

Someday, someone will come to you saying that you have big big problems.
All sorts of bad things are going to happen to you, and you’re doomed. This stranger probably ran a security scanner of some type and identified that your SSL-protected services (HTTPS, FTPS and so on) use some outdated or weak protocol.

I’m not going to discuss the fact that these are attacks that can be run against your network, or the chances they have to succeed (just google around and find out for yourself). Simply, having found myself in this situation, and having Windows Servers to secure, I read some information on the Microsoft website (all is summarized here: ) and found the way to modify some registry keys to enable or disable these protocols.

To make it short, I also wrote CipherControl, a .NET 2.0 application that can modify local or remote SCHANNEL settings on servers ranging from Windows 2000 to Windows Server 2003 (Vista and Server 2008 are under testing). 
This simplifies your life as a network administrator: you no longer need to remember which keys to change and in which way.


Well, you probably do not need lots of instructions to use CipherControl; anyway, here are four simple steps:
1. Unzip the program on a machine with the Microsoft .NET Framework 2 runtime.
2. Start the program, type the name of the machine you need to connect to into the Server box and click Open.
3. If no problems arise connecting to that machine, just click the protocol, cipher, key exchange algorithm or hash function, and read the state of that item and whether it is classified as not FIPS-140 compliant (as per ). Just click Enable or Disable to change the state of the item.
4. Restart the server and the new settings will be used.
Before changing any setting, it is recommended that you back up your registry settings. This can be done by running the following in a shell on the server:
reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL backup.reg
To revert to the original settings, just delete the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL key and double-click the backup.reg file.
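To record what the SCHANNEL key actually holds before and after a change, the following read-only listing can be run; it is an added example, not part of CipherControl or of the original page. It assumes the standard Protocols, Ciphers, Hashes and KeyExchangeAlgorithms subkeys with their Enabled DWORD value, and the -Server parameter name is hypothetical.

```powershell
# Added example: read-only listing of SCHANNEL settings. It changes nothing.
# -Server is a hypothetical parameter name; empty string means the local machine.
param([string]$Server = '')

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$groups   = 'Protocols', 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms'

function Get-EnabledState($key) {
    # 'Enabled' is a DWORD: 0 = disabled, non-zero = enabled, absent = OS default.
    $v = $key.GetValue('Enabled', $null)
    if ($null -eq $v) { 'default' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
}

function Get-SchannelItem($parent, $path) {
    # The .NET registry API is used instead of the HKLM:\ provider because
    # cipher key names such as "RC4 128/128" contain a '/', which the
    # provider would treat as a path separator.
    foreach ($name in $parent.GetSubKeyNames()) {
        $sub = $parent.OpenSubKey($name)
        if ($sub.SubKeyCount -eq 0) {
            # Leaf key: a cipher, hash, key exchange, or a protocol's Client/Server key.
            [pscustomobject]@{ Item = "$path\$name"; State = Get-EnabledState $sub }
        } else {
            # Protocols nest one level deeper (Client / Server subkeys).
            Get-SchannelItem $sub "$path\$name"
        }
        $sub.Close()
    }
}

# Reading a remote machine requires its Remote Registry service to be running.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
try {
    $root = $hklm.OpenSubKey($schannel)   # opened read-only
    if ($null -eq $root) { throw "SCHANNEL key not found (server: '$Server')" }
    foreach ($g in $groups) {
        $k = $root.OpenSubKey($g)
        if ($k) { Get-SchannelItem $k $g; $k.Close() }
    }
} finally {
    $hklm.Close()
}
```

Items reported as "default" have no explicit Enabled value, so the operating system's built-in behaviour applies to them.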

This software is freeware. You can use it the way you want, as long as you don’t sell it. Needless to say, this software comes with no explicit or implicit warranty of any kind.

Download it from the bottom of this page.


You can easily check for the enormous holes in your SSL setup by running a remote scan from Serversniff or downloading SSL Digger.

Marcello Gorlani,
Jan 26, 2012, 5:51 AM