Knowledge Base Article

Hardening SSL on IIS 6 - IIS 7

by Adam S on Thursday, October 9, 2014

If you are running a web application (such as SpiraTest, SpiraPlan, SpiraTeam or KronoDesk) on an IIS web server over Secure Sockets Layer (SSL), you will want to harden the environment by disabling the older SSL and TLS protocol versions, and the weak ciphers, that are no longer considered secure.

These steps apply to:

  • Windows Server 2003 R1 & R2
  • Windows Server 2008 R1 & R2

Windows Server 2012 and later enable TLS 1.1 and TLS 1.2 by default, but SSL 3.0 may still be enabled there, so verify the keys below rather than assuming the server is already hardened. Note also that Windows Server 2003 supports nothing newer than TLS 1.0, and Windows Server 2008 (not R2) gained TLS 1.1 and 1.2 only through a later update; on those platforms, disabling TLS 1.0 leaves IIS with no protocol to negotiate and HTTPS stops working.

(MAKE SURE THAT YOU BACK UP YOUR REGISTRY BEFORE APPLYING THESE CHANGES)
 
• Using regedit, add the following keys (right-click on "Protocols" -> New -> Key and name it "SSL 2.0", then repeat for "SSL 3.0" and "TLS 1.0"):
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
 
• Under each of the keys above, create two additional keys, "Client" and "Server":
 
 For SSL 2.0: 
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
 
 For SSL 3.0: 
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
 
 For TLS 1.0: 
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
 
• Then create a DWORD (32-bit) value called "Enabled" under each "Client" and "Server" key for SSL 2.0, SSL 3.0 and TLS 1.0:
 
 DWORD (32-bit) Value
 
 Value name = Enabled
 
 Value data = 0
 
 Value data can be set to "1" (enabled) or "0" (disabled). Note that SSL 3.0 is also broken (POODLE, CVE-2014-3566, disclosed a few days after this article was written) and TLS 1.0 has since been deprecated, so on a current deployment all three should be set to "0". Before disabling TLS 1.0 on Windows Server 2008 R2, create "TLS 1.1" and "TLS 1.2" keys in the same way, each with "Client" and "Server" subkeys holding "Enabled" = 1 and a DWORD "DisabledByDefault" = 0, otherwise the server is left with no protocol to negotiate. On Windows Server 2003, which supports nothing newer than TLS 1.0, TLS 1.0 must stay enabled.
 
 In my scenario the values were "enabled" (set to 1) for SSL 3.0 and TLS 1.0 and "disabled" (set to 0) for SSL 2.0
 
• The next step is to adjust the ciphers. Navigate to the following key in the registry:
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
 
• Right-click on "Ciphers" -> New -> Key and create a key for each cipher you want to control (the key names must match exactly):
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
 
 Creating the key by itself changes nothing: under each cipher key create a DWORD (32-bit) value named "Enabled" with data 0 to disable the cipher or 0xffffffff to enable it. RC2 and RC4 are no longer considered secure and should be disabled (0). Triple DES is weak but may need to stay enabled (0xffffffff) for older clients that support nothing stronger; the AES 128/128 and AES 256/256 ciphers that Windows Server 2008 and later provide should be left enabled.
 
• That's all! Schannel reads these keys only at startup, so reboot the server (restarting IIS or the website is not enough) to apply the changes.
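The whole procedure above, applied with PowerShell instead of regedit, as an added example that is not part of the original article or of the Spira/KronoDesk products. It assumes Windows Server 2008 R2 (whose Schannel supports TLS 1.1 and 1.2; on Windows Server 2003 leave TLS 1.0 enabled) and must be run in an elevated PowerShell session on the IIS server, followed by a reboot. It uses the .NET registry API rather than the HKLM: provider because the provider treats the "/" in cipher key names such as "RC4 128/128" as a path separator and would create the wrong keys.

```powershell
# Added example (not from the original article): apply the Schannel protocol and cipher
# settings described above. Run elevated on the IIS server, then reboot.
# Assumes Windows Server 2008 R2, where TLS 1.1/1.2 exist but are disabled by default.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Back up the whole SCHANNEL key first; "reg.exe import <file>" restores it.
reg.exe export "HKLM\$schannelPath" "$env:TEMP\schannel-backup.reg" /y | Out-Null

# .NET registry API: the HKLM: provider would split 'RC4 128/128' at the '/'.
$hklm  = [Microsoft.Win32.Registry]::LocalMachine
$dword = [Microsoft.Win32.RegistryValueKind]::DWord

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$Name,   # 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', ...
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = $hklm.CreateSubKey("$schannelPath\Protocols\$Name\$side")
        # Enabled: 1 = protocol may be used, 0 = never used
        $key.SetValue('Enabled', [int]$Enabled, $dword)
        # DisabledByDefault: 0 = offered without the application requesting it explicitly
        $key.SetValue('DisabledByDefault', [int](-not $Enabled), $dword)
        $key.Close()
    }
}

function Set-SchannelCipher {
    param(
        [Parameter(Mandatory = $true)][string]$Name,   # 'RC4 128/128', 'Triple DES 168/168', ...
        [Parameter(Mandatory = $true)][bool]$Enabled
    )
    # The key alone does nothing; Schannel only reads the Enabled value.
    # -1 stored as a DWORD is 0xffffffff, the value Schannel treats as "enabled"; 0 disables.
    $key = $hklm.CreateSubKey("$schannelPath\Ciphers\$Name")
    $key.SetValue('Enabled', $(if ($Enabled) { [int]-1 } else { 0 }), $dword)
    $key.Close()
}

# Protocols: keep only TLS 1.1 and 1.2. Enable them BEFORE disabling TLS 1.0 so the server
# is never left without a negotiable version.
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false

# Ciphers: RC2 and RC4 off; 3DES stays on only for clients with nothing stronger; AES on.
Set-SchannelCipher -Name 'RC2 128/128'        -Enabled $false
Set-SchannelCipher -Name 'RC4 128/128'        -Enabled $false
Set-SchannelCipher -Name 'Triple DES 168/168' -Enabled $true
Set-SchannelCipher -Name 'AES 128/128'        -Enabled $true
Set-SchannelCipher -Name 'AES 256/256'        -Enabled $true

# Read everything back so the result can be checked before rebooting.
$protocols = $hklm.OpenSubKey("$schannelPath\Protocols")
foreach ($proto in $protocols.GetSubKeyNames()) {
    foreach ($side in 'Client', 'Server') {
        $k = $protocols.OpenSubKey("$proto\$side")
        if ($k) {
            '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $side,
                $k.GetValue('Enabled'), $k.GetValue('DisabledByDefault')
        }
    }
}
$ciphers = $hklm.OpenSubKey("$schannelPath\Ciphers")
foreach ($name in $ciphers.GetSubKeyNames()) {
    $v = $ciphers.OpenSubKey($name).GetValue('Enabled')
    # A DWORD 0xffffffff reads back as Int32 -1; print it as hex so it matches the docs.
    if ($v -ne $null) { '{0,-20} Enabled=0x{1:x8}' -f $name, $v }
}
```

If a line of business client (an old browser, a monitoring agent, an integration calling the REST/SOAP API) stops connecting after the reboot, re-import the backup file or flip the individual protocol back to Enabled=1 rather than re-enabling everything.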
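To confirm from the outside that the reboot actually removed the old versions, the following added example (not from the original article) probes the server with one protocol version at a time using .NET's SslStream. The host name spira.example.com is a placeholder; substitute your own server. Run it from a machine whose own client-side Schannel still allows SSL 3.0 and TLS 1.0, otherwise a "refused" result reflects the probing client rather than the server.

```powershell
# Added example (not from the original article): which TLS/SSL versions does the server
# still accept? The host name is an assumption; replace it with the IIS server under test.

function Test-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$TargetHost,
        [Parameter(Mandatory = $true)][System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($TargetHost, $Port)
        # Accept any certificate: the only question here is whether the handshake completes.
        $trustAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        # Offer exactly one version so a success proves the server negotiates that version.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        return 'accepted ({0}, {1} {2}-bit)' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
    } catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
        # Handshake alert or connection reset: the server did not negotiate this version.
        return 'refused'
    } finally {
        $tcp.Close()
    }
}

# SSL 2.0 is left out: current .NET clients will not offer it, so the result would only
# describe the client. After the hardening above, Ssl3 and Tls should read "refused".
foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
    '{0,-6} {1}' -f $p, (Test-SchannelProtocol -TargetHost 'spira.example.com' -Protocol $p)
}
```

The accepted line also reports the negotiated cipher, which is how you confirm that the RC4 entry took effect: a TLS 1.2 connection that reports Rc4 means the cipher key name was mistyped or the server has not been rebooted yet.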
Article Info
Last Updated: 10/9/2014
Article ID: KB91