Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part3)
In my blog Require 128-bit Encryption for HTTPS Traffic with ISA Server 2006 (Part2) we analysed what the setting Require 128-bit encryption for HTTPS traffic really means and how it works. By default the Web Proxy component on ISA checks, for every HTTPS request, whether the secure channel that carried the request has a strong Cipher Suite (at least 128-bit encryption) as a property. However, it does *not* prevent the setup of a secure channel with a weak Cipher Suite in the first place.
In this last part, we extended the second scenario outlined in part 2 of this blog series by adding an authentication scheme to it, either on the web listener or on the web publishing rule. First we tested this new scenario with Basic authentication and were very astonished to get an authentication prompt, as shown below:
Only *after* a successful authentication did we see the expected IE error page: "Error Code: 403 Forbidden. The page requires 128-bit encryption, an enhanced security mechanism. To view the page contents, use a browser that supports this enhanced encryption (12212)". Straight away we tested this scenario with Forms Based authentication and got the same result. Hmm... this means that the authentication, credentials included, is done over a secure channel with a weak Cipher Suite! 🙁
We contacted Microsoft PSS and logged a case for this issue. The outcome is that the ISA developers confirmed my observations and that they are the result of a limitation in the current ISA Server 2004/2006 versions. The good news is that this behavior will change in ISA Server 2006 SP1. For the current ISA 2006 version and all ISA 2004 versions up to and including SP3, you should implement the workaround I mentioned in part 2 of this blog series. This issue will also be documented in the upcoming KB Article 937293.
In conclusion, we can say that rolling out KB Article 245030 to all ISA installations, so that the weak SSL/TLS Cipher Suites are disabled at the SCHANNEL level and a weak secure channel can never be set up at all, should be part of the standard hardening exercise for any ISA Server. You can apply the following registry file to accomplish that:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
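Once the registry file has been applied, you will want a way to verify that every ISA Server actually carries these settings. The following PowerShell audit script is an added example, not part of the original post or of KB 245030: it reads each cipher key under SCHANNEL\Ciphers and compares the Enabled value with the state the .reg file above sets. The expected-state table is taken directly from that file; the assumption that a missing key or missing Enabled value means SCHANNEL falls back to its default (cipher available) is mine. The .NET registry API is used because the cipher key names contain a forward slash, which the PowerShell registry provider cannot address directly.

```powershell
# Added audit script (not from the original post): compare the local SCHANNEL
# cipher settings with the KB 245030 hardening applied by the .reg file above.
# Run in an elevated PowerShell session on the ISA Server.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Expected state, copied from the .reg file: $true = keep enabled, $false = disabled
$expected = @{
    'NULL'               = $false
    'DES 56/56'          = $false
    'RC2 40/128'         = $false
    'RC2 56/128'         = $false
    'RC2 128/128'        = $true
    'RC4 40/128'         = $false
    'RC4 56/128'         = $false
    'RC4 64/128'         = $false
    'RC4 128/128'        = $true
    'Triple DES 168/168' = $true
}

# Key names such as "RC4 40/128" contain '/', so open them through .NET
# instead of the HKLM: provider.
$hklm = [Microsoft.Win32.Registry]::LocalMachine

$results = foreach ($name in $expected.Keys) {
    $key = $hklm.OpenSubKey("$base\$name")
    if ($null -eq $key) {
        # Assumption: no key at all means SCHANNEL uses its default, i.e. the cipher is available
        $enabled = $true
        $state   = 'default (key missing)'
    } else {
        $value = $key.GetValue('Enabled')
        $key.Close()
        if ($null -eq $value) {
            # Assumption: key present but no Enabled value also means the default applies
            $enabled = $true
            $state   = 'default (value missing)'
        } else {
            # dword:ffffffff is read back as Int32 -1; {0:x8} still prints it as ffffffff
            $enabled = ($value -ne 0)
            $state   = ('0x{0:x8}' -f $value)
        }
    }
    [pscustomobject]@{
        Cipher    = $name
        Enabled   = $enabled
        Value     = $state
        Expected  = $expected[$name]
        Compliant = ($enabled -eq $expected[$name])
    }
}

$results | Sort-Object Compliant, Cipher | Format-Table -AutoSize

# Non-zero exit code makes the script usable from a scheduled job or a
# configuration-compliance check across several ISA Servers.
$bad = @($results | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) cipher setting(s) deviate from the KB 245030 hardening"
    exit 1
}
Write-Host 'All SCHANNEL cipher settings match the KB 245030 hardening'
```

SCHANNEL reads these values when it starts, so run the audit after the reboot that follows importing the .reg file; a server that still shows RC4 40/128 or DES 56/56 as enabled is one on which a browser can still complete the weak handshake, and therefore the Basic or Forms Based authentication, that this series has been describing.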