IT Security: Securing Web Server Communications

These days we are familiar with the https:// prefix for secure web pages, together with the associated padlock shown in most web browsers. However, the technology behind this security allows different protocol versions to be negotiated, along with a selection of ciphers that actually encrypt the transmitted data. Over the years these have been tested extensively, and as processor power has kept increasing, vulnerabilities have been found.

This article discusses some methods for hardening web servers against common attacks (such as BEAST) and disabling older and less secure protocols.

Web servers commonly run some sort of scripted application that stores its information in a database. Additional measures must be taken to ensure that the connection between the web server and the database server is secure, and that the stored data is encrypted as well.

Qualys provide a very useful tool for scanning your web server and reporting on the progress of your hardening attempts. This can be found on their SSL Server Test page.

Below are the configuration changes needed for some of the most commonly encountered web servers.

The Apache HTTP Server with its OpenSSL module is one of the most commonly used platforms to serve secure web pages. The changes required can be made by simply editing the SSL configuration file for the OpenSSL module.

For systems running versions prior to OpenSSL 1.0.1, only TLS 1.0 is supported and the range of protocol negotiations is more limited. If possible, upgrade to a newer version of OpenSSL (such as in Ubuntu 12.04 LTS). Otherwise, make the following changes in /etc/apache2/mods-enabled/ssl.conf:

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH

For systems running OpenSSL 1.0.1 or greater, TLS 1.1 and 1.2 can be used to provide better protection. Make the following changes in /etc/apache2/mods-enabled/ssl.conf:

SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

Once you have edited the file, restart Apache and test using the tools above.
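Before restarting, it is worth seeing what the two SSLCipherSuite strings above actually expand to on your OpenSSL build, in the order the server will prefer them once SSLHonorCipherOrder is On. The following Python script is an added example, not part of the article; it uses the standard ssl module against the locally installed OpenSSL, so the exact list it prints depends on that build (for instance, RC4 may be absent entirely on current releases).

```python
import ssl

# Cipher strings taken from the Apache configuration in this article.
LEGACY_SUITE = "RC4-SHA:HIGH:!ADH"
MODERN_SUITE = "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"


def expand_cipher_suite(suite):
    """Return, in server-preference order, the TLS 1.2-and-earlier ciphers the
    local OpenSSL enables for an OpenSSL cipher-list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(suite)  # raises ssl.SSLError only if nothing at all matches
    # TLS 1.3 suites are always reported and are not governed by this string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def anonymous_ciphers(names):
    """Ciphers with no server authentication. "!ADH" removes only the anonymous
    DH family (ADH-*); anonymous ECDH (AECDH-*) is only removed by "!aNULL"."""
    return [n for n in names if n.startswith(("ADH-", "AECDH-"))]


def null_or_md5_ciphers(names):
    """Ciphers that do not encrypt at all, or that use an MD5 MAC."""
    return [n for n in names if "NULL" in n or n.endswith("-MD5")]


def audit(suite):
    """Summarise what a cipher string really gives you on this OpenSSL build."""
    names = expand_cipher_suite(suite)
    return {
        "preferred": names[0],  # chosen by the server with SSLHonorCipherOrder On
        "count": len(names),
        "rc4_present": any("RC4" in n for n in names),  # False on builds without RC4
        "anonymous": anonymous_ciphers(names),
        "null_or_md5": null_or_md5_ciphers(names),
    }


if __name__ == "__main__":
    for label, suite in (("legacy", LEGACY_SUITE), ("modern", MODERN_SUITE)):
        print(label, audit(suite))
```

The same expansion can be obtained on the command line with `openssl ciphers -v '<string>'`, which is the quickest way to compare the server's list against what the Qualys scan reports.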

When running on the Microsoft Windows Server platform, Internet Information Server (IIS) is commonly used. The required changes can be made by downloading the Registry Editor file below:

IISDisableWeakCiphers.reg
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Once downloaded, double-click the file and select Yes to import the changes into the registry. You must now restart the IIS processes by issuing the following command in a Command Prompt:

iisreset /restart /noforce

Once restarted, test using the tools above.