

Addressing SSL/TLS flaws on Windows Server

If you're running a known vulnerable version of SSL or TLS, you may be at risk for attacks. These factors will help you determine the threat level to your servers.

You know about the common SSL/TLS vulnerabilities associated with Windows Servers. Diagnosis is half the cure, but it's important to be proactive and make sure the weaknesses you've found are actually fixed, and soon.

If you're running one of the known vulnerable versions of SSL or TLS, you run the risk of having someone "own" your Windows servers or, at least, having sensitive data in transit compromised. The risk of a server's memory being read directly over the network (the Heartbleed scenario) might be considered "medium" or "high." The risk of data in transit being decrypted via a man-in-the-middle attack that exploits POODLE, SSL version 2 or weak encryption ciphers is lower, perhaps even nil, because the attacker first has to get between the client and the server. It just depends.

The following are various factors to consider when determining just how risky these SSL and TLS vulnerabilities are, along with how much urgency you need to put into getting them resolved:

Software versions running

There's no point in spinning your wheels on fixing something that doesn't need to be fixed. You can manually check your Windows servers to see if the proper patches are installed to address the recent SSL/TLS flaws (e.g. CVE-2014-0160, better known as Heartbleed; CVE-2014-3566, POODLE; and CVE-2015-1637, the Schannel FREAK flaw). That seems a bit tedious and error-prone. Keep in mind that Heartbleed is a bug in OpenSSL rather than in Schannel, so on a Windows server it's third-party software that bundles OpenSSL (web servers, VPN agents, management consoles) that carries that one, and a check of Windows Update alone won't find it. The quickest way to find these flaws is to use a vulnerability scanner such as Nexpose or Acunetix Web Vulnerability Scanner; MBSA will tell you about missing Microsoft patches but not about third-party OpenSSL or about your Schannel configuration. Don't overlook SSL version 2 and weak encryption ciphers as well. They all need to be addressed eventually.
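Patches fix the code bugs, but SSL 2.0, SSL 3.0 and weak ciphers are configuration, and on Windows that configuration lives in the Schannel registry keys. The following PowerShell is an added example, not code from the article or from Microsoft: it audits those keys on the local server and, with -Fix, writes the disabling values. The registry paths and the Enabled/DisabledByDefault values are the documented Schannel settings; the list of what to disable is an editorial choice for this example and should be reconciled with your own encryption standard before you run it with -Fix.

```powershell
# Added example: audit (and optionally harden) Schannel protocol and cipher
# settings on the local Windows server. Not from the original article.
# Run from an elevated PowerShell session; changes take effect after a reboot.
#Requires -RunAsAdministrator

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocols the article warns about (editorial list, not a vendor baseline).
$badProtocols = @('SSL 2.0', 'SSL 3.0')
# Cipher key names exactly as Schannel spells them (note the '/' in the names).
$badCiphers   = @('NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')

function Get-SchannelState {
    param([string]$SubKey)   # path relative to HKLM
    # The .NET registry API is used instead of the HKLM: provider because the
    # provider treats '/' in "RC4 128/128" as a path separator.
    $rk = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $rk) { return 'default (key missing)' }
    try {
        $enabled = $rk.GetValue('Enabled')
        # No key or no value means "Windows default", which on 2008/2012-era
        # servers leaves SSL 3.0 and these ciphers on, so treat it as a finding.
        if ($null -eq $enabled)  { return 'default (no Enabled value)' }
        if ([int]$enabled -eq 0) { return 'disabled' }
        return 'ENABLED'          # 1 or 0xFFFFFFFF both mean enabled
    } finally { $rk.Close() }
}

function Set-SchannelDisabled {
    param([string]$SubKey, [switch]$Protocol)
    $rk = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    try {
        $rk.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        # Protocol keys also carry DisabledByDefault so the version is not
        # offered even when an application does not set protocols explicitly.
        if ($Protocol) {
            $rk.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $rk.Close() }
}

function Test-SchannelHardening {
    [CmdletBinding()]
    param([switch]$Fix)

    $findings = @()
    foreach ($p in $badProtocols) {
        $key   = "$base\Protocols\$p\Server"
        $state = Get-SchannelState $key
        if ($state -ne 'disabled') {
            $findings += [pscustomobject]@{ Item = "Protocol $p"; State = $state; Key = "HKLM\$key" }
            if ($Fix) { Set-SchannelDisabled -SubKey $key -Protocol }
        }
    }
    foreach ($c in $badCiphers) {
        $key   = "$base\Ciphers\$c"
        $state = Get-SchannelState $key
        if ($state -ne 'disabled') {
            $findings += [pscustomobject]@{ Item = "Cipher $c"; State = $state; Key = "HKLM\$key" }
            if ($Fix) { Set-SchannelDisabled -SubKey $key }
        }
    }
    return $findings
}

# Audit only; add -Fix to write the disabling values (then reboot).
Test-SchannelHardening | Format-Table -AutoSize
```

Run it first without -Fix on a test server and read the output: any row whose State is not "disabled" is a listener that still negotiates that version or cipher. After -Fix and a reboot, re-run it and confirm the table is empty, then verify from the network (a scanner or an external handshake test) that the change actually took, since some applications ship their own TLS stack and ignore Schannel entirely.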

Server accessibility

Are your Windows servers running on your network perimeter or in the cloud? If so, the situation is likely a little more urgent given that they're directly accessible. Or, perhaps, they're accessible over an open (unsecured) wireless network that can facilitate a man-in-the-middle attack against an unsuspecting user.

Are the Windows servers in question only accessible internally? If so, the data-in-transit vulnerabilities might not be as critical. That said, all someone on your network has to do is run Cain & Abel's ARP Poison Routing feature to redirect the segment's traffic through their own machine, which defeats the isolation an Ethernet switch normally provides and gives them full access to the communication streams on that network segment. There's also the risk of malware already on your network exploiting Heartbleed via internal channels.
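Whether the server sits on the perimeter or on an internal segment, the question in both paragraphs above is the same: what does the listener actually accept from the vantage point an attacker would have? The following PowerShell is an added example, not code from the article: it uses the .NET SslStream class to attempt a handshake with each SSL/TLS version in turn and reports which ones the server accepts. The host name and port are placeholders you supply.

```powershell
# Added example: probe which SSL/TLS versions a listener accepts, run from the
# network position you are worried about (Internet side, or the internal segment).
# Not from the original article. Host and port are placeholders.

function Test-TlsProtocols {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    # We are testing protocol support, not certificate trust, so accept any cert.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $true
    }

    $results = @()
    # Ssl2 and Ssl3 are the versions the article warns about; Tls is TLS 1.0.
    foreach ($name in 'Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $proto = [System.Security.Authentication.SslProtocols]$name
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient
            $tcp.Connect($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
            # Offer exactly one version; success means the server negotiated it.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $results += [pscustomobject]@{
                Protocol = $name
                Accepted = $true
                Detail   = "$($ssl.SslProtocol) $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            }
        } catch {
            # A failure here means this client could not complete a handshake with
            # that version; see the note below before reading it as "server refuses".
            $results += [pscustomobject]@{
                Protocol = $name
                Accepted = $false
                Detail   = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }
    return $results
}

# Replace with the server you are assessing.
Test-TlsProtocols -HostName 'server.example.internal' -Port 443 | Format-Table -AutoSize
```

Read the "Accepted = $false" rows with care. The probing machine's own Schannel configuration governs what the client side will offer, so a Windows 10 or Server 2016 client that has SSL 2.0 and 3.0 disabled cannot tell you whether the target still accepts them, and the Detail column will show a client-side error rather than a server refusal. Run the probe from an older client, or use a dedicated tool such as a vulnerability scanner or the Qualys SSL tester mentioned below, when you need a definitive answer on the legacy versions. An "Accepted = $true" row, on the other hand, is unambiguous: that version is live on the listener.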

Information that's being processed or stored

What's running on your Windows servers in question? If a server is hosting a core ERP or customer-centric application environment, then you'll know that's where you need to focus your efforts. If a server is used for training or perhaps it's a QA system for your development team, it may not be as critical. Just keep in mind that it only takes a criminal hacker or rogue insider to compromise one system in order to get a foothold into your network environment -- especially if you don't have a layered set of compensating controls to keep them out.

Do you see the common theme here? You're setting yourself and your business up for failure if you don't address these flaws.

Once you determine which SSL or TLS vulnerabilities exist and need attention, you'll want to test the patches and configuration changes on a non-production system first to ensure you don't break anything, paying particular attention to older clients and integrations that may still depend on a version you're about to disable. I know it's a no-brainer, but I have to say it because I still hear stories of production servers taken down by Windows admins rushing and not taking the proper steps to do it right.

As you're bringing your Windows servers up to date, it's a great time to rethink your vulnerability testing and patch management approaches as well as your encryption standards and any related policies. If your processes and documentation are like most, there's room for improvement.

About the author:
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at and you can follow him on Twitter, watch him on YouTube and connect with him on LinkedIn.

Next Steps

Identify common SSL vulnerabilities in Windows Server

Updates in TLS 1.3 will help secure Internet communications

Enterprises face many problems, few answers for SSL security issues

Qualys, Inc. releases free public SSL tester amid growing concerns
