SlideShare uma empresa Scribd logo

Windows HardenSSL - Tweak SSL and TLS Settings

Thierry Zoller
Thierry Zoller

Tool to set and harden windows SSL/TLS Settings

Aperfeiçoamento pessoalTecnologiaEducação
1 de 8
Baixar para ler offline
Harden SSL/TLS v1.01 Windows hardening tool Thierry ZOLLER http://blog.zoller.lu http://www.g-sec.lu G-SEC™ is a non-commercial and independent group of Information Security Specialists based in Luxembourg. Our work has been featured in New York Times, eWeek, ct', SAT1, Washington Post and at conferences ranging from Hack.lu to Cansecwest.
Harden SSL/TLS 2013 2 Table of Contents Table of Contents .............................................................................................................................1 Introduction......................................................................................................................................3 Usage................................................................................................................................................4 Protocols.................................................................................................................................................... 5 Hashes ....................................................................................................................................................... 5 Key exchange............................................................................................................................................. 5 Cipher list................................................................................................................................................... 5 Advanced Mode ...............................................................................................................................6 Known limitations ............................................................................................................................8 Change log........................................................................................................................................8 Download .........................................................................................................................................8 Limitation of Liability........................................................................................................................8
Harden SSL/TLS 2013 3 Introduction “Harden SSL/TLS” allows to configure and harden the SSL/TLS settings of Windows XP to Windows 8 and from Windows 2003 to Windows Server 2012. Harden TLS allows to remotely set SSL policies allowing or denying certain ciphers/hashes or complete cipher suites. The foundation of this tool was the investigation and reverse engineering of the ciphers provided by the various SCHANNEL versions by G-SEC and presented in the paper “SSL/TLS Compatibility Report 2011”. This tool specific allows setting policies with regards to what ciphers and protocols are available to applications that use SCHANNEL crypto interface. A lot of windows applications do use this interface, for instance Google Chrome as well as Apple Safari are a few of these. By changing the settings you can indirectly control what ciphers these applications are allowed to use. This tool works on all and every application that uses SCHANNEL whether they are client or server applications - as example: IIS, SQL Server, Internet Explorer, Safari and a lot of others.
Usage  Options : Allows to enter the name of a remote Machine  Mode : Allows to choose from Normal or Advance mode – The advanced mode is documented in the section “Advanced Mode”  Export : Export/Backup all affected registry keys  PCI-DSS : Adjust the settings as to comply with PCI-DSS  Scan : Scans the host entered in “Settings – Remote host” Cipher suites Key exchange Protocols Hashes
Protocols The protocol table shows the Protocols enabled or disabled on a Server/Client logic, to enable a protocol simply double click on the item you want enabled. Note: For Vista and up “Harden SSL/TLS” also automatically configures Windows Internet Settings with the correct settings. Note: Windows 7 and Windows 2008R2 come with TLS1.2 disabled by default, to enable it for IIS 7.5 just double click on the appropriate TLS 1.2 entry. Hashes List currently available hashes Key exchange List the currently available key exchange algorithms Cipher list The display and function of this list changes depending on the OS version.  Windows 2000, XP, Server 2003 The list allows you to enable/disable ciphers; if you disable an cipher it will not be available to the applications even if they request it.  Windows Vista/7/8, Server 2008/R2, Server 2012 The list allows you to enable/disabled and prioritizes cipher suites. The first item displayed is the preferred cipher for an SCHANNEL client or server, you can change this cipher to (as example AES 256) by pushing the UP and DOWN buttons, Harden SSL/TLS will keep a state map of which ciphers are, enabled, disabled and the their past and present order.
Harden SSL/TLS 2013 6 Advanced Mode The advanced mode allows access to more advanced settings  P521 mode Microsoft removed default ECC P521 support after Vista and Server 2008, this options allows to re-enable and re-introduce ECC P521 mode for Windows7, Windows 8 and Windows Server 2012  Modulus 1 support (You probably do not want to enable this setting) When a Web server uses a certificate with an RSA public key exponent of 1, the private key exponent is also set to 1. If these conditions are present, the connection has no encryption security. Enabling this will configure your client/server to allow a connection to a Web server that uses a certificate with an RSA public key exponent of 1.  TLS/SSL Cache time out One reason for changing the default value for the SSL session cache is to force the client to authenticate more often. More frequent caching is sometimes useful, for example, if you want to reduce the computational effort (performance) or if you know that the client is using a smart card and you want the Web page to be accessible only when the user inserts the smart card in the reader. Before changing the SSL cache time-out interval, make sure that HTTP Keep-Alives are enabled (HTTP Keep-Alives are enabled by default). No secure session caching 0 (turns off session caching) 2 minutes (Windows NT 4) 120000 5 minutes (Windows 2000 ) 300000 10 hours (2000 SP2, XP, 2003,2008, 2008R2) 36000000
Harden SSL/TLS 2013 7  TLS/SSL Cache size IIS maintains objects in memory to track each incoming Web connection. After five minutes of idle time, these objects are destroyed to reclaim resources. During this process, IIS purges the SSL/TLS session ID that the operating system caches from the session ID cache table. IIS also purges all the connection information that is negotiated between the client and the server. When a client tries to resume an SSL/TLS session by using the previous session ID, the server cannot locate the connection information in the cache. Therefore, the client must renegotiate the connection. Additionally, the client must obtain a new session ID. Increasing the cache size may reduce the cpu load but increases memory usage, each session cache element typically requires 2-4k bytes of memory Default 10.000 entries
Harden SSL/TLS 2013 8 Known limitations  Initializes and sets the SCHANNEL settings to OS defaults at first startup Change log 2011  Fixed Protocol initialization on Vista/Seven/2008/2008R2 (Reported by Adrian F. Dimcev)  Fixed TLS 1.1 displayed on Vista/2008 (Reported by Adrian F. Dimcev) 2013  Added Windows 8 support  Added Windows Server 2012 support  Resolved an issue around P521 additions Download Harden SSL/TLS can be found under http://www.g-sec.lu/products.html http://blog.zoller.lu Limitation of Liability In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts), shall Thierry Zoller or G-SEC .ltd be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses),even if such Contributor has been advised of the possibility of such damages.

