
Three Windows Server SSL/TLS security flaws and how to fix them

Recent vulnerabilities in SSL and TLS, like Heartbleed and FREAK, have exposed flaws in Windows Server. Even patching may not be enough.

It wasn't that long ago when simply using SSL, or its successor TLS, on Windows servers was enough to ensure secure communications. Times have certainly changed. SSL and TLS have gotten a bad rap as of late -- and deservedly so. Several serious security flaws have been uncovered in the past year alone that you need to be aware of. Some of them affect Windows servers and some don't. Here's an overview of what you need to know:

Heartbleed is a flaw in OpenSSL (which is often run on Windows servers) in its implementation of the TLS heartbeat extension; it can give a remote attacker access to the memory of vulnerable servers and of the clients connected to them.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a man-in-the-middle vulnerability that affects SSL version 3.0 and TLS versions 1.0 through 1.2.

FREAK (Factoring Attack on RSA-EXPORT Keys) is a new vulnerability that allows an attacker to force a downgrade in encryption strength if both the browser and server are vulnerable.

There are also various SSL and TLS flaws dating back many years that can impact the security of a Windows server, including several that affect SSL version 2 and weak encryption ciphers. The interesting thing is that, based on my security assessment experience, most Windows servers are vulnerable to at least one of these flaws, and often several. They're often sitting out on the Internet, waiting to be exploited.

So, how do you find out whether these vulnerabilities exist on your Windows servers? It's pretty simple -- just a matter of doing the following:
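One part of that check can be done locally: Windows Server negotiates SSL/TLS through the SCHANNEL provider, whose per-protocol settings live in the registry. The PowerShell below is an added example, not code from the original article, that reports whether the legacy protocols named above (SSL 2.0, SSL 3.0 and the early TLS versions) are enabled on the server side, and includes a helper that disables a protocol with the usual Enabled=0 / DisabledByDefault=1 pair. It assumes the well-known SCHANNEL registry layout under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols; the function and parameter names are this example's own.

```powershell
# Added example (not from the original article): audit SCHANNEL protocol
# settings on a Windows server so legacy protocols such as SSL 2.0 and
# SSL 3.0 (POODLE) are found before an assessment or an attacker finds them.
# Assumed registry layout (standard Windows SCHANNEL convention):
#   HKLM:\...\SCHANNEL\Protocols\<protocol>\Server  (and \Client)
#   DWORD values: Enabled, DisabledByDefault
# A missing key means the OS default applies, which varies by Windows
# version, so it is reported as such rather than guessed.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyProtocols   = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocols = $LegacyProtocols,
        [ValidateSet('Server', 'Client')][string]$Side = 'Server'
    )

    foreach ($proto in $Protocols) {
        $path  = Join-Path (Join-Path $SchannelProtocols $proto) $Side
        $state = 'Not configured (OS default applies)'

        if (Test-Path $path) {
            $props             = Get-ItemProperty -Path $path
            $enabled           = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault

            if ($null -ne $enabled -and $enabled -eq 0) {
                $state = 'Disabled (Enabled=0)'
            } elseif ($null -eq $enabled -and $disabledByDefault -eq 1) {
                $state = 'Disabled by default (DisabledByDefault=1)'
            } elseif ($null -ne $enabled) {
                $state = 'Enabled (Enabled={0})' -f $enabled
            } else {
                $state = 'Key present but no Enabled value'
            }
        }

        [pscustomobject]@{
            Protocol     = $proto
            Side         = $Side
            State        = $state
            RegistryPath = $path
        }
    }
}

function Disable-SchannelProtocol {
    # Writes Enabled=0 and DisabledByDefault=1 for the protocol on both
    # sides. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [string[]]$Sides = @('Server', 'Client')
    )

    foreach ($side in $Sides) {
        $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $side
        if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0, DisabledByDefault=1')) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: report the server-side state of each legacy protocol.
Get-SchannelProtocolState | Format-Table -AutoSize

# Preview a fix without changing anything; drop -WhatIf to apply it.
# Disable-SchannelProtocol -Protocol 'SSL 3.0' -WhatIf
```

Run it in an elevated PowerShell session, since the SCHANNEL keys are under HKLM. SCHANNEL changes take effect only after a reboot, and they apply to every component that uses SCHANNEL on that host (IIS, RDP, Exchange and so on), so the registry audit should be paired with an external scan of the listening services to confirm what is actually negotiated on the wire.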

Having said all of this about the dangers of SSL and TLS, I'm not convinced that "data in transit" is where the real risks lie. Still, if your Windows servers are running versions of SSL and TLS that are known to be vulnerable to attack, you're asking for trouble. Consider what can happen. Best case, you'll get dinged in a vulnerability assessment or audit and will be required to fix the issues. Worst case, someone exploits the Heartbleed or similar flaw and you'll experience a breach. You really don't want to fall into either category.

The best place to be with Windows Server is to fix these pesky security issues and be done with them. But don't stop there. You have to be vigilant; this means upping your game on security testing and doing the maintenance required to keep your systems resilient to attack -- regardless of the perceived risks -- moving forward.

Next Steps

Read about hidden vulnerabilities in Windows Server IIS.

Find out more about the Heartbleed bug.

Your Exchange Server SSL configuration options.

This was last published in March 2015


Is your Windows Server at risk of SSL vulnerabilities?
Our organization has Microsoft Active Protection Program to help keep us up on the latest information that comes out for security updates. We hope we won't have these SSL vulnerabilities, but it always seems like there is a backdoor somewhere.
Thanks CCL36774. Like I mentioned in my reply to your other post, you can't secure what you don't acknowledge. Make sure you're performing adequate security testing. This website is a good start for SSL/TLS testing: