IT Security: Securing Web Server Communications
These days we are familiar with the https:// prefix for secure web pages, together with the padlock shown in most web browsers. The technology behind that padlock is not a single thing, however: client and server first negotiate a protocol version (SSL 2.0, SSL 3.0, TLS 1.0, 1.1 or 1.2) and then a cipher suite, which determines how the transmitted data is actually encrypted and authenticated. Over the years both the protocols and the ciphers have been analysed extensively and, helped by ever-cheaper computing power, weaknesses have been found in several of them.
This article discusses some methods for hardening web servers against common attacks (such as BEAST, which targets CBC-mode cipher suites under TLS 1.0 and earlier) and for disabling older, less secure protocols and ciphers.
Analysis Tools
Qualys provides a free online scanner, the SSL Server Test (https://www.ssllabs.com/ssltest/), which connects to your server from the Internet, enumerates the protocols and cipher suites it accepts, checks for known weaknesses and grades the result. Rerun it after each change to confirm the hardening had the intended effect. For servers that are not reachable from the Internet, the same negotiation can be exercised locally with openssl s_client against the server's port.
Configuration
Below are the configuration changes needed for some of the most commonly encountered web servers.
Apache and OpenSSL
The Apache HTTP Server with the mod_ssl module, which is built on OpenSSL, is one of the most commonly used platforms for serving secure web pages. The changes required can be made by simply editing the mod_ssl configuration file.
For systems running versions prior to OpenSSL 1.0.1, TLS 1.0 is the newest protocol available and the range of cipher suites the server can negotiate is more limited. If possible, upgrade to a newer version of OpenSSL (Ubuntu 12.04 LTS, for example, ships 1.0.1). Otherwise, make the following changes in /etc/apache2/mods-enabled/ssl.conf:
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
SSLHonorCipherOrder On makes the server's preference order win over the client's, so the first suite both sides support is RC4-SHA; the rest of the list allows the HIGH-strength suites and removes the anonymous (unauthenticated) Diffie-Hellman ones. Preferring RC4 was the standard BEAST mitigation, because RC4 is a stream cipher and BEAST only affects CBC-mode suites under TLS 1.0. Be aware, though, that RC4 has since been shown to have exploitable keystream biases and RFC 7465 prohibits its use in TLS, so on any current system the right fix is to disable TLS 1.0 rather than to prefer RC4.
For systems running OpenSSL 1.0.1 or later, TLS 1.1 and 1.2 can be used to provide better protection (TLS 1.1 introduced explicit per-record IVs, which closes the BEAST weakness, and TLS 1.2 adds AEAD suites such as AES-GCM). Make the following changes in /etc/apache2/mods-enabled/ssl.conf:
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
This order prefers an ECDHE suite (forward secrecy) for TLS 1.2 clients, then AES-GCM, and falls back to RC4 and the remaining HIGH-strength suites for older clients, while excluding MD5-based suites, anonymous suites and the DHE (EDH) suites. Note that the cipher list only controls suite selection: which protocol versions are offered is set separately by the SSLProtocol directive, and SSL 2.0 should never be enabled. The same caveat about RC4 applies here; current guidance is to drop RC4 entirely rather than keep it as a fallback.
Once you have edited the file, restart Apache so the new configuration is loaded, then re-test using the tools above.
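A cipher string such as the two above is only a recipe; what it actually enables depends on the OpenSSL build that reads it. The following script, added here and not part of the original article, expands each list through Python's ssl module (which defers to the locally installed OpenSSL) and flags every resulting suite a current audit would reject. The third, "modern" list and the classification rules in weaknesses() are my own assumptions about a present-day baseline, not anything from the article.

```python
"""Expand OpenSSL cipher-list strings (the format Apache's SSLCipherSuite
takes) and flag suites a current audit would reject.  Added example; uses
only the standard library's ssl module, so the exact suites listed depend on
the OpenSSL build Python is linked against."""
import ssl

# The two lists from the article, plus an assumed modern list that keeps only
# forward-secret AEAD suites (this third list is my assumption, not the page's).
CIPHER_LISTS = {
    "pre-1.0.1": "RC4-SHA:HIGH:!ADH",
    "1.0.1+": "ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH",
    "modern (assumed)": "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4",
}


def expand(cipher_list):
    """Return the TLS 1.2-and-below suite names OpenSSL selects for a list.

    TLS 1.3 suites are always present regardless of set_ciphers(), so they are
    filtered out to show only what the string controls.  set_ciphers() raises
    ssl.SSLError if the string matches no cipher at all; unknown names inside
    an otherwise valid list are silently ignored, just as Apache's OpenSSL does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weaknesses(name):
    """Classify one suite name by the properties an audit cares about.

    Returns an empty list for a suite with forward secrecy, an AEAD mode and
    no RC4, MD5 or (3)DES; otherwise a list of human-readable problems."""
    problems = []
    if "RC4" in name:
        problems.append("RC4 (prohibited by RFC 7465)")
    if name.endswith("-MD5"):
        problems.append("MD5 MAC")
    if "DES" in name:                      # DES-CBC3 and single DES, not AES
        problems.append("DES/3DES (64-bit block, Sweet32 class)")
    if not name.startswith(("ECDHE", "DHE")):
        problems.append("no forward secrecy")
    aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
    if not aead and "RC4" not in name:     # RC4 is a stream cipher, not CBC
        problems.append("CBC mode (BEAST class on TLS 1.0)")
    return problems


def audit(cipher_list):
    """Map each suite the list selects to its problems (empty list = clean)."""
    return {name: weaknesses(name) for name in expand(cipher_list)}


if __name__ == "__main__":
    for label, cipher_list in CIPHER_LISTS.items():
        report = audit(cipher_list)
        flagged = {n: p for n, p in report.items() if p}
        print(f"{label}: {cipher_list}")
        print(f"  {len(report)} suites selected, {len(flagged)} flagged")
        for name, problems in flagged.items():
            print(f"    {name}: {', '.join(problems)}")
```

Run it on the machine that will serve the site, since that is the OpenSSL whose interpretation of the string matters. On a current build the first two lists still select RSA-key-exchange and CBC suites (and RC4 where the build still ships it), while the assumed modern list comes back clean.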
Microsoft Internet Information Services
On the Microsoft Windows Server platform the web server is usually Internet Information Services (IIS). IIS does not configure SSL/TLS itself: protocol and cipher selection is done by the Schannel security provider and is controlled through the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, where setting a subkey's Enabled value to 0 switches that cipher or protocol off. The required changes can be made by downloading the Registry Editor file below:
- IISDisableWeakCiphers.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Note what this file does and does not cover: it disables DES, the NULL cipher, the 40-, 56- and 64-bit RC2 and RC4 variants, PCT 1.0 and SSL 2.0 on the server side, but it leaves RC4 128/128 and SSL 3.0 enabled. Both have since been broken (RC4 by its keystream biases, SSL 3.0 by the POODLE attack) and on a current server should be disabled the same way, with their own Enabled=0 entries.
Once downloaded, double-click the file and select Yes to import the changes into the registry. Then restart the IIS processes by issuing the following command in an elevated Command Prompt:
iisreset /restart /noforce
Schannel is loaded by the operating system rather than by IIS, so protocol changes in particular may not take effect until the server itself is rebooted; if the scanner still reports a protocol you have disabled, reboot before investigating further. Once restarted, re-test using the tools above.
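Before importing a .reg file like the one above it is worth checking exactly which Schannel subkeys it touches and which a current baseline would still expect to see disabled. The script below, added here and not part of the original article, parses the file offline (it writes nothing to any registry) and reports both. The file contents are reproduced inline from the page so the script runs anywhere; the baseline in EXPECTED_DISABLED is my own assumption of a present-day server-side hardening list, not something the article states.

```python
"""Audit a Windows .reg file of Schannel settings: list the subkeys it
disables and those a current baseline would still expect disabled.  Added
example, not part of the original article; nothing here touches a registry."""
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# The article's IISDisableWeakCiphers.reg, reproduced inline so this runs offline.
REG_FILE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"""

# Assumed current server-side baseline (my assumption, not the article's):
# every one of these Schannel subkeys should carry "Enabled"=dword:00000000.
EXPECTED_DISABLED = {
    "Ciphers\\NULL", "Ciphers\\DES 56/56", "Ciphers\\Triple DES 168",
    "Ciphers\\RC2 40/128", "Ciphers\\RC2 56/128", "Ciphers\\RC2 128/128",
    "Ciphers\\RC4 40/128", "Ciphers\\RC4 56/128", "Ciphers\\RC4 64/128",
    "Ciphers\\RC4 128/128",
    "Protocols\\PCT 1.0\\Server", "Protocols\\SSL 2.0\\Server",
    "Protocols\\SSL 3.0\\Server", "Protocols\\TLS 1.0\\Server",
    "Protocols\\TLS 1.1\\Server",
}

KEY_RE = re.compile(r"\[(.+)\]")          # [key path] header line
VALUE_RE = re.compile(r'"([^"]+)"=(.+)')  # "name"=value line


def parse_reg(text):
    """Return {subkey under SCHANNEL: {value name: raw value}}.

    A .reg file is a sequence of [key path] headers, each followed by the
    "name"=value lines for that key; keys outside SCHANNEL are ignored."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            path = m.group(1)
            if path.startswith(SCHANNEL + "\\"):
                current = path[len(SCHANNEL) + 1:]
                entries.setdefault(current, {})
            else:
                current = None
            continue
        m = VALUE_RE.fullmatch(line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def disabled_keys(entries):
    """Subkeys the file explicitly switches off (Enabled set to 0)."""
    return {k for k, v in entries.items() if v.get("Enabled") == "dword:00000000"}


def audit(text):
    """Compare what the file disables against the assumed baseline."""
    disabled = disabled_keys(parse_reg(text))
    return {
        "disabled_by_file": sorted(disabled),
        "not_in_baseline": sorted(disabled - EXPECTED_DISABLED),
        "not_disabled_by_file": sorted(EXPECTED_DISABLED - disabled),
    }


if __name__ == "__main__":
    for label, keys in audit(REG_FILE).items():
        print(f"{label}:")
        for key in keys:
            print(f"  {key}")
```

For the article's file the "not_disabled_by_file" list is RC2 128/128, RC4 128/128, Triple DES 168, SSL 3.0, TLS 1.0 and TLS 1.1, which is exactly the gap between this file and a current baseline; point the script at your own .reg file (read it in and pass the text to audit()) to see where yours stands.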