Recomendados

SSL Audit - The SSL / TLS Scanner
SSL Audit - The SSL / TLS ScannerSSL Audit - The SSL / TLS Scanner
SSL Audit - The SSL / TLS ScannerThierry Zoller
 
BLtouch marlin configuration
BLtouch marlin configurationBLtouch marlin configuration
BLtouch marlin configurationThierry Zoller
 
Neo coolcam - smart-plug user guide v2 - Zwave
Neo coolcam - smart-plug user guide v2 - ZwaveNeo coolcam - smart-plug user guide v2 - Zwave
Neo coolcam - smart-plug user guide v2 - ZwaveThierry Zoller
 
Cansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthCansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthThierry Zoller
 
Heise Security - Scheunentor Bluetooth
Heise Security - Scheunentor BluetoothHeise Security - Scheunentor Bluetooth
Heise Security - Scheunentor BluetoothThierry Zoller
 
23c3 Bluetooth hacking revisited
23c3 Bluetooth hacking revisited23c3 Bluetooth hacking revisited
23c3 Bluetooth hacking revisitedThierry Zoller
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usThierry Zoller
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsThierry Zoller
 

Recomendados

SSL Audit - The SSL / TLS Scanner
SSL Audit - The SSL / TLS ScannerSSL Audit - The SSL / TLS Scanner
SSL Audit - The SSL / TLS ScannerThierry Zoller
 
BLtouch marlin configuration
BLtouch marlin configurationBLtouch marlin configuration
BLtouch marlin configurationThierry Zoller
 
Neo coolcam - smart-plug user guide v2 - Zwave
Neo coolcam - smart-plug user guide v2 - ZwaveNeo coolcam - smart-plug user guide v2 - Zwave
Neo coolcam - smart-plug user guide v2 - ZwaveThierry Zoller
 
Cansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthCansecwest - The Death of AV defence in depth
Cansecwest - The Death of AV defence in depthThierry Zoller
 
Heise Security - Scheunentor Bluetooth
Heise Security - Scheunentor BluetoothHeise Security - Scheunentor Bluetooth
Heise Security - Scheunentor BluetoothThierry Zoller
 
23c3 Bluetooth hacking revisited
23c3 Bluetooth hacking revisited23c3 Bluetooth hacking revisited
23c3 Bluetooth hacking revisitedThierry Zoller
 
Hack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usHack.lu 2006 - All your Bluetooth is belong to us
Hack.lu 2006 - All your Bluetooth is belong to usThierry Zoller
 
Managing Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsManaging Application Security Risk in Enterprises - Thoughts and recommendations
Managing Application Security Risk in Enterprises - Thoughts and recommendationsThierry Zoller
 
南新罕布什尔大学毕业证学位证成绩单-学历认证
南新罕布什尔大学毕业证学位证成绩单-学历认证南新罕布什尔大学毕业证学位证成绩单-学历认证
南新罕布什尔大学毕业证学位证成绩单-学历认证kbdhl05e
 
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...Authentic No 1 Amil Baba In Pakistan
 
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilable
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 AvilableCall Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilable
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilabledollysharma2066
 
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In Delhi
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In DelhiCall Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In Delhi
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In DelhiSoniyaSingh
 
E J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxE J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxJackieSparrow3
 
Inspiring Through Words Power of Inspiration.pptx
Inspiring Through Words Power of Inspiration.pptxInspiring Through Words Power of Inspiration.pptx
Inspiring Through Words Power of Inspiration.pptxShubham Rawat
 
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
西伦敦大学毕业证学位证成绩单-怎么样做
西伦敦大学毕业证学位证成绩单-怎么样做西伦敦大学毕业证学位证成绩单-怎么样做
西伦敦大学毕业证学位证成绩单-怎么样做j5bzwet6
 
办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭o8wvnojp
 
(南达科他州立大学毕业证学位证成绩单-永久存档)
(南达科他州立大学毕业证学位证成绩单-永久存档)(南达科他州立大学毕业证学位证成绩单-永久存档)
(南达科他州立大学毕业证学位证成绩单-永久存档)oannq
 
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ EscortsDelhi Escorts Service
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture CodeSkeleton Technologies
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 

Mais conteúdo relacionado

Último

南新罕布什尔大学毕业证学位证成绩单-学历认证
南新罕布什尔大学毕业证学位证成绩单-学历认证南新罕布什尔大学毕业证学位证成绩单-学历认证
南新罕布什尔大学毕业证学位证成绩单-学历认证kbdhl05e
 
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...Authentic No 1 Amil Baba In Pakistan
 
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilable
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 AvilableCall Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilable
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilabledollysharma2066
 
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In Delhi
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In DelhiCall Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In Delhi
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In DelhiSoniyaSingh
 
E J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxE J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxJackieSparrow3
 
Inspiring Through Words Power of Inspiration.pptx
Inspiring Through Words Power of Inspiration.pptxInspiring Through Words Power of Inspiration.pptx
Inspiring Through Words Power of Inspiration.pptxShubham Rawat
 
西伦敦大学毕业证学位证成绩单-怎么样做
西伦敦大学毕业证学位证成绩单-怎么样做西伦敦大学毕业证学位证成绩单-怎么样做
西伦敦大学毕业证学位证成绩单-怎么样做j5bzwet6
 
办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭o8wvnojp
 
(南达科他州立大学毕业证学位证成绩单-永久存档)
(南达科他州立大学毕业证学位证成绩单-永久存档)(南达科他州立大学毕业证学位证成绩单-永久存档)
(南达科他州立大学毕业证学位证成绩单-永久存档)oannq
 
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ EscortsDelhi Escorts Service
 

Último (12)

南新罕布什尔大学毕业证学位证成绩单-学历认证
南新罕布什尔大学毕业证学位证成绩单-学历认证南新罕布什尔大学毕业证学位证成绩单-学历认证
南新罕布什尔大学毕业证学位证成绩单-学历认证
 
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Govindpuri Delhi 💯Call Us 🔝8264348440🔝
 
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
Authentic No 1 Amil Baba In Pakistan Amil Baba In Faisalabad Amil Baba In Kar...
 
