Disable Weak Algorithms - 128 bit encryption enforced
I recently did an implementation of ISA Server 2006 in a SharePoint farm. The server was being utilized as a reverse proxy in the DMZ. Security was a key element in this project, so after implementation some penetration testing was completed. That revealed my server was allowing weak SSL ciphers. I'll have to admit that this is something I had never taken into consideration before. Nonetheless, it was a good thing to learn, so I'm sharing it here.
Disabling the weak algorithms is what actually enforces 128 bit encryption for Forms-based authentication. Without these registry changes a 56 bit SSL connection for Forms-based authentication can still be established: if a client offers only 40 or 56 bit ciphers, the HTTPS listener negotiates one of them and then transfers the data (the user's credentials) over that weakly encrypted connection, even if the listener itself was configured to have 128 bit encryption enforced. The cipher suites are selected by the Windows SCHANNEL provider, not by the listener, so that is where the fix has to be made. Note that the SCHANNEL settings are machine-wide: they apply to every SSL/TLS endpoint on the server, not just the ISA listener.
To truly enforce 128 bit encryption, you need to make a few registry edits (see below) that disallow the weak algorithms.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000
Open your registry editor and navigate to the above entries. The cipher keys usually do not exist yet under SCHANNEL\Ciphers; create any that are missing (the key names include the space and the forward slash exactly as shown). For each weak cipher, add a DWORD value named Enabled with a value of 0. SCHANNEL reads these settings at start-up, so restart the server for the change to take effect, and then re-run the SSL cipher test that flagged the problem to confirm that the 40 and 56 bit suites are no longer offered.
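The same change as a script, for servers where you would rather not click through regedit. This is an added example, not code from the original post or from Microsoft. It disables the four keys listed above and, as an extension beyond the post, also RC4 64/128 and NULL, which are likewise below 128 bits; drop those two entries from the array if you only want the post's set. It uses the .NET registry API rather than New-Item because the PowerShell registry provider treats the forward slash in names such as RC4 40/128 as a path separator and would create a key RC4 40 with a subkey 128 instead.

```powershell
# Disable weak SCHANNEL ciphers (added example). Run from an elevated prompt.
# The change is machine-wide and only takes effect after a reboot.

# Keys from the post, plus two extra entries (marked) that are also below 128 bits.
$WeakCiphers = @(
    'DES 56/56',
    'RC2 40/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',   # extension beyond the post
    'NULL'          # extension beyond the post: no encryption at all
)

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Disable-WeakCipher {
    param([string]$Name)
    # CreateSubKey opens the key if it exists and creates it otherwise.
    # The Win32 registry treats '/' as an ordinary character, so the name is kept intact.
    $key = $hklm.CreateSubKey("$CiphersPath\$Name")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-CipherState {
    param([string]$Name)
    # A missing key or a missing Enabled value both mean SCHANNEL's default: enabled.
    $key = $hklm.OpenSubKey("$CiphersPath\$Name")
    if ($null -eq $key) { return 'missing (default: enabled)' }
    try {
        $value = $key.GetValue('Enabled', $null)
        if ($null -eq $value) { return 'no Enabled value (default: enabled)' }
        if ($value -eq 0)     { return 'disabled' }
        return ('enabled (0x{0:x8})' -f $value)
    } finally {
        $key.Close()
    }
}

foreach ($cipher in $WeakCiphers) {
    Disable-WeakCipher -Name $cipher
    '{0,-12} {1}' -f $cipher, (Get-CipherState -Name $cipher)
}

Write-Host 'Reboot the server for SCHANNEL to pick up the new cipher settings.'
```

After the reboot, verify from outside the DMZ rather than trusting the registry alone: a handshake that offers only export or 56 bit cipher suites should now fail. Current OpenSSL builds no longer ship those suites, so use the scanner from the penetration test or a client built with the weak suites enabled.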