Topic: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

Note:  rough draft (3 so far).  To be completed & download link added at a later date.

---------------------------------------
First, some background info:

A repost of http://forum.driverpacks.net/viewtopic. … 594#p57594

This issue is also relevant to those that use XPMode, BTW.
Perhaps we could refer to a statement (by perhaps number one fear-monger :lol):

Microsoft wrote:

"Important

    As of April 8, 2014, technical support for Windows XP and Windows XP Mode is no longer available, including updates that help protect your PC. This means that if you continue to use Windows XP or use Windows XP Mode on a Windows 7 PC after support ends, your PC might become more vulnerable to security risks and viruses. Therefore, to keep your Windows 7 PC secure after support ends, we recommend that you only use Windows XP Mode if your PC is disconnected from the Internet."

     quoted from:  http://windows.microsoft.com/en-us/wind … -windows-7

Here are some more aspects:

ChrisH wrote:

"I have XP-specific applications that won't run under wine or any later windows, as well as some windows-only applications, so for me an XP VM is an absolute requirement, which I've given some thought to.

You are at risk, but you can bring the risk down to an acceptable level by:

    1. Not browsing in the VM - do that in the host, copy files across as required.
    2. If there's some bizarre reason why you really must browse in the guest, throw all the browser-based security you can at it (strict noscript etc.) and only for the sites you really have to (and see item 4.).
    3. Cutting out all non-essential services from XP (especially network-related ones, but note that networking is used to share folders to the host).
    4. Running your VM from a file system that appears to be called immutable in the docs - it's reset to the starting conditions on shutdown. I asked about this here.
    5. or running still-supported security software on the guest (it's no use if you can't keep it up-to-date, which you can't if it loads from immutable storage).
    6. Firewalling the VM on the host (which I haven't done properly yet, so can't go into more detail, but basically close all the ports to start with)."

     quoted from Apr 30 at 15:43:  http://askubuntu.com/questions/458306/v … e-browsing

Here is one possible reason for recommending a linux VM.  That is, the very nature not only of the OS, but of some of the malware itself.

Joshua Cannell wrote:

"It’s not uncommon for the malware of today to include some type of built-in virtual machine detection."

     quoted from:  http://blog.malwarebytes.org/intelligen … detection/

Joshua Cannell wrote:

"It’s not so much what it can do, rather, it doesn’t want to do anything. Since average PC users don’t run their OS within a VM, it’s suspicious to be running in a virtual environment from the malware’s standpoint, as it drastically increases the likelihood that it’s being analyzed and/or reverse engineered. This is something the malware’s creator wants to prevent."

     quoted from:  http://blog.malwarebytes.org/intelligen … mment-5861

Of course, that doesn't preclude infection, just further aberrant behavior for the most part.
Virtual machine hosts can be vulnerable, even linux hosts.

ggalaxy wrote:

"A successful attack from Windows users will be as follows:
    * You installed wine application in ubuntu
    * you forget to configure UFW (the firewall)
    * you unintentionally clicked on a malware link from your win xp virtual box
    * you opened ports and didn't secure them
In your case, you are going to install WINDOWS XP in Virtual box, and VBox will create a disk image which will be impossible for users to get outside the disk image and mess with your Ubuntu; however, if you have wine in your ubuntu, and wrongly clicked a malware link from your Win XP virtual box, that will lead the attacker to your ubuntu and execute commands and harm your computer."

     quoted from Jan 9 at 20:21:  http://askubuntu.com/questions/403079/i … for-ubuntu

Apologies for not expanding upon security in VMWare.  Am hoping more people will offer insight.

Then again, there's the whole current flawed trust model.

Moxie Marlinspike wrote:

"Essentially, at some point a decision was made to anchor trust in an organization like Comodo, and now we’re locked into trusting them — forever."

     quoted from:  http://www.thoughtcrime.org/blog/ssl-an … henticity/

Dan Goodin wrote:

"Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. The vast majority of unauthorized credentials were presented to computers running antivirus programs from companies including Bitdefender, Eset, and others. Commercial firewall and network security appliances were the second most common source of forged certificates."

     quoted from:  http://arstechnica.com/security/2014/05 … tificates/

Few do think of updating those RootCerts & getting the current revocation update.  The RootCerts package is only an optional update for the masses, and curiously hasn't seen an update since before the Heartbleed revelation.

How long ago did schannel.dll (TLS/SSL) see an update?
  The latest i see for w2k is v5.1.2195.6960 from Apr 8, 2005.  That must be vulnerable in so many ways.
  The latest for xp is v5.1.2600.6370 from Mar 28, 2013, so that should be OK for at least a little while.  That seems to indicate pro-activity on MS's part.
  2k3's latest is v5.2.3790.5014 from June 4, 2012.  Curious that the supported OS has the older implementation, unless i have miscalculated the latest update for 2k3.  (25000 Servers a day need 2k3 updated before July of next year???)

  Is that the revision of schannel.dll in XPMode?

"Secure channel (aka SChannel) - Introduced in Windows 2000 and updated in Windows Vista to support stronger AES encryption and ECC [6] This provider uses SSL/TLS records to encrypt data payloads. (schannel.dll)"

     quoted from:  https://en.wikipedia.org/wiki/Secur … _Interface

  XP lacks support for stronger AES encryption and ECC?  I think the availability of something like P-521 or greater is something that should be available in today's day & age (especially in light of recent WPA2 vulnerabilities - recommendations of usage of greater complexity encryption at minimum).
There is an update for 2k3 to support AES256-SHA at least.  https://support.microsoft.com/kb/948963
  Perhaps one approach would be to disable support for the lowest and least secure ciphers.  See http://support.microsoft.com/kb/245030.  Those could go into the changelog.

Anyway, how should an advisory read (perhaps in addition to "* use at your own risk *" in networking packs) ?     hmm
  "Avoid networking entirely on Win2000 unless it is a private wired and isolated network.  XP/2k3 will eventually and not necessarily in succession receive the same recommendation."???

  Check the changelogs and see if you disagree moderately to vehemently against any statement within, please.

Integrating official updates into one's source does seem like another proactive approach.  Of course, that is a whole other kettle of fish.
  There are some recent KB updates for xp that so-far seemingly have improved usb stability/performance from textmode on.
  Wouldn't integrating KB network files & related inbuilt protocols/drivers, etc. offer one less flaws and greater stability than what is stock for XPMode?  (What is stock in a XPMode distro?  I don't know.)

Ooo, XP sees another update, one for SilverLight --> http://www.microsoft.com/en-us/download … x?id=42250
  Just as well --> http://arstechnica.com/security/2014/05 … -the-rise/

OK; thanks for reminding me about the first post.  Will decorate the changelogs and get that up.  No wonder that one seems so popular.  d'oh.      :u

   ...

CAPICOM is not preferred at all.

The MMC.exe snap-in for "IP Security Policies" allows one to enable PFS (as referenced in the Robert Love article above, iirc.) for kerberos.  It looks like it might be possible to restrict further unsecured and other insecure communication, but i'm so far uncertain the entire affected (mountain) range.

Disabling DES seems wise, though i see no option for adding TLS there (bummer).  Disabling MD4 hashing there seems relevant too.  Kerberos is therefore best limited to 3DES, unless somebody has other ideas.

Is kerberos used for Windows Update?  Would PFS be supported on the other end of the connection?

---------------------------------------

Of course, WiFi drivers & other browsers may have their own security routines, and may or may not be affected by any of the aforementioned registry goodies.
    (FireFox/IceWeasel/etc-about:config-Security.TLS.VersionMinimum="1" = KB3009008)

There is also a (lite) OpenSSL package available as a Windows port

See MicrosoftFixit50588 for MS-CSSP via KB951608; the info concerning the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3 is definitely worthy of a gander (even if you are not from Newfoundland), imho (rotflmao).

The AutoPatcher community has some AAA-rated registry tweaks of their own, by the bye.
Lsa-LMhash/disallowAnonymous/AddLocalComputerToIEzones/etc/etc

Hasn't mdgx got some noteworthies as well?

   ...

Repost from http://forum.driverpacks.net/viewtopic. … 479#p58479:

Note that 5eraph's specific SA3009008 solution appears incomplete at best, and perhaps even erroneous.
Look at the last two lines of that post, where TLS 1.0 is "enabled" with a 0x01.  That is apparently incorrect.

Microsoft wrote:

"To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Or, change the DWORD data to 0x0. If you do not configure the Enabled value, the default is enabled."
     http://support.microsoft.com/kb/245030   see also:  http://support.microsoft.com/kb/187498 & http://support.microsoft.com/kb/811833

Is this not also true for protocols?

Hermann Wolf wrote:

"I also added the key SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 with Enabled=1 and rebooted again but the SSLScan.exe output is always the same"
     http://forums.iis.net/t/1187790.aspx

What of the value "DisabledByDefault"=dword:00000001?  I don't know which takes precedence.  RC4 128/128 disabling/undo should be included.  Win2k & 2k3 solutions are also missing thus far.  Can AES work on XP?

  It does highlight the dire need for confirmation via testing.
There is a program that will test supported ciphers (except TLS 1.1 & 1.2).
  http://code.google.com/p/sslscan-win/
Here is some sample output, thanks to Wayne Zimmerman --> http://www.waynezim.com/2011/03/how-to- … rs-in-iis/

  Are there any UpdatePacks that include the full set of solutions?  I haven't seen any so far.  Correct me if i am wrong, please.

Outbreaker wrote:

... "people won't be able to connect to outdated HTTPS servers."

That is apparently actively being encouraged for servers.

Robert Love wrote:

"I advocate disabling SSLv3 support, which breaks Internet Explorer 6 on Windows XP, but prevents a downgrade attack for everyone else. If we're willing to drop support for all versions of Internet Explorer on Windows XP (Which likely just means the addition of IE 7 and 8), we can accomplish two other goals:
     http://blog.rlove.org/2014/04/the-end-o … p-and.html

  Also see:  http://blog.rlove.org/2013/12/strong-ssl-crypto.html


It's a bit of a sticky wicket, and it seems better to include it here as optional, as nobody other than 5eraph seems to have included any solution for NT5.
  I like to be able to confirm that the NULL cipher cannot be used with TLS 1.0 for instance, in my humble opinion.
  SSLScan seems to make that verification a little easier too.

Actually, as far as download is concerned,
  v1.0 is available here, in the LAN pack:
    --> http://forum.driverpacks.net/viewtopic. … 473#p58473  smile
  v2.0 to follow ...

Note:  there is no undo file for Harden_XP_TCPIP_Stack_by_GH0st.reg  hmm

Last edited by TechDud (2015-01-20 03:22:52)
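The post above leans on SSLScan to confirm what the registry mods actually changed (and notes that the Windows build skips TLS 1.1 and 1.2). What follows is an added example of the same kind of check written in Python for this page; it is not SSLScan, not the zip's contents, and not code from anyone in this thread. It builds a raw ClientHello at one chosen record/handshake version, offering only the cipher suites you name, and reports whether the server answered with a ServerHello at that version, with an alert, or with nothing. It runs from a Linux host (where the author does his browsing) against the NT5 guest's IIS port. The host 192.0.2.10 and port 443 in the main block are placeholders, and the suite table is a hand-picked subset of IANA codes rather than Schannel's full list.

```python
# Raw ClientHello probe for checking what a Schannel server actually accepts.
# Added example for this thread; it is not SSLScan and not code from any post here.
# One probe per protocol version, offering only the cipher suites you name, then
# classify the first record the server sends back.
import os
import socket
import struct
import sys

# Wire versions (major, minor) used in both the record header and the ClientHello body.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}

# Hand-picked IANA suite codes, not Schannel's full list.  The NULL suites are the
# ones the thread wants to see refused; the rest are typical NT5 RSA suites.
SUITES = {
    "TLS_RSA_WITH_NULL_MD5": 0x0001,
    "TLS_RSA_WITH_NULL_SHA": 0x0002,
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_DES_CBC_SHA": 0x0009,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
}


def build_client_hello(version, suite_codes, client_random=None):
    """One handshake record carrying a ClientHello at `version` offering only `suite_codes`."""
    major, minor = version
    suites = b"".join(struct.pack("!H", c) for c in suite_codes)
    body = (
        bytes([major, minor])                          # client_version
        + (client_random or os.urandom(32))            # 32-byte random
        + b"\x00"                                      # session_id: empty
        + struct.pack("!H", len(suites)) + suites      # cipher_suites
        + b"\x01\x00"                                  # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # type=ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record in `data`.
    Returns (status, detail) with status in 'accepted', 'alert', 'closed', 'unknown'."""
    if len(data) < 5:
        return ("closed", "no record (connection closed or empty reply)")
    content_type, major, minor = data[0], data[1], data[2]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:                        # Alert
        return ("alert", {"level": payload[0], "description": payload[1]})
    if content_type == 0x16 and len(payload) >= 41 and payload[0] == 0x02:  # ServerHello
        sh_version = (payload[4], payload[5])          # after type(1) + length(3)
        sid_len = payload[38]                          # after version(2) + random(32)
        if len(payload) >= 41 + sid_len:
            suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
            return ("accepted", {"version": sh_version, "cipher_suite": suite})
    return ("unknown", {"content_type": content_type, "record_version": (major, minor)})


def probe(host, port, version_name, suite_names, timeout=5.0):
    """Send one ClientHello and classify the reply.  'negotiated-other' means the server
    answered with a ServerHello at a different version than the one offered."""
    version = VERSIONS[version_name]
    hello = build_client_hello(version, [SUITES[s] for s in suite_names])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    status, detail = parse_server_response(data)
    if status == "accepted" and detail["version"] != version:
        status = "negotiated-other"
    return status, detail


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder: the NT5 guest
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name in VERSIONS:
        print("%-8s all listed suites: %s" % (name, probe(host, port, name, list(SUITES))))
    null_only = ["TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_NULL_SHA"]
    print("TLSv1.0  NULL suites only: %s" % (probe(host, port, "TLSv1.0", null_only),))
```

A 'closed' or 'alert' reply to the SSLv3 probe and to the TLS 1.0 NULL-only probe is the result the post is after; an 'accepted' reply to either means the corresponding key did not take effect, or that the scanned port is fronted by something other than Schannel. The probe reads only the first handshake message and ignores extensions, so it says nothing about the certificate or key exchange, which is SSLScan's job.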

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

updatum abovum ^

From harkaz's "Welcome to Windows XP Service Pack 4":

Quote of harkaz:  "Windows XP SP4 security enhancements: Windows XP SP4 includes registry updates to enhance security. I want to thank Stefan Kanthak, a security expert who has kindly given me the necessary information. These security enhancements address issues not fixed by Microsoft updates.
This is an example of security vulnerabilities fixed by Stefan's registry updates: http://seclists.org/fulldisclosure/2013/Oct/151"
     quoted from:  http://www.ryanvm.net/forum/viewtopic.php?t=10321

Stefan Kanthak's registry updates also affect files referenced elsewhere in this topic.
  Highly recommended, unless you are already using harkaz's unofficial Windows XP Service Pack 4, as he already includes them, iirc.

Last edited by TechDud (2015-01-20 04:22:15)

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

v2
·NT5_IIS_KB245030-3009008_Schannel_Registry_Mods_Jan23-2015.zip - 16.12 KB   DFF41B057D701D6BB487BD5148675717CD3FA3D1

* not for 2k3 or above

Last edited by TechDud (2015-01-25 09:31:40)

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

Do you know what "Multi-Protocol Unified Hello" is doing? Google was not really helpful. smile

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

Hope I'm replying in the proper thread.

TechDud wrote:

[quoted from: 2015-01-19 09:29:26 UTC]

@Outbreaker - please let 5eraph in on this.  It would be cool if he could use whatever he likes.  I look forward to eventually joining that community, but not at this time.  We need some good members of both communities to help weave a greater community.

He just did.  It's been over eight years since I've replied here.  Nice to know my login still works.  smile


TechDud wrote:

[quoted from: 2015-01-07 09:22:51 UTC]

Note that 5eraph's specific SA3009008 solution appears incomplete at best, and perhaps even erroneous.
Look at the last two lines of that post, where TLS 1.0 is "enabled" with a 0x01.  That is apparently incorrect.

Microsoft wrote:

"To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Or, change the DWORD data to 0x0. If you do not configure the Enabled value, the default is enabled."
     http://support.microsoft.com/kb/245030   see also:  http://support.microsoft.com/kb/187498 & http://support.microsoft.com/kb/811833

Is this not also true for protocols?

To be fair, I can't take credit or blame for the solution I offer.  It consists almost entirely of Microsoft's recommendations from SA3009008.  Beyond what Microsoft suggests, I made an assumption and added the Enabled values of 1 to the TLS 1.0 registry keys.  I don't know if protocol entries should share the same values as cipher algorithm entries.  Wasn't aware Enabled could take any values other than 0 or 1, despite it being a DWORD.  wink

I'll gladly remove the TLS 1.0 entries if there are any objections.  Don't know how to test the effectiveness of different values on my PC.


Outbreaker wrote:

[quoted from 2015-01-07 04:54:37 UTC]

i think [XP_KB3009008_Schannel_Registry_Mods_by_TechDud.zip] should not be forced unto users because with this patch people won't be able to connect to outdated HTTPS servers.

Don't have this ZIP, so I can't comment on everything it contains.  Haven't looked too closely at the latest release yet:  NT5_IIS_KB245030-3009008_Schannel_Registry_Mods_Jan23-2015.zip.  And can't really comment intelligently on the suggested workarounds for IIS given in SA3009008--don't know how to test them.  But the IE suggestion has already been implemented in Firefox, and is sure to follow in other browsers.

Richard Barnes wrote:

[quoted from Mozilla Security Blog]

SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25 [2014].

Microsoft has announced in SA3009008 that SSLv3 will be disabled in IE "over the coming months."  When that happens, I'll remove that code from my XPx64 update pack and POSReady addon.  I expect the fix will be included in the ieuinit.inf file of a future cumulative IE update, where an old registry entry for SecureProtocols already exists.

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

Great to see you here again 5eraph, we kept the lights on for ya too big_smile!

One more time, because i think it's fun TD.
Windows is a synonym for malware, everyone already knows if you run windows you get viruses. You're whipping the dead horse again... LOL. You want security run Linux / Unix. You can try to make the argument that supported MS OS's are less likely to be infected than older ones, but good luck with that. ROFL.

I think you should put a positive spin on it.

We have gone to great lengths to protect you from evil forces, nothing is perfect, please make backup / recovery options part of your program (this applies to everything, not just old windows OS's).

big_smile

DP BartPE Tutorial   DP_BASE Tutorial   HWID's Tool     Read BEFORE you post    UserBars!
http://driverpacks.net/userbar/admin-1.png
The DriverPacks, the DP_Base program, and Support Forum are FREE!.

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

OverFlow, didn't anyone tell you to not click on files like "MySexyPics.zip.exe". lol

Last edited by Outbreaker (2015-01-25 18:46:14)

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

@5eraph - Hello, greetings, & welcome back to this forum.
Have read some of your work years ago relating to 9x, and you, Gape, mdgx, problmchyld, etc, etc @MSFN were helpful to me, and i appreciate such open philosophy.

I hope i finally have returned the favor.  Have removed my name from the title, as it includes some of your work.  I hope it can help the "lunatic fringe" that insist on running XP online (clearly without a safety net AND scissors in hand)

For testing, perhaps see SSLscan tool linked above.

Many like being able to make repeatable tests, and hope to eventually see a topic somewhere somehow and by somebody on how to verify these things for themselves independently.  I have a topic with a similar theme for Graphics where a list of tools can verify (ati) graphics issues, for instance.

Structure seems different in this reply (quoted from link below):

Marc Novak wrote:

"The correct REG_DWORD values are:
..\SSL 3.0\Client
DisabledByDefault : 1
..\SSL 3.0\Server
Enabled : 0"

This work should be verified and expanded to encompass NT6, but i'm not set up for that now.

I wonder if there are other configs that can be tweaked for other libraries than schannel.dll & kerberos.dll (KB2478971<-xp/2k3->KB3011780).
Quote of wikipedia:  "Kerberos uses UDP port 88 by default."
I take it not many people other than those on Domains have that port open?  (am using linux for internet, so cannot confirm nor deny)

Thank you again.

-----------------------------------
@Outbreaker - Actually, a Search did yield something intriguing, but nothing definitive yet.

Theantioch wrote:

"We are currently using Exchange 2013 CU6 on Server 2012 R2 with the latest patches. Due to the poodle vulnerability we are attempting to disable SSLv3. We started by using IIS Crypto, however it indicates that SSLv3 is not a supported cipher suite, it only identifies multi protocol unified hello and pct 1.0 as the only valid cipher suites. SSLv3 is also disabled in the registry. A Qualys scan of the exchange server still indicates SSLv3 is supported. How can we disable this?"
https://social.technet.microsoft.com/Fo … esvrdeploy

Others have intimated, but not confirmed, that the HelloWorld protocol is somehow related to SSLv2 & SSLv3 intercommunication.

Am thinking, "turn that sh*t off!"  :lol

PCT??? Nice.  You were saying, Jeff?  (about viruses, et al)

Last edited by TechDud (2015-01-26 02:01:09)
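The question raised twice in this thread, whether `Enabled` must be 0xffffffff or whether 1 will do, and what `DisabledByDefault` adds on top of it, is easier to reason about if the .reg file is read back mechanically against the KB245030 wording quoted above. The script below is an added example written for this page; it is not the contents of the Jan23-2015 zip, nor 5eraph's or Marc Novak's settings. It parses a .reg file, applies only the rules the thread has quoted (Enabled absent means default, Enabled=0 means disabled, Enabled=0xffffffff means enabled, any other nonzero value is flagged for testing rather than judged either way), reports `DisabledByDefault=1` the way Microsoft documents it for later Windows without claiming NT5 honours it, and writes the undo file the thread notes is missing by deleting each value the mod set. The embedded .reg text is a constructed sample in the style of the posted mods, including the TLS 1.0 `Enabled=1` entry under discussion.

```python
# Schannel .reg audit + undo generator.  Added example for this thread, not the
# contents of the posted zip and not anyone's registry settings from the posts.
# Rules applied, taken from the KB245030 text quoted in the thread:
#   Enabled absent       -> default ("If you do not configure the Enabled value, the default is enabled")
#   Enabled = 0          -> disabled
#   Enabled = 0xffffffff -> enabled (the documented value)
#   Enabled = other      -> flagged for a scan; KB245030 documents only 0 and 0xffffffff
#   DisabledByDefault=1  -> reported for Protocols\*\Client|Server keys as Microsoft documents
#                           it on later Windows; whether NT5 honours it is open on this page.
import re
import sys

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
DOCUMENTED_ENABLE = 0xFFFFFFFF

# Constructed sample in the style of the thread's mods; not the real zip contents.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|(-))$')


def parse_reg(text):
    """Map each key path to {value_name: int} (None = value deleted with '=-');
    a key deleted with [-HKEY...] maps to None.  Only dword and '=-' lines are read."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name.startswith("-"):
                keys[name[1:]], current = None, None
            else:
                current = name
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = None if m.group(3) else int(m.group(2), 16)
    return keys


def classify(rel_path, values):
    """Verdict string for one SCHANNEL subkey (path relative to the SCHANNEL key)."""
    enabled = values.get("Enabled", "absent")
    if enabled == "absent" or enabled is None:
        verdict = "default (Enabled not configured; KB245030: default is enabled)"
    elif enabled == 0:
        verdict = "DISABLED (Enabled=0)"
    elif enabled == DOCUMENTED_ENABLE:
        verdict = "enabled (Enabled=0xffffffff)"
    else:
        verdict = "CHECK: Enabled=0x%08x is not a value KB245030 documents; confirm with a scan" % enabled
    if rel_path.lower().startswith("protocols\\") and values.get("DisabledByDefault") == 1:
        verdict += "; DisabledByDefault=1 (not offered unless the application opts in)"
    return verdict


def audit(text):
    """[(relative SCHANNEL path, verdict)] for every SCHANNEL key the .reg touches."""
    prefix = SCHANNEL.lower() + "\\"
    results = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(prefix):
            rel = key[len(prefix):]
            results.append((rel, "key deleted (reverts to default)" if values is None
                            else classify(rel, values)))
    return results


def make_undo_reg(text):
    """Undo file: delete ('=-') every value the mod set, returning it to 'not configured'.
    This restores the built-in default, not a value that existed before the mod."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, values in parse_reg(text).items():
        if values is None:   # a [-key] deletion cannot be undone from the mod file alone
            out += ["; [%s] was deleted by the mod; old contents unknown, no undo emitted" % key, ""]
            continue
        out.append("[%s]" % key)
        out += ['"%s"=-' % name for name in values]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()
        # regedit exports UTF-16LE with a BOM; hand-written .reg files are usually ANSI/UTF-8
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")
    else:
        text = SAMPLE_REG
    for rel, verdict in audit(text):
        print("%-32s %s" % (rel, verdict))
    print("\n--- undo ---\n" + make_undo_reg(text))
```

Run it as `python schannel_reg_audit.py your_mods.reg` (the filename is a placeholder). The audit reads the file, not the live registry, so the sequence the thread asks for still stands: apply the mod, reboot, then scan the host; the CHECK verdict on the TLS 1.0 client key is there precisely because the page has no scan result for `Enabled=1` either way. The undo restores "not configured", which KB245030 says is the built-in default; it cannot put back a value that was already present before the mod was applied.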

Re: NT5 KB245030-3009008 IIS SSL registry tweaks, etc.

Outbreaker wrote:

OverFlow, didn't anyone tell you to not click on files like "MySexyPics.zip.exe". lol

Now you tell me hmm

techdud wrote:

the "lunatic fringe" that insist on running XP online (clearly without a safety net AND scissors in hand)

Woo Hoo. Look at me! LOL

I think that is EXACTLY the warning you should use big_smile big_smile big_smile !