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilable
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 AvilableCall Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilable
Call Girls In Karkardooma 83770 87607 Just-Dial Escorts Service 24X7 Avilable
 
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In Delhi
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In DelhiCall Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In Delhi
Call Girls In Dwarka Sub City ☎️7838079806 ✅ 💯Call Girls In Delhi
 
E J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptxE J Waggoner against Kellogg's Pantheism 8.pptx
E J Waggoner against Kellogg's Pantheism 8.pptx
 
Inspiring Through Words Power of Inspiration.pptx
Inspiring Through Words Power of Inspiration.pptxInspiring Through Words Power of Inspiration.pptx
Inspiring Through Words Power of Inspiration.pptx
 
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Lado Sarai Delhi reach out to us at 🔝9953056974🔝
 
西伦敦大学毕业证学位证成绩单-怎么样做
西伦敦大学毕业证学位证成绩单-怎么样做西伦敦大学毕业证学位证成绩单-怎么样做
西伦敦大学毕业证学位证成绩单-怎么样做
 
办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭办理西悉尼大学毕业证成绩单、制作假文凭
办理西悉尼大学毕业证成绩单、制作假文凭
 
(南达科他州立大学毕业证学位证成绩单-永久存档)
(南达科他州立大学毕业证学位证成绩单-永久存档)(南达科他州立大学毕业证学位证成绩单-永久存档)
(南达科他州立大学毕业证学位证成绩单-永久存档)
 
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
(No.1)↠Young Call Girls in Sikanderpur (Gurgaon) ꧁❤ 9711911712 ❤꧂ Escorts
 

Destaque

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by HubspotMarius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTExpeed Software
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsPixeldarts
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthThinkNow
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destaque (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Windows HardenSSL - Tweak SSL and TLS Settings

