TLS Cipher Suites: How to Update Your Windows Server Cipher Suite for Better Security


Diagram of Enigma Machine Logic

You run a respectable website that your users can trust. Right? You might want to double check that. If your site is running on Microsoft Internet Information Services (IIS), you might be in for a surprise. When your users try to connect to your server over a secure connection (SSL/TLS) you may not be providing them a safe option.

Providing a better cipher suite is free and pretty easy to set up. Just follow this step by step guide to protect your users and your server. You’ll also learn how to test services you use to see how safe they really are.

Why Your Cipher Suites are Important

Microsoft’s IIS is pretty great. It’s both easy to set up and maintain. It has a user friendly graphical interface that makes configuration a breeze. It runs on Windows. IIS has a lot going for it, but it really falls flat when it comes to security defaults.

Here’s how a secure connection works. Your browser initiates a secure connection to a site. This is most easily identified by a URL starting with “HTTPS://”. Firefox offers up a little lock icon to illustrate the point further. Chrome, Internet Explorer, and Safari all have similar methods of letting you know your connection is encrypted. The server you’re connecting to replies to your browser with a list of encryption options to choose from in order of most preferred to least. Your browser goes down the list until it finds an encryption option it likes and we’re off and running. The rest, as they say, is math. (No one says that.)

The fatal flaw in this is that not all of the encryption options are created equally. Some use really great encryption algorithms (ECDH), others are less great (RSA), and some are just ill advised (DES). A browser can connect to a server using any of the options the server provides. If your site is offering up some ECDH options but also some DES options, your server will connect on either. The simple act of offering up these bad encryption options makes your site, your server, and your users potentially vulnerable. Unfortunately, by default, IIS provides some pretty poor options. Not catastrophic, but definitely not good.

How to See Where You Stand

Before we start, you might want to know where your site stands. Thankfully the good folks at Qualys are providing SSL Labs to all of us free of charge. If you go to https://www.ssllabs.com/ssltest/, you can see exactly how your server is responding to HTTPS requests. You can also see how services you use regularly stack up.

Qualys SSL Labs Test Page

One note of caution here. Just because a site doesn’t receive an A rating doesn’t mean the folks running it are doing a bad job. SSL Labs slams RC4 as a weak encryption algorithm even though there are no known attacks against it. True, it is less resistant to brute force attempts than something like RSA or ECDH, but it isn’t necessarily bad. A site may offer an RC4 connection option out of necessity for compatibility with certain browsers, so use the site’s rankings as a guideline, not an ironclad declaration of security or lack thereof.

Updating Your Cipher Suite

We’ve covered the background, now let’s get our hands dirty. Updating the suite of options your Windows server provides isn’t necessarily straightforward, but it definitely isn’t hard either.

To start, press Windows Key + R to bring up the “Run” dialog box. Type “gpedit.msc” and click “OK” to launch the Group Policy Editor. This is where we’ll make our changes.

On the left hand side, expand Computer Configuration, Administrative Templates, Network, and then click on SSL Configuration Settings.

On the right hand side, double click on SSL Cipher Suite Order.

By default, the “Not Configured” button is selected. Click on the “Enabled” button to edit your server’s Cipher Suites.

The SSL Cipher Suites field will fill with text once you click the button. If you want to see what Cipher Suites your server is currently offering, copy the text from the SSL Cipher Suites field and paste it into Notepad. The text will be in one long, unbroken string. Each of the encryption options is separated by a comma. Putting each option on its own line will make the list easier to read.

You can go through the list and add or remove to your heart’s content with one restriction; the list cannot be more than 1,023 characters. This is especially annoying because the cipher suites have long names like “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384”, so choose carefully. I recommend using the list put together by Steve Gibson over at GRC.com: https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt.

Once you’ve curated your list, you have to format it for use. Like the original list, your new one needs to be one unbroken string of characters with each cipher separated by a comma. Copy your formatted text and paste it into the SSL Cipher Suites field and click OK. Finally, to make the change stick, you have to reboot.
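The curating and formatting steps above can be scripted. The following PowerShell is an added example, not part of the original article or of any Microsoft tooling: it splits a cipher suite order string one suite per line, drops suites whose names carry weak tokens, rejects a result longer than the 1,023 character policy limit, and reads back whatever the SSL Cipher Suite Order policy currently sets. The sample list is constructed for illustration; the weak-token list is my own choice, not the article's.

```powershell
# Added example (not from the original article): curate a Windows SChannel
# cipher suite order string in the format the SSL Cipher Suite Order policy expects.
$MaxLength = 1023   # hard limit of the SSL Cipher Suite Order policy field

# Suites whose names contain any of these tokens are dropped (assumed weak-token list).
$WeakPatterns = 'RC4', 'DES', '3DES', 'NULL', 'MD5', 'EXPORT'

function Get-CuratedCipherSuiteOrder {
    param([Parameter(Mandatory)][string]$RawList)
    # The policy field is one unbroken, comma-separated string; split it per suite.
    $suites = $RawList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $kept = @(foreach ($s in $suites) {
        $weak = $false
        foreach ($p in $WeakPatterns) {
            $pattern = '_' + $p + '(_|$)'      # match the token as a whole name segment
            if ($s -match $pattern) { $weak = $true; break }
        }
        if (-not $weak) { $s }
    })
    $joined = $kept -join ','
    if ($joined.Length -gt $MaxLength) {
        throw "Cipher suite order is $($joined.Length) chars; the policy allows at most $MaxLength."
    }
    [pscustomobject]@{ Suites = $kept; Value = $joined; Length = $joined.Length }
}

# Constructed sample input (not a real server's list): strong suites mixed with weak ones.
$Sample = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,' +
          'TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA'
$result = Get-CuratedCipherSuiteOrder -RawList $Sample
'Curated suites (one per line, as the article suggests for readability):'
$result.Suites | ForEach-Object { "  $_" }
"Joined string length: $($result.Length) / $MaxLength"
'Paste this value into the SSL Cipher Suites field:'
$result.Value

# Read what the policy currently sets, if the SSL Cipher Suite Order GPO has been applied.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$current = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
if ($current) { "Policy currently sets $(($current.Functions -split ',').Count) suites." }
else { 'No SSL Cipher Suite Order policy value found (policy is Not Configured).' }
```

The registry read is informational only; the script changes nothing, so the edit and reboot still happen through the Group Policy Editor as described above.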

With your server back up and running, head over to SSL Labs and test it out. If everything went well, the results should give you an A rating.

If you would like something a little more visual, you can install IIS Crypto by Nartac (https://www.nartac.com/Products/IISCrypto/Default.aspx). This application will allow you to make the same changes as the steps above. It also lets you enable or disable ciphers based on a variety of criteria so you don’t have to go through them manually.

No matter how you do it, updating your Cipher Suites is an easy way to improve security for you and your end users.

Translated from: https://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/