IIS Crypto 1.3 Released

A new version of IIS Crypto has been released. This version adds a BEAST template that reorders the SSL cipher suites, putting RC4 at the top of the list, to mitigate the attack. We have also added .NET 4.0 binaries for Windows 2012, as it does not install .NET 2.0 by default.

14 thoughts on “IIS Crypto 1.3 Released”

    1. I too have just been flagged by a PCI scan. Apparently they've just added it as last month's scan was fine. Looking at v1.3 build 4, I don't see the BEAST template. I've only got Defaults, PCI & FIPS 140-2

      Is this because I'm running IIS6 on ws2003? It seems from the IIScrypto page, that I should be able to run it for ws2003 but don't see how.

    2. Hey Jay,

      Unfortunately Windows 2003 does not allow you to reorder the cipher suites as they are hard coded. IIS Crypto 1.3 does an OS version check and hides the cipher suite order and BEAST button.

      – Jeff

    3. Figured as much. So is there any mitigation for 2003, or do I get to spend the holidays setting up a new server?

      Thx for the quick reply.

    4. The thing is, MS12-006 does patch this on Windows 2003:

      http://technet.microsoft.com/en-us/security/bulletin/ms12-006

      However, all of these scans are simply looking for RC4 to be at the top of the list. If they see CBC being offered, they will fail. Even if your server has already been patched.

      Personally I have never had much success migrating from 2003 to 2008 (or 2012 for that matter). I've always done a clean install myself. Pain in the butt.

    5. I've tried your build 1.3 build 4 recently and noticed that although it adds the TLS 1.1 and TLS 1.2 registry keys with the Server subkey, it is not adding the Client subkey under these protocols with the Enabled DWORD value.

      Also, when I click the BEAST or PCI button and it reorders the cipher suites in the interface, where does this go? The recommended approach is to change the local group policy setting to enable SSL Cipher Suite Ordering and then specify the order, but your tool does not seem to change it there.

    6. Hey Angela,

      It does not set the client keys as this is meant to be a server side tool. I can look at adding this for the next build.

      When IIS Crypto reorders the cipher suite, it sets the following key:

      HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

      This is the same key that gpedit updates.

      – Jeff
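The policy key Jeff names above is where both IIS Crypto and gpedit write the cipher suite order. The following PowerShell script is an added example, not part of IIS Crypto or of this thread; it assumes the standard `Functions` REG_SZ value under that key (a comma-separated list of suite names) and uses a constructed sample order so it can run offline. It reports whether RC4 suites are ordered ahead of every CBC suite, which is the condition the PCI scans discussed here check for.

```powershell
# Added example: audit the SSL cipher suite order written by IIS Crypto / gpedit.
# Assumption: the "SSL Cipher Suite Order" policy stores its list in the
# 'Functions' value under this key (absent on Windows 2003, which hard-codes the order).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-CipherSuiteOrder {
    param([string]$Key = $PolicyKey)
    $item = Get-ItemProperty -Path $Key -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }   # no policy value: the OS default order is in effect
    return @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Test-BeastOrder {
    param([string[]]$Suites)
    # BEAST targets CBC-mode suites under SSL 3.0 / TLS 1.0. The mitigation the
    # BEAST template applies, and what the scanners in this thread look for, is
    # an RC4 suite ordered ahead of every CBC suite.
    $firstRc4 = -1; $firstCbc = -1
    for ($i = 0; $i -lt $Suites.Count; $i++) {
        if ($firstRc4 -lt 0 -and $Suites[$i] -match '_RC4_') { $firstRc4 = $i }
        if ($firstCbc -lt 0 -and $Suites[$i] -match '_CBC_') { $firstCbc = $i }
    }
    [pscustomobject]@{
        SuiteCount    = $Suites.Count
        FirstRc4Index = $firstRc4
        FirstCbcIndex = $firstCbc
        Rc4BeforeCbc  = ($firstRc4 -ge 0) -and (($firstCbc -lt 0) -or ($firstRc4 -lt $firstCbc))
    }
}

# Constructed sample in the same format as the 'Functions' value (not read from a real host).
$sampleOrder = 'TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA'
Test-BeastOrder -Suites ($sampleOrder -split ',')   # Rc4BeforeCbc is True for this sample

# On the server itself, audit the live policy value instead (a reboot is needed
# after changing the order, as the comments in this thread note):
# Test-BeastOrder -Suites (Get-CipherSuiteOrder)
```

A `SuiteCount` of 0 means no policy order is set and the OS default applies, so the scan result will depend on the built-in order rather than anything IIS Crypto wrote.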

    7. I failed a PCI scan due to the BEAST. If I use your tool and choose the "Beast" config button, will this restrict any users from interfacing with our site?

    8. Clicking BEAST fixes the problem, but RDP does not work after that. Clicking the PCI button after BEAST, so after the RDP didn't work anymore, does fix the RDP problem, but of course the PCI scan fails. Any way that you know of to make both work?

    9. Jeff,

      Yes, basically I clicked the BEAST button and restarted. The PCI compliance passed, but I could no longer log in with RDP. I then went back (KVM) and clicked on the PCI button and restarted. I then was able to use RDP, but the scan failed. I have RDP configured to use FIPS, if it matters. I will send a screenshot tomorrow. The server is Windows 2008 R2 64bit. Thanks.

    10. Hi,
      We keep failing the Trustwave PCI scans due to a BEAST threat. We have downloaded your software and clicked on the Beast button, then restarted the PC and ran another test, but it failed again. Do you know why this could be and what we can do to fix it?

      Thank you