Security: TLS/SSL Insecure Ciphers (SCHANNEL)

78fcd8a8-18af-49f4-8a64-bccb901e5557

Security: organizations must implement protection methods such as TLS, encrypted VPNs, or IPsec when the data owner has a strict requirement that data integrity and confidentiality be maintained at every step of the data transfer and handling process.

This script checks whether insecure protocols and ciphers are still enabled in SCHANNEL: SSL 2.0 / SSL 3.0 / TLS 1.0 / TLS 1.1 / RC4.
Known insecure protocols and ciphers should be disabled, but keep in mind that some applications other than web browsers may still rely on older protocols such as TLS 1.0; test those applications before disabling a protocol server-wide.
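As an added illustration (not the EventSentry check or the remediation script linked below), the following read-only PowerShell audit reads the standard SCHANNEL registry locations for these protocols and the RC4 cipher suites and flags anything that is not explicitly disabled. It assumes the documented Windows registry layout under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`; the result names (`Disabled`, `DisabledByDefault`, `NotConfigured`, `Enabled`) are this example's own.

```powershell
# Added example: read-only audit of SCHANNEL protocol and RC4 cipher settings.
# The .NET registry API is used because cipher key names such as "RC4 128/128"
# contain a forward slash, which the PowerShell registry provider treats as a separator.
$base       = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$protocols  = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$rc4Ciphers = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return $null }          # key absent: OS default applies
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Get-ProtocolState {
    param([string]$Protocol, [string]$Side)       # Side is 'Server' or 'Client'
    $enabled = Get-SchannelValue "Protocols\$Protocol\$Side" 'Enabled'
    $dbd     = Get-SchannelValue "Protocols\$Protocol\$Side" 'DisabledByDefault'
    if ($enabled -eq 0) { return 'Disabled' }     # Enabled=0 turns the protocol off
    if ($dbd -eq 1)     { return 'DisabledByDefault' }  # still usable if an app asks for it
    if ($null -eq $enabled -and $null -eq $dbd) { return 'NotConfigured' }
    return 'Enabled'
}

function Get-CipherState {
    param([string]$Cipher)
    $enabled = Get-SchannelValue "Ciphers\$Cipher" 'Enabled'
    if ($null -eq $enabled) { return 'NotConfigured' }
    if ($enabled -eq 0)     { return 'Disabled' }
    return 'Enabled'                              # 0xFFFFFFFF (read back as -1) means enabled
}

$findings = foreach ($p in $protocols) {
    foreach ($side in 'Server', 'Client') {
        [pscustomobject]@{ Item = "$p ($side)"; State = Get-ProtocolState $p $side }
    }
}
$findings += foreach ($c in $rc4Ciphers) {
    [pscustomobject]@{ Item = $c; State = Get-CipherState $c }
}
$findings | Format-Table -AutoSize

# Only an explicit 'Disabled' passes. 'NotConfigured' means the OS default applies,
# and that default differs by Windows version, so it is reported for review.
$open = @($findings | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) insecure protocol/cipher setting(s) are not explicitly disabled."
    exit 1
}
exit 0
```

Run it in an elevated prompt on the host being assessed; a non-zero exit code makes it usable as a scheduled compliance check.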

Remediation

Guide to disable insecure cipher protocols: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

More information and recommendations on insecure cipher protocols: https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening

STIG

IIS10: https://system32.eventsentry.com/stig/viewer/V-218821 / https://system32.eventsentry.com/stig/viewer/V-218822

Server:
2022: https://system32.eventsentry.com/stig/viewer/V-254263
2019: https://system32.eventsentry.com/stig/viewer/V-205829

PCI-DSS v4.0.1: 4.2.1
NIST 800-171 rev2: 3.13.8
NIST 800-171A: 3.13.8[a], 3.13.11
NIST 800-171 rev3: 03.13.08
NIST 800-171A rev3: A.03.13.08[01], A.03.13.11, A.03.13.11.ODP[01]
NIST 800-53 rev4: SC-8, SC-8(1)
NIST 800-53 rev5: SC-8, SC-8(1)

We created a PowerShell script to automatically disable all insecure ciphers. It can be found in our GitHub repository here: https://github.com/eventsentry/scripts/blob/main/disable_insecure_ciphers.ps1