We received informaition from our security team when they did a scan on our Unity server...."the remote host supports the use of SSL ciphers that offer weak encryption or no encryption at all" I have found some articles on the web (Microsoft) to edit the registry key so that nothing lower than 128 bit encryption is accepted. I am looking for a Cisco paper to agree or disagree with this...can anyone help?
So, this isn't an uncommon security alert when you have your system scanned. One thing to keep in mind is the placement of your server and who/what it is accessed for. In any case, you're not likely to find a Cisco doc that references this specifically. Instead, if you really want to move forward with making the appropriate registry changes then you'll want to open a TAC case and find out if this is supported or not. In terms of further info on your issue:
The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all. This vulnerability is valid for all SSL/TLS sessions that are passing sensitive information. PCI defines strong cryptography, for secret key based systems, as anything above 80 bit encryption.
The solution to this is very simple but requires registry tweak again. Following are the steps:
Click Start, click Run, type regedt32 or type regedit, and then click OK.
In Registry Editor, locate the following registry key:
Locate the ciphers which have encryption less than 128 bit.
Create DWORD values named Enabled and Value 0 for each of them, just as the previous case.
For convenience, I have marked them with red arrows in the picture above.
System Restart is NOT required for this.
Now the server is secured. The above mentioned security issues are the major ones that most of the systems have. However other than this, there may be some easy and minor vulnerabilities like:
Using robots.txt in the pages. (Generally inserted by Web Marketing team to track user hit).
Directory Scanner: Common directories are revealed. This can be resolved by URL rewriting and setting “Directory Browsing” off.
Note: For the above vulnerabilities, minor registry tweaks will be necessary. So it is strongly recommended to back up the registry before doing anything. By any chance if something gets messed up, just delete the SCHANNEL key and restart the machine, the key will be auto-generated.
I am in the same boat, our security team also ran the security scan on Unity connection 7.1(5b)su4 that says..."This host supports the use of SSL Ciphers that offer medium strength encryption, which we currently regards as those with key length 56 bits and less than 112 bits"
I’ll highly appreciate if you can give some pointers of your solution...