Website security

It seems strange to me that web servers don’t offer the highest levels of security they can by default, only stepping down to lower levels of security if the connecting client doesn’t support it.

Obviously if the server is running on an older platform, such as Windows Server 2003, it may not support newer security standards by default, but in a lot of cases patches have been released to add support for the newer standards. So, what do you do if you're running a Server 2003 platform which is hosting websites that you can't move for some reason, but which you still want to be able to connect to securely?

Well…

  1. Firstly, visit Microsoft and install this Hotfix on your Server 2003 server: http://support.microsoft.com/kb/948963
  2. Click Start > Run
  3. Type regedit and click OK
  4. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
  5. In the AES 128/128 sub-key create a new DWORD called Enabled and set its value to 0
  6. Reboot the server

This will disable AES128 and cause your 2003 server to use AES256 by default instead, providing increased security to connecting clients.

[Screenshot: 2k3-regedit]

So what about if you want to use a higher level of SSL/TLS, given that v1.0 of these protocols has been compromised, and so could potentially release secure information to a hacker?

  1. Click Start > Run
  2. Type regedit and click OK
  3. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  4. Add the keys TLS 1.1 and TLS 1.2
  5. Within these two keys, add the keys Client and Server
  6. Within each of the four newly created keys, create the following DWORD values:
    1. DisabledByDefault – 0
    2. Enabled – 1
  7. Reboot the server
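The two registry procedures above (disabling the AES 128/128 cipher, then adding the TLS 1.1 and TLS 1.2 protocol keys) can be scripted instead of typed into regedit. The following PowerShell is an added example and not part of the original post; it assumes it is run elevated on the server, that KB948963 has already been installed, and that the server is rebooted afterwards for SCHANNEL to pick the values up. It uses the .NET registry API rather than the `HKLM:` provider because the cipher key name contains a forward slash (`AES 128/128`), which the provider would otherwise treat as a path separator and split into two nested keys.

```powershell
# Added example (not from the original post): apply the SCHANNEL registry
# changes described above and read them back. Assumes an elevated session
# on the server; a reboot is still required afterwards.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelDword {
    param(
        [Parameter(Mandatory=$true)][string]$SubKey,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$Value
    )
    # CreateSubKey opens the key writable and creates it (and any missing
    # parents) if needed. The .NET API keeps "AES 128/128" as one key name.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelBase\$SubKey")
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelDword {
    param(
        [Parameter(Mandatory=$true)][string]$SubKey,
        [Parameter(Mandatory=$true)][string]$Name
    )
    # Read-only open; returns $null if the key or value is absent.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$SubKey")
    if ($key -eq $null) { return $null }
    try {
        return $key.GetValue($Name)
    } finally {
        $key.Close()
    }
}

# Procedure 1: disable the AES 128/128 cipher so the server prefers AES 256/256.
Set-SchannelDword -SubKey 'Ciphers\AES 128/128' -Name 'Enabled' -Value 0

# Procedure 2: create TLS 1.1 and TLS 1.2 keys, each with Client and Server
# sub-keys carrying DisabledByDefault = 0 and Enabled = 1.
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $sub = "Protocols\$proto\$side"
        Set-SchannelDword -SubKey $sub -Name 'DisabledByDefault' -Value 0
        Set-SchannelDword -SubKey $sub -Name 'Enabled' -Value 1
    }
}

# Read everything back so the change can be recorded before the reboot.
"Ciphers\AES 128/128 Enabled = {0}" -f (Get-SchannelDword -SubKey 'Ciphers\AES 128/128' -Name 'Enabled')
foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $sub = "Protocols\$proto\$side"
        "{0}: DisabledByDefault = {1}, Enabled = {2}" -f $sub,
            (Get-SchannelDword -SubKey $sub -Name 'DisabledByDefault'),
            (Get-SchannelDword -SubKey $sub -Name 'Enabled')
    }
}
```

Writing the keys only tells SCHANNEL what to prefer; whether a given server build actually honours them is something to confirm with a handshake test from a client after the reboot, rather than assumed from the registry alone.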

[Screenshot: tls-12-regedit]

After this, you may need to modify the security settings in your browser to take advantage of the new security protocols. In Internet Explorer click Tools > Internet Options and select the Advanced tab, ensuring that the required SSL/TLS options are selected:

[Screenshot: ie-advanced-options]

In order to do this in Firefox / Waterfox follow the steps below:

  1. Open a new tab and browse to about:config
  2. Accept the warning, if prompted
  3. In the search box type: security.tls
  4. Right-click the option security.tls.version.max and choose Modify
  5. Supply the required max supported version of TLS
  6. Restart your browser

[Screenshot: waterfox-config]

This will allow users to continue to connect to your website using up-to-date security protocols, and as a user you can be sure that your browser is connecting to other secure websites using the best security that it can.
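The way to be sure the server really negotiates what the registry changes above intend is to open a TLS connection from a client and look at what was agreed. This added PowerShell example is not part of the original post; it assumes a client machine with .NET 4.5 or later (for the `Tls11`/`Tls12` values of `SslProtocols`), and the hostname `www.example.com` is a placeholder to replace with your own server. Each protocol version is offered on its own, so a refusal shows which versions the server will not speak, and the reported cipher strength shows whether AES 256 is being chosen.

```powershell
# Added example (not from the original post): report the protocol version and
# cipher a server negotiates, one TLS version at a time. Assumes .NET 4.5+.

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols]$Protocol =
            [System.Security.Authentication.SslProtocols]::Tls12
    )
    # Record certificate validation errors instead of failing on them: this is
    # a diagnostic against our own server, and we still want the handshake
    # details even while the certificate is self-signed or mis-issued.
    $script:CertErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:CertErrors = $errors
        return $true
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Offer only the requested version; the server either accepts it or
        # AuthenticateAsClient throws.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        New-Object PSObject -Property @{
            Host        = $HostName
            Protocol    = $ssl.SslProtocol
            Cipher      = $ssl.CipherAlgorithm
            CipherBits  = $ssl.CipherStrength
            Hash        = $ssl.HashAlgorithm
            KeyExchange = $ssl.KeyExchangeAlgorithm
            CertErrors  = $script:CertErrors
        }
    } finally {
        if ($ssl -ne $null) { $ssl.Dispose() }
        $client.Close()
    }
}

# Placeholder host: replace with the server you just reconfigured.
$target = 'www.example.com'
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    try {
        $r = Test-TlsHandshake -HostName $target -Protocol ([System.Security.Authentication.SslProtocols]$p)
        "{0,-6} accepted: {1} {2}-bit, hash {3}, key exchange {4}, cert errors: {5}" -f `
            $p, $r.Cipher, $r.CipherBits, $r.Hash, $r.KeyExchange, $r.CertErrors
    } catch {
        "{0,-6} refused: {1}" -f $p, $_.Exception.Message
    }
}
```

After the AES 128/128 change, the accepted lines should report a 256-bit cipher; if `Tls11` and `Tls12` are still refused after the reboot, the protocol keys were either written under the wrong path or the server's SCHANNEL build does not offer those versions, and that is worth knowing before telling users to raise their browser minimums.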

I hope this helps site admins out there, but if there’s anything else, please feel free to leave a comment.
