SSL/TLS Test Tools (for SChannel, Cipher Suite)

Information security is the area that needs the most attention and is the easiest to overlook, especially when it depends on system settings.

As a developer, you must know the security precautions for program development but not necessarily those for the server. Sometimes, however, developers also have to manage the server, and then knowing some server security settings becomes very important.

Taking HTTPS as an example: a few years ago it was announced that SSL 3.0 is vulnerable to the POODLE attack (Google discovered an SSL 3.0 vulnerability, be careful of “poodle” attacks!), so our servers should turn off SSL 3.0 in SChannel.

There are several difficulties in doing this:

  • SSL 3.0 can only be turned off through regedit. In other words, there is no easy way to do it: you have to enter the complete registry path in regedit and set the value.
  • Developers often don’t know what should be turned off, so it can take a lot of time to find the information needed to completely turn off the unsafe SChannel protocols.

This is why a tool called IIS Crypto was created: it helps us quickly turn off some SChannel protocols and cipher suites.

Software name: IIS Crypto

Download link: https://www.nartac.com/Products/IISCrypto/Download

Features

  • Freeware
  • Disable unsafe SChannel protocols with one click
  • Disable unsafe cipher suites with one click
  • Quickly check a website’s HTTPS security level

Usage:

IIS Crypto is very simple to use: run it, choose Best Practices, and then click Apply.

IIS Crypto is a tool everyone should have, and it should be applied on every Windows Server to prevent unsafe ciphers and SChannel protocols from being used.

The best thing about this software is that even if you don’t know what the problems are, it already defines a set of recommended settings for you. You only need to apply them, and you avoid making a typo in regedit that causes a wrong setting.

However, if you use a detection tool such as the SSL Server Test from Qualys SSL Labs, you may still see the disabled cipher suites.

Why is this? And how can you verify that the setting was actually applied? This article shows how to confirm the change through local testing.

Cause

Sometimes we manage the web server itself but not the whole architecture, so I don’t know whether anything sits in front of the server. From the examples I encountered, the cause is very likely a Web Application Framework (WAF) layer in front of the server.

So even if the server has been configured with IIS Crypto, if the device in front of it has not been configured, an online service such as the SSL Labs test actually examines that outer device, not the server itself.

Solution – use the TestSSLServer tool to do local testing

Since you don’t know what sits in front of the server and may make the online test inaccurate, you can run a tool locally to test directly whether the machine itself was configured successfully.

The tool I tried first was nmap, but I didn’t succeed in the test myself, and a lot of things need to be installed (all for detection), so I gave up on it.

In the end I used TestSSLServer.

TestSSLServer Tools Archive

How to use TestSSLServer

This is a command-line tool; after downloading it, run it from cmd.

The easiest way to use it is to type: TestSSLServer4.exe localhost
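
A second local check that needs no network at all, as an added example that is not part of the original article, IIS Crypto or TestSSLServer: a read-only PowerShell audit of the SChannel registry values that control the server-side protocols. It assumes the standard SChannel registry layout documented by Microsoft; the function name Get-SchannelServerProtocolState and the protocol list are chosen for this example.

```powershell
# Added example: read-only audit of server-side SChannel protocol settings.
# Assumption: standard SChannel registry layout (Protocols\<name>\Server).
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
$legacy    = 'SSL 2.0', 'SSL 3.0'

# Hypothetical helper name, defined only for this example.
function Get-SchannelServerProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)

    $key   = Join-Path $base "$Protocol\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # A missing key or value means the built-in default of this Windows
    # version applies, so report it separately from an explicit setting.
    $enabled = if ($props) { $props.PSObject.Properties['Enabled'] }
    $dbd     = if ($props) { $props.PSObject.Properties['DisabledByDefault'] }

    # Enabled is a DWORD: 0 disables the protocol, any non-zero value
    # (including 0xFFFFFFFF, which PowerShell shows as -1) enables it.
    $state = if (-not $enabled)            { 'not configured (OS default applies)' }
             elseif ($enabled.Value -eq 0) { 'disabled' }
             else                          { 'enabled' }

    [pscustomobject]@{
        Protocol          = $Protocol
        Enabled           = if ($enabled) { $enabled.Value } else { $null }
        DisabledByDefault = if ($dbd)     { $dbd.Value }     else { $null }
        State             = $state
    }
}

$report = $protocols | ForEach-Object { Get-SchannelServerProtocolState -Protocol $_ }
$report | Format-Table -AutoSize

# Warn about legacy protocols that are not explicitly switched off.
$report |
    Where-Object { $_.Protocol -in $legacy -and $_.State -ne 'disabled' } |
    ForEach-Object { Write-Warning "$($_.Protocol) (server) is $($_.State)" }
```

The registry shows what has been configured; SChannel picks up changed values after a restart, so a handshake test such as TestSSLServer against localhost is still the check of what the server actually negotiates.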
