Comments on: Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part2) http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/ Stefaan Pouseele, an ISA Server MVP, discusses issues brought up within various ISA articles and Microsoft publications. Updates to the ISA Firewall, protocol support, discussions on the different ISA clients, ISA features, how to clean up network traffic and links to new ISA server literature are all be included within the blog. Get help on troubleshooting the ISA network firewall and learn how to create good security policies. Coverage on ISA Server 2006 also appears. Fri, 29 Aug 2008 06:48:47 +0000 http://wordpress.org/?v=MU by: Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part2) - http://blogs.isaserver.org/pouseele/feed/ http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-12554 Wed, 24 Oct 2007 22:08:59 +0000 http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-12554 [...] Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part2) In my blog Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 I posted a workaround for enabling Redirect all traffic from HTTP to HTTPS *and* Require 128-bit encryption for HTTPS traffic in a web publishing rule. more... Read More... [...] […] Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part2) In my blog Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 I posted a workaround for enabling Redirect all traffic from HTTP to HTTPS *and* Require 128-bit encryption for HTTPS traffic in a web publishing rule. more… Read More… […]

]]> by: Stefaan Pouseele Blog » Blog Archive » Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part3) http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-8553 Sat, 19 May 2007 12:27:12 +0000 http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-8553 [...] In my blog Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part2) we analysed what the setting Require 128-bit encryption for HTTPS traffic really means and how it works. By default the Web Proxy component on ISA checks for every HTTPS request if the secure channel used to pass that request has a strong Cipher Suite (at least 128-bit encryption) as property. However, it does *not* prevent the setup of a secure channel with a weak Cipher Suite. [...] […] In my blog Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part2) we analysed what the setting Require 128-bit encryption for HTTPS traffic really means and how it works. By default the Web Proxy component on ISA checks for every HTTPS request if the secure channel used to pass that request has a strong Cipher Suite (at least 128-bit encryption) as property. However, it does *not* prevent the setup of a secure channel with a weak Cipher Suite. […]

]]> by: Mylo http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-8066 Fri, 27 Apr 2007 17:34:54 +0000 http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-8066 Another top article. I was quite surprised though when I saw it, that the weaker ciphers have not been deprecated yet. We used to have to follow the same KB note for IIS5 servers as part of a hardening exercise for web servers back in 2002. The fact that the reg changes Jason describes still apply in 2007 (to me anyway) is a little mysterious; although i suspect export / legal controls are a factor (not to mention legacy support). Regards Mylo Another top article. I was quite surprised though when I saw it, that the weaker ciphers have not been deprecated yet. We used to have to follow the same KB note for IIS5 servers as part of a hardening exercise for web servers back in 2002. The fact that the reg changes Jason describes still apply in 2007 (to me anyway) is a little mysterious; although i suspect export / legal controls are a factor (not to mention legacy support).

Regards
Mylo

]]> by: Jason Jones http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-7461 Tue, 27 Mar 2007 20:41:37 +0000 http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-7461 Hi All, This reg file should remove all weak ciphers and only allow 128 bit or greater. I have checked this configuration with 'SSLDigger' for much better results than the default OS stance. Hope this helps those trying to work out that awful KB article!!!! Cheers JJ ------------ REGEDIT4 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128] "Enabled"=dword:ffffffff [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:ffffffff [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168] "Enabled"=dword:ffffffff ----------------- Hi All,

This reg file should remove all weak ciphers and only allow 128 bit or greater.

I have checked this configuration with ‘SSLDigger’ for much better results than the default OS stance.

Hope this helps those trying to work out that awful KB article!!!!

Cheers

JJ

————
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
“Enabled”=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
“Enabled”=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
“Enabled”=dword:ffffffff
—————–

]]> by: Jason Jones http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-7452 Tue, 27 Mar 2007 13:37:43 +0000 http://blogs.isaserver.org/pouseele/2007/03/25/require-128-bit-encryption-for-https-traffic-with-isa-server-2006-part2/#comment-7452 Hi Stefaan, Detailed analysis, as ever! Definitely explains the results I have been seeing with several penetration tests that have involved ISA. Think I will start rolling KB245030 into our standard build for ISA, until MS sort out the global policy ;-) Jason Hi Stefaan,

Detailed analysis, as ever!

Definitely explains the results I have been seeing with several penetration tests that have involved ISA.

Think I will start rolling KB245030 into our standard build for ISA, until MS sort out the global policy ;-)

Jason

]]>