Tools from www.gorlani.com/portal:
Netboar: free and effective network analysis tool. Similar to iftop
Mac Makeup: change (spoof) your mac address
TurnItOn: enable disabled controls
Peks: checksum verification and modification tool for PE executables
Evtbak: batch backup your local/remote Windows NT event log
MyGears: gear/speed calculator
CTI: calculate rally times
Pinta: free simple customizable Mailenable antispam plugin

www.gorlani.com and all of its contents are (c) by Marcello Gorlani

 


CipherControl

Someday, someone will come to you saying that you have big big problems.
All sorts of bad things are going to happen to you, and you’re doomed. This stranger probably run a security scanner of some type and identified that your SSL protected services (HTTPS, FTPS and so on) use some outdated or weak protocol.

I’m not going to discuss the fact these are attacks that can be run against your network, or the chances they have to succeed (just google around and find yourself). Simply, having found myself in this situation, and having Windows Servers to secure, I read some information on Microsoft website (all is summarized here: http://support.microsoft.com/kb/245030/en-us) and found the way to modify some registry keys to enable or disable these protocols.

To make it short, I also wrote CipherControl, a .NET 2.0 application that can modify local or remote SCHANNEL settings on servers ranging from Windows 2000 to Windows Server 2003 (Vista and Server 2008 are under testing).
This simplifies your network administrator life, not needing to remember which keys to change and in which way.

Usage


Well, you probably do not need lots of instructions to use CipherControl, by the way here are four simple steps:
  1.  Unzip the program on a machine with Microsoft .NET framework 2 runtime
  2. Start the program and type the name of the machine you need to connect to into the Server box and click Open
  3. If no problems arise connecting to that machine, just click the protocol, cipher, key exchange algorithm or hash function, and read the state of that item and if it is classified as not FIPS-140 compliant (as per http://support.microsoft.com/kb/245030/en-us). Just click enable or disable to change the state of the item
  4.  Restart the server and new settings will be used

Before changing any setting, it is recommended you backup your registry settings. This can be done running on a shell of the server:
reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL backup.reg
To revert to original settings, just delete the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL key and double click the backup.reg file.

License

This software is freeware. You can use it the way you want, as long as you don’t sell it. Needless to say, this software comes with no explicit or implicit warranty of any kind.

Download

Download it here. Last version is 1.1.0.2, MD5 hash of the zip file is 1E47E27A23BDB0BA2776DD82E47EE2D7 (and yes, I know MD5 is terribly insecure...)

Other

You can easily check the enormous holes in your SSL setup by running a remote scan from Serversniff or downloading SSL Digger

You can drop me a note about CipherControl via the forum or this form.


Tools from www.gorlani.com/portal:
Netboar: free and effective network analysis tool. Similar to iftop
Mac Makeup: change (spoof) your mac address
TurnItOn: enable disabled controls
Peks: checksum verification and modification tool for PE executables
Evtbak: batch backup your local/remote Windows NT event log
MyGears: gear/speed calculator
CTI: calculate rally times
Pinta: free simple customizable Mailenable antispam plugin

www.gorlani.com and all of its contents are (c) by Marcello Gorlani