Here are a few links for the cipher issues: 
You can only use SSL v3 or TLS v1.0
http://manyrootsofallevilrants.blogspot.com/2011/11/disabling-low-ciphers-in-iis-60.html

Here is the Blog from IIS.net that will set you straight on what to take care 
of in the registry. 
 
http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
 
You can test your ciphers using openssl. 
 To make sure you don't have sslv2 enabled, do the following. 
 
Install the latest version of OpenSSL (I believe 1.0x now).
Navigate to the bin directory in the OpenSSL install directory.
Type openssl to get the OpenSSL command line. 
 
Then type the following: OpenSSL> s_client -connect host:port -ssl2
(If it comes back with the following, it's not accepting SSLv2.)
CONNECTED(00000758)
4348:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:.\ssl\s2_pkt.c:675:
4348:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:428:
 
Show this to the auditors. 
EZ
 

Edward E. Ziots 
Senior Informational Security Engineer
CISSP, Security+, Network+ 
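
As an added example (not part of Edward's reply or of the linked blog posts), here is a PowerShell script that makes the Schannel registry changes those posts describe: it turns SSL 2.0 off on the server side, disables the weak cipher subkeys, and then reads the values back so the result can be shown to the auditors. It assumes Windows Server 2003 (the IIS 6.0 host), an elevated session, a backup of the SCHANNEL key taken beforehand, and a reboot afterwards, since Schannel only reads these keys at start-up. The key paths and the cipher subkey names are Microsoft's standard Schannel locations; nothing else in the script comes from the thread.

```powershell
# Added example, not code from the thread: disable SSL 2.0 and the weak
# Schannel cipher suites on Windows Server 2003 / IIS 6.0 via the registry.
# Assumes an elevated session and a reboot afterwards.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# --- Protocols: turn SSL 2.0 off on the server side ---
$ssl2Server = Join-Path $schannel 'Protocols\SSL 2.0\Server'
if (-not (Test-Path $ssl2Server)) { New-Item -Path $ssl2Server -Force | Out-Null }
New-ItemProperty -Path $ssl2Server -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null

# --- Ciphers: disable the NULL and export-grade suites a PCI scan flags ---
# These subkey names contain a "/", which the PowerShell registry provider
# would treat as a path separator, so they are created through the .NET
# registry API, where "/" is just a character in the key name.
$weakCiphers = @('NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128',
                 'RC4 40/128', 'RC4 56/128', 'RC4 64/128')
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$ciphersKey  = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
foreach ($name in $weakCiphers) {
    $sub = $ciphersKey.CreateSubKey($name)        # opens or creates, writable
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}
$ciphersKey.Close()

# --- Read the configuration back for the audit evidence ---
function Get-SchannelState {
    $ssl2 = (Get-ItemProperty -Path $ssl2Server -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    [PSCustomObject]@{ Setting = 'SSL 2.0 Server Enabled'; Value = $ssl2 }
    foreach ($name in $weakCiphers) {
        $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ciphersPath\$name")
        $v = if ($k) { $k.GetValue('Enabled') } else { $null }
        [PSCustomObject]@{ Setting = "Cipher '$name' Enabled"; Value = $v }
    }
}

Get-SchannelState | Format-Table -AutoSize
Write-Host 'Reboot the server, then re-run the openssl s_client -ssl2 check from a client.'
```

After the reboot, the s_client test from the thread is the right confirmation. One caveat: the -ssl2 option only exists in OpenSSL builds that still include SSLv2 support (it was removed from the default build in the 1.0 series and dropped entirely in 1.1.0), so a current OpenSSL will refuse the option rather than prove anything about the server; use an older build or a dedicated scanner for that particular check.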
From: richard.mccl...@aspca.org
To: ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 15:05:48 +0000
Subject: IIS 6.0 Security
Hopefully, the subject line is not a complete oxymoron…
 
Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.
 
We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)
 
The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:
 
Disable TLS Renegotiation
 
Fix Microsoft IIS Content Location Internal IP Address Leak (Note – the server 
is accessed via web through a MIP’s IP address)
 
Upgrade to the latest version of OpenSSL
 
Disable SSL support for weak ciphers
 
Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).
 
Thank you; back to Google and Technet…
-
richard


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin                                     