Fixing Weak SSL the Easy Way

infosec IIS Crypto is a great free tool produced by Nartac Sotware that allows Windows Server/IIS admins to easily enable/disable weak SSL cryptos and ciphers. This is a PCI requirement, and I’ve seen it show up on many scan using tools designed to probe for compliance. It’s usually a tedious process of adding/changing registry keys, right up to today’s current Windows OSes.

I recently had two fully patched Win Server 2008 R2 servers that were failing PCI scans using the McAffee Secure online service. IIS Crypto made short work out of what would’ve been a longer after hours change. It even has a PCI button that you can just click and it configs the server for compliance. Saved me a ton of work. Microsoft needs to start turning this off by default though and maybe even ask if you want it turned on, just a thought for the guys at Redmond.

In a unique twist, even after verifying the registry keys were correct after running the tool, McAffee still complained about the problem after a post-change scan. Qualy’s SSL Site Analyzer, a nifty and free online tool, actually passed it with flying colors. Another interesting venture of theirs is the HTTP Client Fingerprinting Using SSL Handshake Analysis project, which produced a mod for Apache and some other interesting reads at the bottom of the page, enjoy.

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *