derTest.org now also in HD... no, via SSL

... or rather: derTest.org is now also reachable in HD via SSL. Hooray!

Since Host Europe has apparently quietly dropped the SSL proxy for its "WebPack" products and instead offers affordable certificates, I took the opportunity and treated myself, or rather the blog derTest.org, to an SSL certificate for 30€ / year.

Then I added the HSTS header (Strict-Transport-Security header) in the theme's "functions.php", changed the blog's base URL to https://derTest.org, and set up an HTTP redirect (301, Moved Permanently) in .htaccess...

functions.php (relevant excerpt for HSTS):

...
add_action( 'send_headers', 'tgm_io_strict_transport_security' );
/**
 * Enables the HTTP Strict Transport Security (HSTS) header.
 *
 * max-age=157680000 seconds is five years. Browsers only honour the header
 * when it arrives over HTTPS, so the copy sent on the plain-HTTP response
 * before the 301 redirect is harmless but has no effect. includeSubDomains
 * is not set: add it only once every subdomain is served over HTTPS, because
 * browsers cache the policy for the full max-age.
 *
 * @since 1.0.0
 */
function tgm_io_strict_transport_security() {
    header( 'Strict-Transport-Security: max-age=157680000' );
}
...

.htaccess (excerpt of the .htaccess):

...
<IfModule mod_rewrite.c>
RewriteEngine On
# Any request that did not arrive over TLS gets a permanent redirect to the
# same host and path over https; mod_rewrite carries the query string over.
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
...
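Whether the redirect and the HSTS header really do what they are supposed to is worth checking rather than assuming. The following Python script is an added example, not part of the original post: it models responses as plain (status, headers) values so it runs without network access, checks the redirect for scheme, host and path preservation, and checks the HSTS value for a usable max-age and includeSubDomains. The sample responses are constructed to mirror what the .htaccess rule and the functions.php snippet above produce; the derTest.org URLs, the feed path and the one-year minimum are assumptions of the example.

```python
"""Offline checks for an HTTP-to-HTTPS migration: the 301 redirect and the HSTS header.

Responses are modelled as (status, headers) so the checks run without network access;
the samples at the bottom are constructed to mirror what the .htaccess rule and the
functions.php snippet on this page produce.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; assumed minimum max-age (what the HSTS preload list requires)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1) into a dict.

    Directive names are case-insensitive and unknown directives are ignored.
    Returns None when max-age is missing or not a number; a browser would
    reject the whole header in that case.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def check_redirect(request_url, status, headers):
    """Findings for a plain-HTTP request that should be redirected permanently to the
    same host, path and query over https. An empty list means the redirect is right."""
    findings = []
    if status != 301:
        findings.append(f"expected 301 for {request_url}, got {status}")
    location = headers.get("Location")
    if location is None:
        findings.append("redirect without Location header")
        return findings
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if dst.hostname != src.hostname:
        findings.append(f"redirect changes host: {src.hostname} -> {dst.hostname}")
    if (dst.path, dst.query) != (src.path, src.query):
        findings.append("redirect drops path or query string")
    return findings


def check_hsts(response_url, headers):
    """Findings for the HSTS header on a response. An empty list means the policy is sound."""
    findings = []
    if urlsplit(response_url).scheme != "https":
        # RFC 6797 section 8.1: a browser ignores HSTS received over plain HTTP
        findings.append("HSTS sent over plain HTTP is ignored by browsers")
    value = headers.get("Strict-Transport-Security")
    if value is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    policy = parse_hsts(value)
    if policy is None:
        findings.append(f"malformed HSTS header: {value!r}")
        return findings
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set: subdomains stay reachable over plain HTTP")
    return findings


# Constructed samples mirroring the page's configuration (hostname and path are assumed)
HTTP_RESPONSE = (301, {"Location": "https://derTest.org/feed/?x=1"})
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=157680000"}

if __name__ == "__main__":
    for finding in check_redirect("http://derTest.org/feed/?x=1", *HTTP_RESPONSE):
        print("redirect:", finding)
    for finding in check_hsts("https://derTest.org/", HTTPS_HEADERS):
        print("hsts:", finding)
```

Run against the page's own configuration the redirect check comes back clean and the HSTS check reports only the missing includeSubDomains. The WordPress hook sends the header on every response, including the plain-HTTP one that precedes the redirect; that copy is ignored by browsers, which is why `check_hsts` flags it when evaluated against an http:// URL.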

... and there it is:

Windows Server 2008 R2 / Windows Server 2012 (R2), IIS 7.5 / IIS 8: configuring Perfect Forward Secrecy / TLS 1.2

What do we do?

  • disable the insecure protocols (SSL v3 / v2)
  • enable Transport Layer Security (TLS v1.2 / v1.1 / v1.0)
  • disable insecure ciphers (RC2 / RC4 / DES) / enable secure ones (AES / Triple DES)
  • configure hashes accordingly (disable MD5 / enable SHA)
  • set up secure key exchange (Diffie-Hellman / PKCS / ECDH)
  • enable Perfect Forward Secrecy (PFS)
  • the script as a TXT file can be found below the PowerShell code
  • after running the script the server must be restarted

Two of these choices have aged: TLS 1.0 and 1.1 are deprecated (RFC 8996) and should only stay enabled for clients that cannot negotiate TLS 1.2, and Triple DES has a 64-bit block size (Sweet32), so treat both as compatibility fallbacks rather than as part of the secure set.
# Registry handles used throughout. The .NET RegistryKey API is used instead of
# New-Item / New-ItemProperty because several Schannel key names contain a forward slash
# ("RC4 128/128"), which the PowerShell registry provider would treat as a path separator.
$hklm      = Get-Item HKLM:\
$schannel  = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL", $true)
$protocols = $schannel.CreateSubKey("Protocols")
$dword     = [Microsoft.Win32.RegistryValueKind]::DWord
# Enabled = 0 switches a protocol or algorithm off; 0xffffffff is the "on" value used in
# Microsoft's Schannel documentation. PowerShell parses that hex literal as [int]-1
# (two's complement), which SetValue stores as DWORD 0xFFFFFFFF.
$on  = 0xffffffff
$off = 0

# Disable insecure protocols; enable secure ones
# DisabledByDefault = 1 keeps a protocol off unless an application requests it explicitly.
foreach ($proto in "SSL 2.0", "SSL 3.0") {
    $protocols.CreateSubKey("$proto\Server").SetValue("Enabled", $off, $dword)
    $protocols.CreateSubKey("$proto\Client").SetValue("DisabledByDefault", 1, $dword)
}
foreach ($proto in "TLS 1.0", "TLS 1.1", "TLS 1.2") {
    $key = $protocols.CreateSubKey("$proto\Server")
    $key.SetValue("Enabled", $on, $dword)
    $key.SetValue("DisabledByDefault", 0, $dword)
    $key = $protocols.CreateSubKey("$proto\Client")
    $key.SetValue("Enabled", 1, $dword)
    $key.SetValue("DisabledByDefault", 0, $dword)
}
foreach ($proto in "Multi-Protocol Unified Hello", "PCT 1.0") {
    $protocols.CreateSubKey("$proto\Server").SetValue("Enabled", $off, $dword)
}
# Renegotiation hardening (KB 980436): these values belong directly under the SCHANNEL
# key, not under Protocols. DisableRenegoOnServer also blocks the renegotiation IIS uses
# to request a client certificate for only part of a site; leave it out if you rely on that.
$schannel.SetValue("AllowInsecureRenegoClients", 0, $dword)
$schannel.SetValue("DisableRenegoOnServer", 1, $dword)

# Disable insecure ciphers (Win XP / >IE8); enable secure ones
# Cipher key names use a forward slash ("DES 56/56"); a backslash would create a nested
# key "DES 56\56" that Schannel never reads.
$ciphers = $schannel.CreateSubKey("Ciphers")
# Insecure
$insecureCiphers = @(
    "NULL", "DES 56/56",
    "RC2 40/128", "RC2 56/128", "RC2 128/128",
    "RC4 40/128", "RC4 56/128", "RC4 64/128", "RC4 128/128"
)
foreach ($name in $insecureCiphers) {
    $ciphers.CreateSubKey($name).SetValue("Enabled", $off, $dword)
}
# Secure. Triple DES only stays on for legacy clients: its 64-bit block size is what the
# Sweet32 attack exploits, so disable it as soon as nothing depends on it. Current Windows
# documentation names the key "Triple DES 168", older documentation "Triple DES 168/168";
# setting both is harmless.
foreach ($name in "AES 128/128", "AES 256/256", "Triple DES 168/168", "Triple DES 168") {
    $ciphers.CreateSubKey($name).SetValue("Enabled", $on, $dword)
}

# Disable insecure hashes; enable secure ones
$hashes = $schannel.CreateSubKey("Hashes")
# Insecure
$hashes.CreateSubKey("MD5").SetValue("Enabled", $off, $dword)
# Secure
foreach ($name in "SHA", "SHA256", "SHA384", "SHA512") {
    $hashes.CreateSubKey($name).SetValue("Enabled", $on, $dword)
}

# Enable secure key exchange
$kex = $schannel.CreateSubKey("KeyExchangeAlgorithms")
foreach ($name in "Diffie-Hellman", "PKCS", "ECDH") {
    $kex.CreateSubKey($name).SetValue("Enabled", $on, $dword)
}

# Enable PFS: the ECDHE/DHE suites go first in the cipher suite order.
# CreateSubKey creates the whole policy path; OpenSubKey would return $null on a server
# where the Cryptography\Configuration\SSL policy key does not exist yet and the script
# would fail. Note: the order string is documented as limited to 1023 characters and this
# list is longer, so suites past the limit may be ignored. Trim it to what your certificate
# (ECDSA/DSS suites never negotiate against an RSA certificate) and your clients need.
$key = $hklm.CreateSubKey("SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002")
$suites = @(
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)
$key.SetValue("Functions", ($suites -join ","), [Microsoft.Win32.RegistryValueKind]::String)

# Schannel reads these values at boot: restart the server afterwards (Restart-Computer).
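The Functions value is where the actual PFS decision is made, so it deserves a check of its own. The following Python script is an added example, not part of the original script or of the linked download: it embeds the suite list exactly as the script writes it, audits it for ordering (forward-secret ECDHE/DHE suites first), for algorithms the script disables elsewhere (NULL, RC4, MD5) and against the 1023-character limit Microsoft documents for the cipher-suite order string, and then builds a trimmed order that fits. Treating 3DES as weak and the `cert_key` filter, which drops ECDSA/DSS suites because they never negotiate against an RSA certificate, are the example's own choices.

```python
"""Audit of a Schannel cipher-suite order string (the "Functions" value set above).

The suite list is embedded exactly as the script writes it, so the checks run offline.
"""
MAX_FUNCTIONS_LEN = 1023  # documented limit of the Schannel cipher-suite order string

# Suite list exactly as written to ...\SSL\00010002\Functions by the script above
PAGE_FUNCTIONS = (
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,"
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,"
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
)


def split_suites(functions):
    """Split the comma-separated order string into suite names."""
    return [s.strip() for s in functions.split(",") if s.strip()]


def is_forward_secret(suite):
    """Ephemeral (EC)DH key exchange gives forward secrecy; static RSA or DH does not."""
    return "_ECDHE_" in suite or "_DHE_" in suite


def weak_reason(suite):
    """Why a suite should not be offered at all, or None if it is acceptable."""
    if "_NULL_" in suite:
        return "NULL cipher"
    if "RC4" in suite:
        return "RC4"
    if suite.endswith("_MD5"):
        return "MD5 MAC"
    if "3DES" in suite:  # example's assumption: 3DES counts as weak (64-bit block, Sweet32)
        return "3DES (64-bit block, Sweet32)"
    return None


def audit_suite_order(functions):
    """Return a list of findings for an order string; an empty list means nothing to fix."""
    suites = split_suites(functions)
    findings = []
    if len(functions) > MAX_FUNCTIONS_LEN:
        findings.append(f"order string is {len(functions)} characters, limit is "
                        f"{MAX_FUNCTIONS_LEN}: suites beyond the limit may be ignored")
    seen_non_pfs = False
    for suite in suites:
        if is_forward_secret(suite):
            if seen_non_pfs:
                findings.append(f"{suite} is listed after a non-PFS suite")
        else:
            seen_non_pfs = True
        reason = weak_reason(suite)
        if reason:
            findings.append(f"{suite}: {reason}")
    if len(suites) != len(set(suites)):
        findings.append("duplicate suites in list")
    return findings


def trim_suite_order(suites, cert_key=None, limit=MAX_FUNCTIONS_LEN):
    """Build an order that fits the limit: forward-secret suites first (relative order kept),
    weak suites dropped, and, if cert_key is "RSA", "ECDSA" or "DSS", only suites whose
    authentication matches the server certificate (the others never negotiate)."""
    ordered = ([s for s in suites if is_forward_secret(s)]
               + [s for s in suites if not is_forward_secret(s)])
    kept = []
    for suite in ordered:
        if weak_reason(suite) or (cert_key and f"_{cert_key}_WITH_" not in suite):
            continue
        if len(",".join(kept + [suite])) > limit:
            break  # the order is by priority, so stop rather than skip
        kept.append(suite)
    return kept


if __name__ == "__main__":
    for finding in audit_suite_order(PAGE_FUNCTIONS):
        print("finding:", finding)
    rsa_order = trim_suite_order(split_suites(PAGE_FUNCTIONS), cert_key="RSA")
    print(f"{len(rsa_order)} suites, {len(','.join(rsa_order))} characters for an RSA certificate")
```

For the list above the audit reports the over-long string plus the two 3DES suites; trimmed for an RSA certificate it shrinks to the twelve ECDHE_RSA suites followed by the four AES RSA suites, well under the limit, which is the list a web server with an RSA certificate actually negotiates from.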

Download the PowerShell script for hardening IIS (rename it from .txt to .ps1 after downloading): IIS_ab_7_5_TLS1_2_PFS

Alternatively (and probably more up to date at any point in time): IIS Crypto by Nartac.