  • 1. Harden SSL/TLS v1.01 Windows hardening tool Thierry ZOLLER http://blog.zoller.lu http://www.g-sec.lu G-SEC™ is a non-commercial and independent group of Information Security Specialists based in Luxembourg. Our work has been featured in New York Times, eWeek, ct', SAT1, Washington Post and at conferences ranging from Hack.lu to Cansecwest.
  • 2. Harden SSL/TLS 2013 2 Table of Contents Table of Contents .............................................................................................................................1 Introduction......................................................................................................................................3 Usage................................................................................................................................................4 Protocols.................................................................................................................................................... 5 Hashes ....................................................................................................................................................... 5 Key exchange............................................................................................................................................. 5 Cipher list................................................................................................................................................... 5 Advanced Mode ...............................................................................................................................6 Known limitations ............................................................................................................................8 Change log........................................................................................................................................8 Download .........................................................................................................................................8 Limitation of Liability........................................................................................................................8
  • 3. Harden SSL/TLS 2013 3 Introduction “Harden SSL/TLS” allows to configure and harden the SSL/TLS settings of Windows XP to Windows 8 and from Windows 2003 to Windows Server 2012. Harden TLS allows to remotely set SSL policies allowing or denying certain ciphers/hashes or complete cipher suites. The foundation of this tool was the investigation and reverse engineering of the ciphers provided by the various SCHANNEL versions by G-SEC and presented in the paper “SSL/TLS Compatibility Report 2011”. This tool specific allows setting policies with regards to what ciphers and protocols are available to applications that use SCHANNEL crypto interface. A lot of windows applications do use this interface, for instance Google Chrome as well as Apple Safari are a few of these. By changing the settings you can indirectly control what ciphers these applications are allowed to use. This tool works on all and every application that uses SCHANNEL whether they are client or server applications - as example: IIS, SQL Server, Internet Explorer, Safari and a lot of others.
  • 4. Usage  Options : Allows to enter the name of a remote Machine  Mode : Allows to choose from Normal or Advance mode – The advanced mode is documented in the section “Advanced Mode”  Export : Export/Backup all affected registry keys  PCI-DSS : Adjust the settings as to comply with PCI-DSS  Scan : Scans the host entered in “Settings – Remote host” Cipher suites Key exchange Protocols Hashes
  • 5. Protocols The protocol table shows the Protocols enabled or disabled on a Server/Client logic, to enable a protocol simply double click on the item you want enabled. Note: For Vista and up “Harden SSL/TLS” also automatically configures Windows Internet Settings with the correct settings. Note: Windows 7 and Windows 2008R2 come with TLS1.2 disabled by default, to enable it for IIS 7.5 just double click on the appropriate TLS 1.2 entry. Hashes List currently available hashes Key exchange List the currently available key exchange algorithms Cipher list The display and function of this list changes depending on the OS version.  Windows 2000, XP, Server 2003 The list allows you to enable/disable ciphers; if you disable an cipher it will not be available to the applications even if they request it.  Windows Vista/7/8, Server 2008/R2, Server 2012 The list allows you to enable/disabled and prioritizes cipher suites. The first item displayed is the preferred cipher for an SCHANNEL client or server, you can change this cipher to (as example AES 256) by pushing the UP and DOWN buttons, Harden SSL/TLS will keep a state map of which ciphers are, enabled, disabled and the their past and present order.
  • 6. Harden SSL/TLS 2013 6 Advanced Mode The advanced mode allows access to more advanced settings  P521 mode Microsoft removed default ECC P521 support after Vista and Server 2008, this options allows to re-enable and re-introduce ECC P521 mode for Windows7, Windows 8 and Windows Server 2012  Modulus 1 support (You probably do not want to enable this setting) When a Web server uses a certificate with an RSA public key exponent of 1, the private key exponent is also set to 1. If these conditions are present, the connection has no encryption security. Enabling this will configure your client/server to allow a connection to a Web server that uses a certificate with an RSA public key exponent of 1.  TLS/SSL Cache time out One reason for changing the default value for the SSL session cache is to force the client to authenticate more often. More frequent caching is sometimes useful, for example, if you want to reduce the computational effort (performance) or if you know that the client is using a smart card and you want the Web page to be accessible only when the user inserts the smart card in the reader. Before changing the SSL cache time-out interval, make sure that HTTP Keep-Alives are enabled (HTTP Keep-Alives are enabled by default). No secure session caching 0 (turns off session caching) 2 minutes (Windows NT 4) 120000 5 minutes (Windows 2000 ) 300000 10 hours (2000 SP2, XP, 2003,2008, 2008R2) 36000000
  • 7. Harden SSL/TLS 2013 7  TLS/SSL Cache size IIS maintains objects in memory to track each incoming Web connection. After five minutes of idle time, these objects are destroyed to reclaim resources. During this process, IIS purges the SSL/TLS session ID that the operating system caches from the session ID cache table. IIS also purges all the connection information that is negotiated between the client and the server. When a client tries to resume an SSL/TLS session by using the previous session ID, the server cannot locate the connection information in the cache. Therefore, the client must renegotiate the connection. Additionally, the client must obtain a new session ID. Increasing the cache size may reduce the cpu load but increases memory usage, each session cache element typically requires 2-4k bytes of memory Default 10.000 entries
  • 8. Harden SSL/TLS 2013 8 Known limitations  Initializes and sets the SCHANNEL settings to OS defaults at first startup Change log 2011  Fixed Protocol initialization on Vista/Seven/2008/2008R2 (Reported by Adrian F. Dimcev)  Fixed TLS 1.1 displayed on Vista/2008 (Reported by Adrian F. Dimcev) 2013  Added Windows 8 support  Added Windows Server 2012 support  Resolved an issue around P521 additions Download Harden SSL/TLS can be found under http://www.g-sec.lu/products.html http://blog.zoller.lu Limitation of Liability In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts), shall Thierry Zoller or G-SEC .ltd be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses),even if such Contributor has been advised of the possibility of such damages.