For better or worse, my life revolves around PCI-DSS these days. As I move along through the realm of PCI-Compliance, I thought I would start sharing some observations. I am going to start today with two standards that should be implemented to save you a lot of time and energy. If you have these in place before you start your vulnerability scanning, you won’t have to deal with an avalanche of results from these issues.
1. Disable SSHv1 Support. Version 1 of the SSH protocol has well-known weaknesses (its CRC-32 integrity check, for one, lets an attacker insert packets into a session), and for this reason it has been essentially abandoned in favour of SSHv2. Current OpenSSH releases have dropped SSHv1 altogether, so on a Linux host this is mostly a concern on older installs; network gear and appliances, on the other hand, often still offer both versions. I have included instructions for disabling SSHv1 in a few of the more common setups.
a. OpenSSH
i. Edit the sshd_config file. This file is normally located at /etc/ssh/sshd_config.
ii. Change the line that reads Protocol 1,2 (or Protocol 2,1) so that it instead reads Protocol 2. If the line is commented out (#Protocol 2,1) it only documents the default, which still allows SSHv1, so uncomment it as well as changing it.
iii. Check that the file parses with sshd -t, then restart the sshd service. A new connection should now be greeted with a banner beginning SSH-2.0- rather than SSH-1.99-.
b. Cisco
i. In global configuration mode enter the command ip ssh version 2. SSH must already be set up on the device (hostname, ip domain-name and an RSA key pair generated with crypto key generate rsa).
ii. This enables SSH v2 and disables SSH v1. Confirm with show ip ssh, which should now report version 2.0 rather than 1.99, and save the configuration.
c. F5 Big-IP 4.x
i. Log in to the BIG-IP command line.
ii. Change to the /config/ssh directory: cd /config/ssh
iii. Use a text editor to edit the sshd_config file.
iv. Edit the Protocol entry used to configure the SSH versions supported by the sshd daemon: replace #Protocol 2,1 with Protocol 2 (uncomment the line as well as changing it).
v. Save the sshd_config file.
vi. Restart sshd: bigstart restart sshd
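Whatever the platform, the quickest way to confirm the change took is to look at what the scanner looks at: the identification string the server sends as soon as you connect. RFC 4253 specifies that a server offering both versions announces itself as SSH-1.99-..., an SSHv2-only server as SSH-2.0-... and an SSHv1-only server as SSH-1.x-.... The script below is an added example, not part of the original post; it classifies that banner and fetches it from a live host so you can sweep your in-scope hosts before the scan. The function names, the host:port arguments and the banners in its comments are mine; nothing in it is specific to OpenSSH, IOS or BIG-IP.

```python
"""Pre-scan check: which SSH protocol versions does a host advertise?

Added example. It reads the SSH identification string (RFC 4253, section
4.2) exactly as a vulnerability scanner does, so it applies to OpenSSH,
Cisco IOS, F5 BIG-IP or anything else that speaks SSH.
"""
import socket
import sys


def classify_ssh_banner(banner: str) -> str:
    """Map an identification string to the protocol versions on offer.

    RFC 4253: 'SSH-1.99-' means the server speaks both SSHv1 and SSHv2,
    'SSH-2.0-' means SSHv2 only, and 'SSH-1.x-' (usually 1.5) SSHv1 only.
    """
    line = banner.strip()
    if not line.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {line!r}")
    protoversion = line[4:].split("-", 1)[0]
    if protoversion == "1.99":
        return "ssh1+ssh2"
    if protoversion == "2.0":
        return "ssh2-only"
    if protoversion.startswith("1."):
        return "ssh1-only"
    return f"unknown ({protoversion})"


def sshv1_offered(banner: str) -> bool:
    """True when a scanner would flag SSHv1 support on this banner."""
    return classify_ssh_banner(banner) in ("ssh1+ssh2", "ssh1-only")


def fetch_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Connect and read the identification line the server sends first.

    Servers may send informational lines before it (RFC 4253 4.2), so keep
    reading until a line starting with 'SSH-' shows up.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(50):
            raw = stream.readline()
            if not raw:
                break
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ValueError(f"{host}:{port} sent no SSH identification line")


def main(argv) -> int:
    """Usage: python ssh_version_check.py host[:port] ...  (your own hosts)"""
    exit_code = 0
    for target in argv:
        host, _, port = target.partition(":")
        try:
            banner = fetch_ssh_banner(host, int(port or 22))
            verdict = classify_ssh_banner(banner)
        except (OSError, ValueError) as exc:
            print(f"{target}: ERROR {exc}")
            exit_code = 2
            continue
        # e.g. 'SSH-1.99-OpenSSH_4.3' -> ssh1+ssh2 FAIL, 'SSH-2.0-Cisco-1.25' -> ok
        flag = "FAIL (SSHv1 still offered)" if sshv1_offered(banner) else "ok"
        print(f"{target}: {banner} -> {verdict} {flag}")
        if flag != "ok":
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the hosts you just reconfigured: after Protocol 2 on OpenSSH or ip ssh version 2 on IOS the banner moves from SSH-1.99- to SSH-2.0-, and anything still reporting 1.99 or 1.5 is exactly what the scan report will list.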
2. Enforce Strong SSL Encryption. There is a little more to this step than the previous one. Enforcing strong cryptographic standards in general is extremely important; right now we are just going to talk about how to enforce proper usage of SSL/TLS on IIS and Apache web servers. Keep in mind that the bar moves: the settings below (SSL 3.0 plus TLS 1.0, with RC4 still permitted) are what the scanners of the day looked for. SSL 3.0 has since been broken (POODLE), RC4 is prohibited outright (RFC 7465), and PCI DSS has required migrating off SSL and early TLS entirely, so on a current system the same exercise means TLS 1.2 or later and nothing weaker.
a. Apache 2.x
i. Disable SSL 2.0 support
ii. Disable weak (40/56-bit and export) ciphers
iii. Disable MD5 as the MAC hash
iv. Disable anonymous cipher suites (no server authentication)
v. To accomplish this include the following lines in the SSL virtual host section of httpd.conf (or the ssl.conf it includes):
· SSLProtocol -ALL +SSLv3 +TLSv1
· SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MD5:!EXP:RC4+RSA:+HIGH:+MEDIUM
vi. -ALL +SSLv3 +TLSv1 turns SSLv2 off by leaving it out. In the cipher string, !aNULL:!ADH drops the anonymous suites, !eNULL the null-encryption ones, !LOW and !EXP the 40/56-bit and export ones, and !MD5 the MD5 MACs; RC4+RSA:+HIGH:+MEDIUM only orders what is left. Before restarting, list what the string actually enables with openssl ciphers -v 'ALL:!aNULL:!ADH:!eNULL:!LOW:!MD5:!EXP:RC4+RSA:+HIGH:+MEDIUM' and check the file with apachectl configtest. Note that this string still leaves RC4 suites (Enc=RC4(128) in that listing) enabled, which a current scan will flag.
b. Windows/IIS
i. Enforce the use of SSL 3.0 and TLS by disabling support for PCT 1.0 and SSL 2.0. All of the keys below live under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL; create any subkey that does not exist yet, and use REG_DWORD values throughout (0x00000000 disables an item, 0xffffffff enables it).
1. Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server in the registry
2. Add a new DWORD called 'Enabled' and set it to 0x00000000
3. Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
4. Add a new DWORD called 'Enabled' and set it to 0x00000000
ii. Disable the weak ciphers: everything under 128 bits (the 40-, 56- and 64-bit RC2/RC4 variants and single DES), NULL encryption, and the 128-bit RC2 and RC4 suites as well. Add a DWORD value called "Enabled", set to 0x00000000, to each of the following keys:
1. SCHANNEL\Ciphers\RC4 128/128
2. SCHANNEL\Ciphers\RC2 128/128
3. SCHANNEL\Ciphers\RC4 64/128
4. SCHANNEL\Ciphers\RC4 56/128
5. SCHANNEL\Ciphers\RC2 56/128
6. SCHANNEL\Ciphers\RC4 40/128
7. SCHANNEL\Ciphers\RC2 40/128
8. SCHANNEL\Ciphers\DES 56/56 (single DES is a 56-bit cipher and belongs with the disabled set, not the enabled one)
9. SCHANNEL\Ciphers\NULL
iii. Add a DWORD value called "Enabled", set to 0xffffffff, to the following keys, so that Triple DES (and AES, where the Windows version offers it) is what remains:
1. SCHANNEL\Ciphers\Triple DES 168/168
2. SCHANNEL\Ciphers\AES 128/128 and SCHANNEL\Ciphers\AES 256/256 (only on Windows versions whose Schannel has these keys)
3. SCHANNEL\KeyExchangeAlgorithms\PKCS
iv. Enforce the use of SHA hashes instead of MD5
1. Add a DWORD value called "Enabled", set to 0x00000000, to SCHANNEL\Hashes\MD5
2. Add a DWORD value called "Enabled", set to 0xffffffff, to SCHANNEL\Hashes\SHA
v. A reboot of the machine is now required for the changes to take effect. Once it is back up, confirm from another host that an SSL 2.0 handshake is refused before the scanner tells you otherwise.
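Once Apache or IIS has been reconfigured (and the Windows box rebooted), test it from another machine the way the scanner will: send the server an SSLv2 CLIENT-HELLO and an SSLv3 ClientHello and see whether it answers with a hello or with an alert. The script below is an added example; it is not part of the original post and is not taken from any scanner. It hand-builds the two handshake openers because a current OpenSSL, and therefore Python's ssl module, can no longer speak SSLv2 or SSLv3 (openssl s_client -ssl2/-ssl3 and nmap's ssl-enum-ciphers do the same job on builds that still support those options). It goes slightly beyond the text by taking the protocol version as a parameter, so the same probe also checks TLS 1.0, which PCI DSS now treats as "early TLS". The function names, the host:port arguments and the reply bytes used in its self-test are constructed by me.

```python
"""Pre-scan check: does a web server still answer SSLv2, SSLv3 or TLS 1.0?

Added example. It sends the opening message of each protocol and classifies
the reply, which is what a PCI scanner does for these findings.
"""
import os
import socket
import sys

# SSLv2 CIPHER-KINDs from the SSL 2.0 spec. Offering all seven maximises the
# chance that a v2-capable server answers with SERVER-HELLO.
SSLV2_CIPHER_KINDS = bytes.fromhex(
    "010080"  # SSL_CK_RC4_128_WITH_MD5
    "020080"  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"  # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"  # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"  # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)
# SSLv3/TLS 1.0 suites an old server is likely to have: RSA and DHE with 3DES
# and AES (000a 002f 0035 0033 0039), plus RC4-MD5, RC4-SHA and DES (0004
# 0005 0009) so that even a weak-only server still replies.
SSLV3_CIPHER_SUITES = bytes.fromhex("000a002f003500330039000400050009")


def build_sslv2_client_hello() -> bytes:
    """SSLv2 CLIENT-HELLO: 2-byte header (high bit set, 15-bit length), then
    MSG-CLIENT-HELLO (1), version 0x0002, the three length fields, the
    cipher kinds, no session id and a 16-byte challenge."""
    challenge = os.urandom(16)
    body = (b"\x01\x00\x02"
            + len(SSLV2_CIPHER_KINDS).to_bytes(2, "big")
            + b"\x00\x00"                       # session id length: none
            + len(challenge).to_bytes(2, "big")
            + SSLV2_CIPHER_KINDS + challenge)
    return (0x8000 | len(body)).to_bytes(2, "big") + body


def build_client_hello(major: int, minor: int) -> bytes:
    """SSLv3/TLS ClientHello in a handshake record. (3, 0) is SSLv3, (3, 1)
    is TLS 1.0. The same version goes in the record layer and client_version,
    so the server cannot negotiate anything newer than we are asking about."""
    version = bytes([major, minor])
    hello = (version + os.urandom(32)            # client_version + Random
             + b"\x00"                           # empty session id
             + len(SSLV3_CIPHER_SUITES).to_bytes(2, "big") + SSLV3_CIPHER_SUITES
             + b"\x01\x00")                      # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # type 1 = ClientHello
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


def sslv2_accepted(reply: bytes) -> bool:
    """A v2-capable server answers with a v2 record whose message type is
    MSG-SERVER-HELLO (4); a TLS alert, a reset or silence is a refusal."""
    return len(reply) >= 3 and bool(reply[0] & 0x80) and reply[2] == 0x04


def hello_result(reply: bytes, major: int, minor: int) -> str:
    """'accepted' when a ServerHello for exactly the requested version came
    back, 'alert' for a TLS alert record (handshake_failure or
    protocol_version in practice), 'refused' for anything else."""
    if len(reply) >= 7 and reply[0] == 0x15:
        return "alert"
    if (len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02
            and reply[9] == major and reply[10] == minor):
        return "accepted"
    return "refused"


def send_and_receive(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """One TCP connection, one message, first reply. Empty bytes if the
    server closes, resets or times out, all of which count as a refusal."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(payload)
            return sock.recv(4096)
        except OSError:
            return b""


def check_host(host: str, port: int = 443) -> dict:
    """Which legacy protocols the server at host:port still accepts."""
    return {
        "SSLv2": sslv2_accepted(send_and_receive(host, port, build_sslv2_client_hello())),
        "SSLv3": hello_result(send_and_receive(host, port, build_client_hello(3, 0)), 3, 0) == "accepted",
        "TLSv1.0": hello_result(send_and_receive(host, port, build_client_hello(3, 1)), 3, 1) == "accepted",
    }


if __name__ == "__main__":
    # Usage: python legacy_ssl_check.py host[:port] ...  (your own hosts only)
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        still_on = [name for name, on in check_host(host, int(port or 443)).items() if on]
        print(f"{target}: " + ("FAIL, still accepts " + ", ".join(still_on) if still_on else "ok"))
```

A server configured as described above should refuse the SSLv2 opener and accept the SSLv3 and TLS 1.0 ones; a server hardened to today's PCI DSS requirements refuses all three. A reset or silence is treated as a refusal on purpose: many servers simply drop the connection on an unsupported version rather than sending an alert, and the scanner scores that the same way.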
These two little things can save you a huge amount of work if you implement them. When you go to run a PCI-DSS mandated vulnerability scan, these items will trip you up if you’re not careful. Get them implemented early; have them set as a standard, and save yourself a lot of headache.