Requiring TLS 1.2+ for LDAPS on Domain Controllers: Findings and Remediation

If LDAP over SSL (LDAPS) is enabled on your domain controllers (DCs), that is, properly formatted certificates are installed, it is worth checking whether the legacy TLS 1.0 and TLS 1.1 protocols and 64-bit block ciphers (3DES) are still being offered.

Although Microsoft plans to disable TLS 1.0 and TLS 1.1 in the near future, both protocols are still enabled by default on Windows Server 2022.

An nmap scan against a DC in a test environment produced the following result:

nmap --script ssl-enum-ciphers -p 636 'contoso-dc.contoso.com'
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-15 07:02 CET
Nmap scan report for contoso-dc.contoso.com (10.213.0.3)
Host is up (0.00088s latency).
rDNS record for 10.213.0.3: CONTOSO-DC.contoso.com

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: C
MAC Address: 00:17:FB:00:00:00 (FA)

Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds

As the output shows, TLS 1.0 and TLS 1.1 are still accepted, and the 3DES suite (TLS_RSA_WITH_3DES_EDE_CBC_SHA, graded C because of SWEET32) is offered not only under the legacy protocols but under TLS 1.2 as well, so disabling the old protocol versions alone would not remove it.

The best way to fix these findings is to deploy the relevant Schannel registry values through a Group Policy Object (GPO) rather than editing each DC by hand. The script below does that with the GroupPolicy RSAT module against a GPO that already exists and is linked to the Domain Controllers OU. Note that it only changes the Server keys, so the DCs' own outbound TLS client behaviour is left untouched, and Schannel reads these values at startup, so the DCs have to be rebooted after the policy applies before a rescan shows the change.

# Pre-existing Group Policy Object that is linked onto the Domain Controllers organizational unit
[string] $gpoName = 'Domain Controller Security Baseline'

# Disable TLS 1.0 for LDAPS and HTTPS servers
Set-GPRegistryValue `
-Name $gpoName `
-Key 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' `
-ValueName Enabled `
-Value 0 `
-Type DWord

# Disable TLS 1.1 for LDAPS and HTTPS servers
Set-GPRegistryValue `
-Name $gpoName `
-Key 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' `
-ValueName Enabled `
-Value 0 `
-Type DWord

# Disable 3DES (SWEET32 vulnerability) for LDAPS and HTTPS servers
Set-GPRegistryValue `
-Name $gpoName `
-Key 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168' `
-ValueName Enabled `
-Value 0 `
-Type DWord

# Make sure that TLS 1.2 support is enabled. This is turned on by default in the newer Windows versions.
Set-GPRegistryValue `
-Name $gpoName `
-Key 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
-ValueName Enabled `
-Value 1 `
-Type DWord

Set-GPRegistryValue `
-Name $gpoName `
-Key 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
-ValueName DisabledByDefault `
-Value 0 `
-Type DWord

# Make sure that SSL 3.0 has not been accidentally enabled for LDAPS and HTTPS servers.
Set-GPRegistryValue `
-Name $gpoName `
-Key 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' `
-ValueName Enabled `
-Value 0 `
-Type DWord

After the script has run, the GPO's registry settings look like this.

Once the policy has been applied and the DC restarted, rerunning the same nmap scan gives the following output:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-15 07:03 CET
Nmap scan report for contoso-dc.contoso.com (10.213.0.3)
Host is up (0.0026s latency).
rDNS record for 10.213.0.3: CONTOSO-DC.contoso.com

PORT    STATE SERVICE
636/tcp open  ldapssl
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A
MAC Address: 00:17:FB:00:00:00 (FA)

Nmap done: 1 IP address (1 host up) scanned in 3.40 seconds
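Nmap gives the outside view, but an AD admin usually also wants to confirm from the Windows side that the GPO actually landed on every DC and that the listener behaves accordingly. The following is an added example written for this page, not code from the original post or from dsinternals.com. It assumes WinRM is enabled on the DCs (for Invoke-Command), that the ActiveDirectory RSAT module is present on the workstation, and that the workstation's own Schannel client settings still allow TLS 1.0/1.1; if the client refuses those versions itself, a failed handshake proves nothing about the server.

```powershell
# Added example (not part of the original post): checks the Schannel registry
# state the GPO above writes, and performs a live handshake per TLS version on
# port 636 so you can see what the DC accepts without nmap.

function Get-SchannelServerState {
    # Reads the same keys the GPO sets. An absent key means "OS default", which on
    # Windows Server 2022 still means TLS 1.0/1.1 and 3DES are enabled, so
    # 'not set' must be treated as a finding for those entries, not as a pass.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
        foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
            $p = Get-ItemProperty -Path "$base\Protocols\$proto\Server" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Setting           = $proto
                Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { 'not set' }
                DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'not set' }
            }
        }
        $c = Get-ItemProperty -Path "$base\Ciphers\Triple DES 168" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Setting           = 'Triple DES 168'
            Enabled           = if ($null -ne $c.Enabled) { $c.Enabled } else { 'not set' }
            DisabledByDefault = 'n/a'
        }
    }
}

function Test-LdapsProtocol {
    # Opens a TLS session to the LDAPS port restricted to one protocol version and
    # reports whether the server accepted it. Certificate validation is bypassed on
    # purpose: the question is which versions the DC negotiates, not whether its
    # certificate chains on this workstation.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol,
        [int] $Port = 636
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, $Port)
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $trustAll)
        try {
            $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
            [pscustomobject]@{
                Server = $Server; Requested = $Protocol; Accepted = $true
                Negotiated = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm
            }
        }
        catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
            # Schannel surfaces a refused version as a handshake failure or a reset.
            [pscustomobject]@{
                Server = $Server; Requested = $Protocol; Accepted = $false
                Negotiated = $null; Cipher = $null
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

# Usage: registry view of one DC, then a live handshake per version against every DC.
Get-SchannelServerState -ComputerName 'contoso-dc' | Format-Table Setting, Enabled, DisabledByDefault
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    foreach ($version in 'Tls', 'Tls11', 'Tls12') {
        Test-LdapsProtocol -Server $dc -Protocol $version
    }
}
```

After the GPO has applied and the DCs have rebooted, the registry view should show Enabled = 0 for SSL 3.0, TLS 1.0, TLS 1.1 and Triple DES 168, and the handshake loop should report Accepted = False for Tls and Tls11 and Accepted = True for Tls12, which is the same picture the second nmap scan above gives. A DC that still reports 'not set' for TLS 1.0 or TLS 1.1 has not received the policy yet (check gpresult on that DC), and the handshake test against it will keep succeeding on the old versions.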

Hope this is useful.

Source: dsinternals.com
