We had a problem passing PCI compliance due to "weak ciphers". I found the information at http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html
How to configure Microsoft IIS to not accept SSLv2 connections:
You will need to modify the system's registry. Merge the following keys into the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
When I checked, ours was already disabled, but I figured that it should be included here in case it is not on the next server I have to do this on.
We did, however, need to disable the weak ciphers with this:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
Then, to test, I had to install OpenSSL. But OpenSSL requires the Microsoft Visual C++ 2008 Redistributable Package. Here is the 64-bit version I used.
Then I installed the OpenSSL build found here. I just used the 64-bit light version.
Once they were all installed on my workstation, I opened a command prompt and entered:
openssl s_client -no_tls1 -no_ssl3 -connect domain.to.test.com:443
If it connects without a failure message, the server is still accepting SSLv2 (and with it the weak ciphers). You want an error similar to:
6176:error:140790E5:SSL routines:SSL23_WRITE:Ssl handshake failure:.\ssl\s23_lib.c:188:
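As an added example (not from the original post), here is a PowerShell script, assumed to run elevated on the server, that reads each SCHANNEL key listed above through the .NET registry API and reports whether it is disabled; with -Fix it writes the same Enabled=0 values. The .NET API is used because the PowerShell registry provider treats the "/" in names like "RC4 40/128" as a path separator.

```powershell
# Added example, not from the original post: audit (and optionally set) the
# SCHANNEL keys listed above. Run in an elevated PowerShell on the server.
param([switch]$Fix)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# The subkeys from the post. The .NET RegistryKey API is used instead of HKLM:\
# because the PowerShell provider treats the '/' in "RC4 40/128" as a separator.
$targets = @(
    'Protocols\PCT 1.0\Server', 'Protocols\SSL 2.0\Server',
    'Ciphers\DES 56/56', 'Ciphers\NULL',
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 64/128'
)

$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

foreach ($sub in $targets) {
    $path = "$schannel\$sub"
    $key  = $hklm.OpenSubKey($path, $Fix.IsPresent)   # writable only when fixing
    $enabled = if ($null -ne $key) { $key.GetValue('Enabled') } else { $null }

    # A missing key or value means Schannel's built-in default applies, which,
    # depending on the Windows version, may leave the item enabled.
    $state = if ($null -eq $enabled) { 'not set (default applies)' }
             elseif ($enabled -eq 0) { 'disabled' }
             else { 'ENABLED' }

    if ($Fix -and $state -ne 'disabled') {
        if ($null -eq $key) { $key = $hklm.CreateSubKey($path) }
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $state = 'disabled (fixed)'
    }
    if ($null -ne $key) { $key.Close() }

    [pscustomobject]@{ Key = $sub; State = $state }
}
```

Schannel reads these keys when it starts, so a reboot is generally required before the openssl check above reflects a change.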