78fcd8a8-18af-49f4-8a64-bccb901e5557
Security: must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. TLS/SSL Insecure Ciphers (SCHANNEL)
This script checks whether insecure protocols are still enabled: SSLV2.0 / SSLV3.0 / TLS 1.0 / TLS 1.1 / RC4.
Known insecure cipher protocols should be disabled but keep in mind that some applications other than web browsers may still rely on older ciphers such as TLS 1.0.
Guide to disable insecure cipher protocols: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
More information and recommendations on insecure cipher protocols: https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening
STIG
IIS10: https://system32.eventsentry.com/stig/viewer/V-218821 / https://system32.eventsentry.com/stig/viewer/V-218822
Server:
2022: https://system32.eventsentry.com/stig/viewer/V-254263
2019: https://system32.eventsentry.com/stig/viewer/V-205829
PCI-DSS v4.0.1: 4.2.1
NIST 800-171 rev2: 3.13.8
NIST 800-171A: 3.13.8[a], 3.13.11
NIST 800-171 rev3: 03.13.08
NIST 800-171A rev3: A.03.13.08[01], A.03.13.11
NIST 800-53 rev4: SC-8, SC-8(1)
NIST 800-53 rev5: SC-8, SC-8(1)
A.03.13.11.ODP[01]"
We created a PowerShell Script to automatically disable all insecure ciphers. It can be found at our github repository here https://github.com/eventsentry/scripts/blob/main/disable_insecure_ciphers.ps1
Manage your cookie preferences below:
To learn more about our use of cookies, please see our
Privacy Policy.