
Disable SSLv2 in IIS 6 for PCI Compliance

Anyone working on PCI Compliance will know the restrictions placed on IIS. The recommendations are only common sense but remarkably few companies have implemented them.

SSLv2
SSLv2 has always been full of holes and there is now very little need for it to be enabled on any server. Almost no clients require it, and if it is enabled it is potentially a serious security problem.

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server


Full details on disabling SSLv2 can be found in the following MS knowledge base article:
http://support.microsoft.com/kb/187498

Cryptographic Algorithms
If the PCI compliance scan has picked up SSLv2 then it will almost certainly also have warned about a number of weak algorithms (http://support.microsoft.com/kb/245030).

The following ciphers need to be disabled to ensure that the only cipher algorithms available are 128-bit or stronger:
RC4 64/128
RC4 56/128
RC2 56/128
RC2 56/56
RC4 40/128
RC2 40/128

To disable a cipher:

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

  • Select the key for the cipher you wish to disable

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server


It is also worth considering disabling the MD5 hash, although be very careful that it is definitely not in use!

To disable MD5:

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes

  • Select the MD5 key

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server
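The three Registry Editor procedures above (SSL 2.0 server, the weak ciphers, and optionally MD5) all set the same `Enabled` DWORD to 0. The script below is an added example, not code from the original post: it audits the current state of each key and, when run with `-Apply`, writes the value. It assumes an elevated PowerShell session on the IIS 6 host; the restart step still applies afterwards.

```powershell
# Added example: audit/apply the SCHANNEL registry settings described above.
# The .NET registry API is used rather than New-Item because the PowerShell
# provider treats the '/' in names such as 'RC4 40/128' as a path separator.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$targets = @(
    "$base\Protocols\SSL 2.0\Server",
    "$base\Ciphers\RC4 64/128",
    "$base\Ciphers\RC4 56/128",
    "$base\Ciphers\RC2 56/128",
    "$base\Ciphers\RC2 56/56",
    "$base\Ciphers\RC4 40/128",
    "$base\Ciphers\RC2 40/128"
)
# MD5 is opt-in: only set this to $true once you have confirmed it is not in use.
$disableMd5 = $false
if ($disableMd5) { $targets += "$base\Hashes\MD5" }

function Get-SchannelState {
    param([string]$SubKey)
    # A missing key or missing Enabled value means SCHANNEL uses its default (enabled).
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($key -eq $null) { return 'no key (default: enabled)' }
    $v = $key.GetValue('Enabled', $null)
    $key.Close()
    if ($v -eq $null) { return 'no Enabled value (default: enabled)' }
    if ($v -eq 0) { return 'disabled' }
    return ('enabled (Enabled=0x{0:x})' -f $v)
}

function Disable-SchannelItem {
    param([string]$SubKey)
    # CreateSubKey opens the key writable, creating it if it does not exist yet.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Audit only by default; pass -Apply to write Enabled=0 to every target key.
$apply = $args -contains '-Apply'
foreach ($t in $targets) {
    if ($apply) { Disable-SchannelItem $t }
    '{0,-78} {1}' -f "HKLM\$t", (Get-SchannelState $t)
}
if ($apply) { 'Values written; restart the server for SCHANNEL to pick them up.' }
```

Run it once without `-Apply` to record the starting state for the compliance evidence, then again with `-Apply` and after the restart to confirm every entry reads `disabled`.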
