Due to a flurry of questions about DROWN and PROXY Pro, we’ve decided to use this as an opportunity to publish some guidelines and recommendations in and around securing an installation of the PROXY Pro Gateway/Web Console server. The web site that we’ve been using as the arbiter of “best practices” is the Qualys SSL Labs site. This site will contact any publicly addressable site/application on port 443 (only) and evaluate the SSL configuration found there. By exposing either IIS or Gateway Server on a public port 443, tests can be run against our software.
In Windows, SSL support is handled in a module called “SChannel”. This module and its configuration is global on the machine, and therefore changing the configuration to secure Web Console changes the configuration for all applications on the machine. As a result, we don’t think it’s appropriate that the PROXY installers change this global machine configuration, but it is our responsibility to call the administrator’s attention to the issue, and provide guidance on how to establish a good configuration.
Microsoft’s guidance on configuring Windows is in their Support Knowledge Base article # 245030. Unfortunately, this does not guidance on what configuration should be used, and instead documents a very large number of registry keys that can be modified to change the configuration. We felt that this article wasn’t useful as-is. Fortunately, a software consulting company called Nartac Software had this same issue, and has developed a utility program called IIS Crypto to address it. The software is available freely on their web site here.
We’d like to recommend that Private Cloud Edition customers follow these steps:
- On the server machine to be configured, log into Windows as an administrative user of the machine.
- Download the tool from https://www.nartac.com/Products/IISCrypto/(or access an already downloaded copy from somewhere).
- Run the tool, and click the “Best Practices” button.
- In the “Hashes Enabled” list, uncheck MD5 if it remained checked. This a recent change to “best practices” guidance.
- Optionally, in the “Ciphers Enabled” list, uncheck “Triple DES 168/168” if it remained checked. This disables the shortest key length (112 bits), and ensures AES either 128 or 256 bit is used.
- Click Apply.
- Click the Close box in the upper-left hand corner of the window to close the utility.
- Restart the machine. This is very important – the utility doesn’t force or prompt for a restart, but the configuration changes will not take effect until after the machine is restarted.
That’s it! This is a one-time machine configuration change, at least until SSL best practices change again. Note well that this configures the SERVER side of SSL configurations only, so there’s only value in doing this on machines that have SSL-based servers that use the Microsoft SChannel implementation. This specifically includes Internet Information Services (IIS) hosting Web Console, but excludes the Gateway Server, which uses OpenSSL for its SSL support.