Defensive SSL security in Windows and IIS

In my previous post, I wrote about how SSLMate has made my life easier.

I also mentioned how SSL-based attacks like POODLE and Heartbleed have forced us into using TLS.

Which is all very well, except that Microsoft’s whole premise in their product line is backward compatibility.

This means that a lot of older security protocols are on by default in Internet Information Service, even on Windows Server 2012 R2. As demonstrated by the recent vulnerabilities in the SSL protocol, this is not a good thing.

The recommended solution is to manually disable each of the older protocols using the registry editor.

IIS Crypto

Instead of this risky method, I discovered a free tool called IIS Crypto, by Nartac Software.

And so too, apparently, did @SwiftOnSecurity.

IIS Crypto is a free tool that allows configuring TLS protocols, ciphers, hashes and key exchange algos on WinServer https://www.nartac.com/Products/IISCrypto

This is how it looks:

iiscrypto

My recommended settings

I installed the .NET 4.0 GUI version. You can install the command-line version instead, but given that you’ll only run this application once or twice in the lifetime of the server, and you need to deselect some items, the GUI is easier to navigate.

Once you’ve installed IIS Crypto on your web server, run it and choose the Best Practices option (located under the Templates section).

You will then need to uncheck the Diffie-Hellman Key Exchange, on the top right, like so:

iiscryptodh(Click to enlarge)

Now you can click the Apply button, which will prompt you to restart your server.

In my own experimentation, I just issued an iisreset command to restart IIS, but it’s probably a good idea to restart the server anyway, as this tool makes changes to the Windows Registry.

Warning

According to the Qualys SSL Labs Test (which you can access from IIS Crypto in the URL field at the bottom of the screen), you will get a best score of an A-minus with these settings.

To achieve an A or higher, follow the instructions from the test result.

Coincidentally, because my company has more than one website served on the same IP address (common with virtual hosts), I achieved an A score by enabling SNI (Server Name Indication) on my website’s SSL bindings.

By default, this forces incompatibility with older browsers, who will be served a default SSL/TLS certificate, so keep this in mind.

Summary

I hope that this tool will make your life easier, by keeping only the most secure protocols and cyphers active on IIS.

This is just one aspect of security in depth. You should also look at the rest of the top 10 vulnerabilities, as collated by OWASP, to see how else you can protect your web applications.

SSLMate and IIS – a love story

I am a part-owner in a company based in South Africa. Our headline act, if you will, is a website that customers log into to manage certain aspects of their business.

This website needs to be secure for obvious reasons. The most basic requirement for a secure website is an SSL certificate (Secure Sockets Layer), or more accurately, TLS (Transport Layer Security). This is the padlock in the address bar of your browser, next to the https: the s means secure.

If you feel like exploding your brain, check the Wikipedia article about TLS and SSL.

For a number of reasons, which Troy Hunt is vastly more qualified to explain to you, we have to ensure that only the most recent browsers are supported by our website and its SSL/TLS certificate.

Older software was not designed with security in mind. The early Internet was about sharing information as easily as possible. Only with Microsoft’s security drive in the early 2000s did we start to see software becoming secure by default. Most recently, news about POODLE and Heartbleed means that even SSL isn’t secure anymore. That is why we have to focus on TLS instead.

It is therefore imperative that we at my company inconvenience users of older software in the best interest of keeping our website as secure as we can. Our SLA (Service Level Agreement) states a minimum version for operating system and web browser.

To this end, I will talk about my new favourite SSL/TLS certificate provider, SSLMate. They allow you to order and renew SSL/TLS certificates from the command line. Even better, unlike most other providers, they tell you when an SSL/TLS certificate is about to expire and renew it for you. I cannot even begin to tell you how convenient this is.

Last year I was travelling out of the country when one of my websites’ certificates expired. The issuer did not warn me (their position is that it’s not their responsibility, and I have to take blame). But, as evidenced by Apple, and Microsoft, and Google, we ALL make this mistake.

SSLmate takes the hassle out of remembering. I of course have created a new workflow to remind me a month before each of my certificates expires, but now that they are all managed by SSLmate, I know they have my back as well.

This all sounds great. I open up a command line prompt and type:

computer~$ sslmate buy example.com

That’s it. After an exchange of email to the appropriate approved address and a confirmation link, I can download four files:

  • example.com.chained.crt — Domain and Intermediate Certificate
  • example.com.chain.crt — Intermediate Certificate
  • example.com.crt — Domain Certificate
  • example.com.key — Private Key

Now comes the tricky part. Internet Information Server, or IIS, needs to import a PFX file. PFX stands for Personal Information Exchange Format and is also known as PKCS #12.

None of these files from SSLMate is in the right format. In fact, if you try importing one of the *.crt files, it will vanish from inside IIS. It needs to be signed by the Private Key.

Confused yet?

On my Mac (or on Windows), I need to use OpenSSL to sign the certificate with the private key, to generate a PFX file that I can import into IIS.

computer~$ openssl pkcs12 -export -out iis_cert.pfx -inkey example.com.key -in example.com.crt -certfile example.com.chain.crt

The output will be iis_cert.pfx, which I can then import into IIS and bind to the website I want to secure. In this example, there are two input files because SSLMate uses intermediate certificates in the chain.

Next time, I will tell you about an easy way to make sure IIS is the most secure it can be.

Paris

On Friday I posted an image that I found on Twitter, now quite famous, comprising a hastily sketched peace sign, which also includes a likeness of the Eiffel Tower.

It is an emotive image, capturing in art what is impossible to say in words. As my friend in Cape Town says, I don’t have answers.

Paris crystallised it for me because we were there just two months ago, but my empathy lies deeper than that. Many countries are under siege from terror, most significantly Syria, triggering a refugee crisis the likes of which we have not seen since the Second World War.

In the last few months I have discovered that I share very little in common with people I consider my friends. I feel in the minority because I want to invite discussion, and challenge the notion of xenophobia.

Considering our planet’s rich history of migration, very few people can lay claim to a particular territory.

Everyone is an immigrant.

I posted that peace sign image without any context, except for the date. It is powerful enough to symbolise what happened last week.

I will leave it there as a reminder, not of Paris itself, but what has led up to it, and what will surely follow.

Let’s stop fighting. Ideology cannot be fought with weapons. We need to put down the guns and speak to each other, to understand each other.

I am a capital-P Pacifist. War is stupid. Killing people is stupid. An eye-for-an-eye is stupid, especially if your retaliation is more deadly than that which you are avenging.

We should be talking to each other, not changing our Facebook avatars, blocking our ears, and singing “La la la” until the Others go away.

Let’s talk.

“Government is breaking the internet”

Please take some time to read this column by Ivo Vegter.

The Cybercrime Bill also criminalises investigative journalism and whistleblowing, by making it illegal to so much as receive government data classified as confidential or secret. Possession and transmission of such information will also be illegal. The way the bill defines cyber-terrorism is far too broad. It does not make provision for legitimate protest or advocacy, and includes even acts that cause no terror, but merely disclose commercial information “which could cause undue advantage or disadvantage to any person”. It completely removes the need for government IT systems to be secured, since even if an incompetent administrator left the stable doors wide open, any breach of any system owned by anyone who is even remotely connected to government is covered by the “computer-related terrorism” clause.