Saturday 17 October 2015

Securing your Windows server for secure web server publishing

I have been looking into securing the published websites on our newer builds recently, and found a neat site, Qualys SSL Labs, which provides an SSL/TLS testing service.

I used it to test our published HTTPS sites and found that most of them were insecure, some scoring very badly :(. You can test your own site at https://www.ssllabs.com/ssltest/; it grades from A+ down to F.

The newer versions of IIS (Server 2012 onwards) are generally okay out of the box, but the defaults still leave a lot to be desired. Running the test on my site reported that we were supporting weak ciphers, which can compromise the confidentiality of the connection. With default settings our servers were scoring B-.

To remedy this, you should disable the weak cipher suites on your published server. The suites SSL Labs flagged for us were the RC4 ones:

  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_RC4_128_MD5

RC4 is the cipher to get rid of: it is a broken stream cipher, and the second suite also uses MD5 as its MAC. Note that the ECDHE_ECDSA AES-GCM suites (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384) are not weak; they are the strongest suites Schannel offers and provide forward secrecy, so leave them in the list. They are only ever negotiated when the server has an ECDSA certificate, so with an RSA certificate they are simply unused.

To disable the weak ciphers, open the local Group Policy editor (or create a new domain Group Policy), browse to 'Computer Configuration\Administrative Templates\Network\SSL Configuration Settings' and enable 'SSL Cipher Suite Order'. Enabling the setting populates the string with the default set of cipher suites. Copy it out to Notepad, remove the weak cipher suites from the comma-delimited string (no spaces between entries) and paste it back. Whatever remains is enabled, in the order listed, so put the ECDHE suites first. Two caveats: the policy string is limited to 1023 characters, and a suite left out of the list is not merely deprioritised but disabled, so make sure the suites your oldest supported clients need are still present.

There are a few references online for a preferred order. I'm personally using the list at hass.de (reference at the bottom of the post) to configure the cipher suite order. The list of cipher suites is in that PowerShell script; copy it out and paste it into the Group Policy.

Once you have enabled the policy and linked it to the published server, run gpupdate and reboot the server (Schannel reads the cipher suite order at boot). Once rebooted, you should be able to re-test your server at the Qualys SSL Labs server test page and score an A- grade.

To get an A grade you will need to enable Perfect Forward Secrecy, which in practice means the ECDHE suites must be preferred over the plain RSA key-exchange ones. This is where the great work done at hass.de comes into play. Run the script provided at hass.de (reference at the bottom of the post); it sets the Schannel registry keys to disable the weak ciphers and protocols and enable the secure ones. Coupled with the Group Policy, this should get your published server to an A rating on the server test.
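The whole procedure above, as an added PowerShell example (this is not code from the original post or from hass.de): it audits the cipher suite order currently in force, writes a hardened order to the same registry value that the 'SSL Cipher Suite Order' policy sets, and switches RC4 off at the Schannel cipher level. The registry paths are the documented locations behind that policy and the Schannel cipher switches; the preferred order itself is an assumption for the example, chosen for Server 2012 R2, and the 1023-character check mirrors the policy limit. On a domain-joined server the Policies key is overwritten by domain GPO, so paste the resulting string into the GPO rather than relying on the direct write.

```powershell
# Added example, not code from the original post or from hass.de: audit the
# Schannel cipher suite order on Windows Server 2012 R2 / IIS 8.5, write a
# hardened order to the value the 'SSL Cipher Suite Order' policy uses, and
# disable RC4 at the Schannel cipher level. Run elevated; reboot afterwards.

$PolicyPath      = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalPath       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$SchannelCiphers = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Suites that must not survive: RC4, MD5 MACs, NULL, export grade, single DES.
$WeakPattern = 'RC4|MD5|NULL|EXPORT|WITH_DES_'

# Preferred order (assumed for this example): ECDHE suites (forward secrecy)
# first, plain RSA key exchange last as a fallback for older clients. Names
# carry the _P256/_P384 curve suffix Server 2012 R2 expects. ECDHE_RSA with
# AES-GCM is deliberately absent: those suites only exist from Windows 10 /
# Server 2016 onwards, so on 2012 R2 ECDHE_RSA means CBC.
$PreferredOrder = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)

function Get-CurrentCipherSuiteOrder {
    # The policy value (REG_SZ, comma separated) wins when present; otherwise
    # Schannel uses the local default (REG_MULTI_SZ, one suite per element).
    $policy = Get-ItemProperty -Path $PolicyPath -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) { return @($policy.Functions -split ',') }
    $local = Get-ItemProperty -Path $LocalPath -Name Functions -ErrorAction SilentlyContinue
    if ($local) { return @($local.Functions) }
    return @()
}

function Find-WeakCipherSuites {
    param([string[]]$Suites)
    @($Suites | Where-Object { $_ -match $WeakPattern })
}

function Set-CipherSuiteOrder {
    param([string[]]$Order)
    $clean = @($Order | Where-Object { $_ -notmatch $WeakPattern })
    $value = $clean -join ','
    # The policy string is limited to 1023 characters; refuse rather than lose suites.
    if ($value.Length -gt 1023) {
        throw "Cipher suite string is $($value.Length) characters; the policy limit is 1023"
    }
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name Functions -Value $value -Type String
    return $value
}

function Disable-SchannelCipher {
    param([string]$Name)   # e.g. 'RC4 128/128'
    # The registry provider treats '/' as a path separator, so create the
    # subkey through the .NET API to keep the literal slash in the key name.
    $base = (Get-Item 'HKLM:\').OpenSubKey($SchannelCiphers, $true)
    $key  = $base.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
}

# --- audit first, then harden ---
$weak = Find-WeakCipherSuites -Suites (Get-CurrentCipherSuiteOrder)
if ($weak.Count -gt 0) {
    Write-Host "Weak suites currently in the order:`n  $($weak -join "`n  ")"
} else {
    Write-Host 'No RC4/MD5/NULL/export suites in the current order'
}

$written = Set-CipherSuiteOrder -Order $PreferredOrder
Write-Host "Wrote $(($written -split ',').Count) suites ($($written.Length) chars) to the policy value"

foreach ($cipher in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'NULL') {
    Disable-SchannelCipher -Name $cipher
}
Write-Host 'Reboot, then re-test at https://www.ssllabs.com/ssltest/'
```

The cipher suite order only controls preference among suites that are enabled; disabling the RC4 keys under SCHANNEL\Ciphers is what stops a client from negotiating RC4 even if a different policy later puts it back in the list. Run the audit part on its own first to see what the server is actually offering before changing anything.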

One of the warnings you may still see is "Downgrade attack prevention: No, TLS_FALLBACK_SCSV not supported". This cannot currently be resolved for IIS: TLS_FALLBACK_SCSV is implemented by the TLS stack (Schannel) rather than by IIS itself, and it is not supported on these builds, so we will need to wait for it to arrive in a future Windows update.

Hope this helps in securing your servers! 

-HTTPS everywhere supporter.

Reference: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

Sunday 11 October 2015

Windows 10 Search not working after sysprep

I have recently been on a project rolling out Windows 10 to a client. A problem we faced after building our Windows 10 image was the search function not working, or rather Cortana Search!

Our environment was set up with Server 2012 R2 servers and WDS, using unattend XMLs for configuration.

Everything went well until we tried searching after imaging a whole lab of machines. What a mistake that was. Luckily, after some Google-fu and urgent searching, a result showed up for unattend XMLs and Cortana Search not working.

Long story short: don't use the CopyProfile setting in your unattend XMLs, as it somehow breaks the Cortana Search app and stops search from working.
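A check for this before an unattend file reaches WDS, as an added PowerShell example that is not part of the original post: it parses the unattend XML (which uses a default namespace, so XPath needs a prefix bound to it) and reports every component that carries CopyProfile=true. The sample document is constructed for the example; the element, component name and namespace are the standard ones for Microsoft-Windows-Shell-Setup.

```powershell
# Added example, not part of the original post: find CopyProfile=true in an
# unattend.xml so it can be removed before the image is deployed.

function Find-CopyProfile {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    # unattend.xml declares a default namespace; SelectNodes needs it mapped to a prefix.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    foreach ($n in $doc.SelectNodes('//u:settings/u:component/u:CopyProfile', $ns)) {
        [pscustomobject]@{
            File        = $Path
            Pass        = $n.ParentNode.ParentNode.GetAttribute('pass')
            Component   = $n.ParentNode.GetAttribute('name')
            CopyProfile = $n.InnerText.Trim()
        }
    }
}

# Constructed sample: the kind of unattend.xml that triggered the problem.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <CopyProfile>true</CopyProfile>
      <ComputerName>*</ComputerName>
    </component>
  </settings>
</unattend>
'@
$tmp = Join-Path $env:TEMP 'unattend-sample.xml'
Set-Content -Path $tmp -Value $sample -Encoding UTF8

$hits = @(Find-CopyProfile -Path $tmp | Where-Object { $_.CopyProfile -eq 'true' })
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning "CopyProfile=true found in $($hits.Count) place(s); remove it or search will break on the deployed image"
} else {
    Write-Host 'No CopyProfile=true in the unattend file'
}
```

Point Find-CopyProfile at the real unattend files in the WDS share (for example with Get-ChildItem -Recurse -Filter '*.xml') to sweep a whole deployment before imaging, since the only fix once a machine has been built with the setting is to re-image it.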

Good luck out there!

TL;DR: Don't use the CopyProfile setting in your unattend XMLs. It breaks Cortana Search, and the only fix is to re-image the machine.