Whether it is Heartbleed, Shellshock, Poodle, or the most recent, Freak, attacks on SSL have exposed the insecurity of the protocol and of weak cipher suites. Because of this it has become crucial to configure servers as securely as possible to provide reliable encryption for data in transit. The goal is to protect data from interception by configuring stronger protocols and cipher suites. The information here provides tools to check your servers, modify configuration settings, and establish more secure transmissions.

Some suggested steps to follow, helpful links, recommendations and screenshots are provided below:

1. Check the status of your servers using free online tools before and after configuration changes:
   a. SSL Labs: free online tool to test your server's certificate, protocols and ciphers.
      i. https://www.ssllabs.com/ssltest/
      ii. Be sure to tick the box "Do not show the results on the boards" before submitting!
   b. Comodo SSL Analyzer: free online tool to test your server's certificate, protocols and ciphers.
      i. https://sslanalyzer.comodoca.com/
2. Consider a pre-built configuration suggestion (SEE SCREENSHOTS BELOW FOR SAMPLES):
   a. Mozilla wiki: lots of in-depth reading, sample configurations and their effect on browser versions.
      i. https://wiki.mozilla.org/Security/Server_Side_TLS
      ii. The Intermediate Compatibility configuration is strongly encouraged by ITS.
         1. TLSv1, TLSv1.1, TLSv1.2; key size 2048; SHA2 certificate; cipher suites listed in order of priority.
      iii. The Modern Compatibility configuration should be considered if you can guarantee that the browser versions it identifies are the ones used by your end-users.
         1. TLSv1.1, TLSv1.2; key size 2048; SHA2 certificate; cipher suites listed in order of priority.
   b. Qualys SSL Labs Best Practices for SSL/TLS Deployment
      i. https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf
3. Modify configurations. Tools that help, illustrate with examples, and can be copied and pasted from:
   a. Mozilla Configuration Generator: a tool to generate a config file quickly.
      i. https://mozilla.github.io/server-side-tls/ssl-config-generator/
   b. IISCrypto: free tool from Nartac to help Windows Server administrators configure quickly.
      i. https://www.nartac.com/Products/IISCrypto/Default.aspx
   c. More from Microsoft on the suggested cipher list and Group Policy usage, via TechNet here:
      i. https://technet.microsoft.com/library/security/MS15-031
      ii. The approved March Windows Updates include this, 3046049.

NOTE: If you are responsible for a large number of servers where checking the status one-by-one is overwhelming, please contact infosec@nau.edu and we can coordinate the running of a multi-host scan.
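Steps 1 to 3 above amount to one procedure: record a server's protocols, key size, certificate signature and cipher list (from the SSL Labs or Comodo report, or from the server's own configuration), compare them with the Intermediate or Modern profile, change the configuration, and check again. The script below is an added example, not part of this document or of Mozilla's or Qualys's tooling; it encodes only what the document states about the two profiles (protocol versions, 2048-bit key, SHA2 certificate, cipher priority order) plus a list of cipher-suite components that are unacceptable, and produces a before/after comparison. The class and function names, and the two sample configurations, are constructed for the example.

```python
"""Audit a TLS server configuration against the Intermediate and Modern
profiles as the document summarises them.  Added example (not the document's
or Mozilla's code); profile contents are limited to what the document states,
and all names below are assumptions."""
import re
from dataclasses import dataclass

# Profile contents as stated in the document: Intermediate = TLSv1, TLSv1.1,
# TLSv1.2; Modern = TLSv1.1, TLSv1.2; both want a 2048-bit key and a SHA2
# certificate signature, with cipher suites honoured in priority order.
PROFILES = {
    "intermediate": {"TLSv1", "TLSv1.1", "TLSv1.2"},
    "modern": {"TLSv1.1", "TLSv1.2"},
}
MIN_KEY_BITS = 2048
SHA2_SIGNATURE = re.compile(r"sha(224|256|384|512)", re.IGNORECASE)

# Cipher-suite name components that mark a suite as unacceptable: export-grade
# suites (the downgrade target of FREAK), RC4, single and triple DES, NULL
# encryption, anonymous key exchange and MD5 MACs.  Matched against whole
# hyphen-separated components of OpenSSL-style suite names.
WEAK_COMPONENTS = {"EXP", "RC4", "DES", "NULL", "ADH", "AECDH", "MD5"}


@dataclass
class TlsConfig:
    protocols: set            # enabled protocol versions, e.g. {"TLSv1.2"}
    ciphers: list             # OpenSSL-style suite names in server preference order
    key_bits: int             # certificate public key size
    signature_alg: str        # certificate signature, e.g. "sha256WithRSAEncryption"
    honor_server_order: bool = True


def is_weak_cipher(name):
    """True if any component of the suite name is on the weak list."""
    return bool(WEAK_COMPONENTS & set(name.upper().split("-")))


def audit(config, profile="intermediate"):
    """Return human-readable findings; an empty list means the configuration
    meets the profile as the document describes it."""
    wanted = PROFILES[profile]
    findings = []
    for proto in sorted(config.protocols):
        if proto.startswith("SSLv"):
            findings.append(f"{proto} enabled: SSLv2/SSLv3 are broken (POODLE), disable it")
        elif proto not in wanted:
            findings.append(f"{proto} enabled but not part of the {profile} profile")
    for proto in sorted(wanted - config.protocols):
        findings.append(f"{proto} disabled but expected by the {profile} profile")
    if config.key_bits < MIN_KEY_BITS:
        findings.append(f"key size {config.key_bits} below {MIN_KEY_BITS} bits")
    if not SHA2_SIGNATURE.search(config.signature_alg):
        findings.append(f"certificate signature {config.signature_alg} is not SHA2")
    for suite in config.ciphers:
        if is_weak_cipher(suite):
            findings.append(f"weak cipher suite enabled: {suite}")
    if not config.honor_server_order:
        findings.append("server cipher order not enforced; the priority list is ineffective")
    return findings


def compare(before, after):
    """Step 1 of the document, check before and after a change: report which
    findings the change resolved and which it introduced."""
    return {
        "resolved": [f for f in before if f not in after],
        "new": [f for f in after if f not in before],
    }


# Constructed sample: a typical pre-hardening server and its hardened state.
BEFORE = TlsConfig(
    protocols={"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "EXP-DES-CBC-SHA"],
    key_bits=1024, signature_alg="sha1WithRSAEncryption", honor_server_order=False)
AFTER = TlsConfig(
    protocols={"TLSv1", "TLSv1.1", "TLSv1.2"},
    ciphers=["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA384", "AES128-GCM-SHA256"],
    key_bits=2048, signature_alg="sha256WithRSAEncryption")

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"== {label} (intermediate profile) ==")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
    delta = compare(audit(BEFORE), audit(AFTER))
    print("resolved:", len(delta["resolved"]), "new:", len(delta["new"]))
    print("modern profile on hardened config:", audit(AFTER, "modern"))
```

Running the hardened configuration against the Modern profile reports only that TLSv1 is still enabled, which is exactly the trade-off the document describes between the two profiles: Modern drops TLSv1 and therefore drops the older browsers that need it.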
Screenshot 1: Microsoft TechNet, SChannel, gpedit