windows servers, even though nmap's ssl-enum-ciphers grades the suite in question as strong. The suite is TLS_RSA_WITH_3DES_EDE_CBC_SHA: 3DES has a 64-bit block, which is what SWEET32 exploits, so on Windows it has to be disabled in SCHANNEL.
Simply adding the cipher key to the registry did not work as expected. The key name turns out to depend on the Windows version (Triple DES 168/168 before Vista, Triple DES 168 from Vista / Server 2008 on, per the note under References), so the registry file below sets both and disables 3DES whichever one the host honours. The same file also disables the single-DES, RC2 and RC4 keys.
Registry file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000
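An added example (my own script, not from the original post) that applies the same change from PowerShell instead of importing the .reg file. It assumes an elevated session and that the Ciphers subkeys may not exist yet. It deliberately uses the .NET RegistryKey API rather than New-Item, because the HKLM: provider treats the forward slash in names such as "Triple DES 168/168" as a path separator and would create a nested key that SCHANNEL never looks at.

```powershell
# Added example, not from the original post: disable the same SCHANNEL ciphers
# as the .reg file, covering both names Windows has used for the 3DES key.
# Run from an elevated PowerShell. SCHANNEL reads these keys at boot, so
# reboot afterwards and re-run the nmap check before closing the ticket.

$cipherKeys = @(
    'DES 56/56',
    'RC2 40/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 128/128',
    'Triple DES 168/168',   # key name on Windows releases before Vista
    'Triple DES 168'        # key name on Vista / Server 2008 and later
)

# Why not New-Item: the registry provider treats "/" as a path separator, so
#   New-Item 'HKLM:\...\Ciphers\Triple DES 168/168'
# creates "Triple DES 168" with a child key "168". RegistryKey.CreateSubKey
# splits only on "\", so the names land exactly as SCHANNEL expects them.
$hive = [Microsoft.Win32.RegistryHive]::LocalMachine
$view = [Microsoft.Win32.RegistryView]::Registry64   # native view, not WOW64
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
$ciphers = $hklm.CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')

foreach ($name in $cipherKeys) {
    $key = $ciphers.CreateSubKey($name)          # creates, or opens writable
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Read back what SCHANNEL will see. "missing" or a non-zero value here means
# the change did not land (no admin rights, wrong view, or a nested key).
foreach ($name in $cipherKeys) {
    $enabled = 'missing'
    $key = $ciphers.OpenSubKey($name)
    if ($key) {
        $enabled = $key.GetValue('Enabled', 'missing')
        $key.Close()
    }
    '{0,-20} Enabled = {1}' -f $name, $enabled
}

$ciphers.Close()
$hklm.Close()
```

The read-back loop is the part worth keeping in any deployment script: a key that was split on the slash shows up as "missing" here, which is exactly the silent failure that makes the .reg import look like it "didn't work".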
Before:
$ nmap --script +ssl-enum-ciphers -p 3389 iprintsrvr -Pn
Starting Nmap 6.47 ( http://nmap.org ) at 2017-01-20 12:28 GMT
Nmap scan report for iprintsrvr (192.168.0.181)
Host is up (0.00051s latency).
rDNS record for 192.168.0.181: iprintsrvr.domain.local
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds
After:
$ nmap --script +ssl-enum-ciphers -p 3389 iprintsrvr -Pn
Starting Nmap 6.47 ( http://nmap.org ) at 2017-01-20 12:29 GMT
Nmap scan report for iprintsrvr (192.168.0.181)
Host is up (0.00028s latency).
rDNS record for 192.168.0.181: iprintsrvr.domain.local
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
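Also my own added example, not from the post: a PowerShell check over nmap ssl-enum-ciphers output that flags suites by the block size of their cipher rather than by nmap's grade (the 6.47 script grades the 3DES suite "strong"; Nessus flags it anyway), and lists what would be left once those suites are disabled. An empty remainder is the "Too few ciphers supported" situation from the comments, where the server has nothing left to offer RDP clients. The sample text is the Before scan from above; the list of 64-bit block ciphers and the function names are mine.

```powershell
# Added example, not from the original post: find SWEET32-affected suites in
# nmap ssl-enum-ciphers output by cipher name, independent of nmap's grade.

# Ciphers with a 64-bit block, matched against the part of the suite name
# after _WITH_ (e.g. 3DES_EDE_CBC_SHA). RC4 is a stream cipher and is left to
# its own finding.
$SixtyFourBitBlockPattern = '^(3DES|DES|DES40|RC2|IDEA)_'

function Get-Sweet32Suites {
    # Returns the distinct suite names in $NmapOutput that use a 64-bit block cipher.
    param([Parameter(Mandatory)][string]$NmapOutput)

    $hits = foreach ($line in ($NmapOutput -split "`r?`n")) {
        # Suite lines look like "|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong"
        if ($line -match '\b(TLS_[A-Z0-9_]+)\b') {
            $suite  = $Matches[1]
            $cipher = ($suite -split '_WITH_', 2)[1]
            if ($cipher -and $cipher -match $SixtyFourBitBlockPattern) { $suite }
        }
    }
    @($hits | Sort-Object -Unique)
}

function Get-RemainingSuites {
    # Suites the listener would still offer once the SWEET32 ones are disabled.
    # Empty means every offered suite was 3DES/DES/RC2: disabling them leaves
    # the port with nothing to negotiate.
    param([Parameter(Mandatory)][string]$NmapOutput)

    $weak = Get-Sweet32Suites $NmapOutput
    $all  = [regex]::Matches($NmapOutput, '\bTLS_[A-Z0-9_]+\b') |
            ForEach-Object { $_.Value } | Sort-Object -Unique
    @($all | Where-Object { $weak -notcontains $_ })
}

# Scan text copied from the post's "Before" run above (nmap 6.47 output).
$before = @'
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
'@

'SWEET32 suites:'
Get-Sweet32Suites $before
'Suites left after disabling them:'
Get-RemainingSuites $before
```

On the Before output the first function returns only the 3DES suite and the second the four AES suites, so disabling 3DES is safe for that host. Run the same check against the scan of any box you plan to change; if the remaining list is empty, fix the AES side before touching 3DES or RDP will stop accepting connections.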
References
Note: for versions of Windows released before Windows Vista, the key should be Triple DES 168/168.
Hi, thank you for the info, did you make this registry modification on a Windows 2012 server or other versions?
We do this for all Windows 2008, 2012 including R2.
For Windows 2008 R2, when you removed 3DES, did it also break Remote Desktop connections?
Only from clients that don’t support higher encryption. We don’t allow any client less than Windows 7 these days.
That's weird that it broke it for Win 7.
I have a Windows 2012 server that I disabled 3DES on (SWEET32), but my Win 7 boxes still connect fine to the server using Remote Desktop.
When I did the change on my Win 2k8 R2 box though, it does not allow connections from any server, Windows 7 or Windows 2012.
The other weird thing is that when I do Nmap against the Win 2k8 R2 box, it does not show all of the cipher suites you have enabled.
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-05-03 08:35 Eastern Daylight Time
Nmap scan report for cx-web65.webd2ms.com (10.76.65.1)
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server?
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| warnings:
| Weak certificate signature: SHA1
|_ least strength: C
MAC Address: 3C:D9:2B:F9:BC:98 (Hewlett-Packard Company)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.86 seconds
I’m not entirely certain what you have locked down there. But for a Win2k8 server this is my ssl cipher result. I did notice your scan shows a weak SHA1 signature and wondered if you can’t support the ciphers because of this?
Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-04 10:55 BST
Nmap scan report for monsrvr (192.168.0.165)
Host is up (0.00061s latency).
rDNS record for 192.169.0.165: monsrvr.domain.local
PORT STATE SERVICE
3389/tcp open ms-wbt-server
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 3.36 seconds
This is the nmap results when ran against the Windows 2012 server:
Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2017-05-03 08:38 Eastern Daylight Time
Nmap scan report for cx-web55.webd2ms.com (10.75.55.1)
Host is up (0.0010s latency).
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server?
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 521) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 521) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 521) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 521) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 521) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 521) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 521) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 521) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 128) - B
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| Key exchange parameters of lower strength than certificate key
|_ least strength: C
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.41 seconds