Checking Server Security Settings

Version Information

Some protocols and ciphers are vulnerable and insecure (for example SSL3 and TLS1.0 protocols are vulnerable to POODLE attack). You need check what protocols and ciphers are used on your web-site.
To test the security you can use this web-site: https://www.ssllabs.com/ssltest/. Please navigate to this web-site and your web-site url - the url of the web-site you want to test.

We used in this example test.eccentex.com:

After testing you can view test result:

On the above screenshot you can see which protocols and ciphers are enabled or disabled on your server and which of them have weak security or insecure.

The screenshot below shows how more detailed information looks like:

AppBase installation scripts starting from version 6.5.33 and later have ability to enable/disable certain Security Protocol Types and Ciphers.

To enable / disable the types of security protocols or ciphers, follow these steps:

1) Open Command Prompt (Run As Administrator)

Start Command Prompt (cmd.exe) as administrator by right clicking it and selecting “Run as administrator”:

2) Change current directory to the directory where you put the substitution files, for example:

3) Now you can to execute command Server-ConfigureSecurityProtocols for enable/disable Security Protocol Types or Server-ConfigureSecurityCiphers for enable/disable Ciphers.

Both commands have same Action argument for which you can use one of two available values: 'Enable','Disable' to enable or disable the protocols or the ciphers.

Security Protocols

We recommend that you disable the following Security Protocol Types - SSL 3.0, TLS 1.0, TLS 1.1.

Command for disable these Security Protocol Types:

..\..\Scripts.2\InstallerMain.bat -Command Server-ConfigureSecurityProtocols -Protocols 'SSL30,TLS10,TLS11' -Action Disable

where SSL30,TLS10,TLS11 are alias for naming Security Protocol Types. 

The table for matching the protocol names to their aliases is located below:

To configure security protocols please use Server-ConfigureSecurityProtocols command, for example:

 ..\..\Scripts.2\InstallerMain.bat -Command Server-ConfigureSecurityProtocols -Protocols 'SSL30' -Action Disable

If for some reason you need to disable only SSL 3.0 and TLS 1.0, you can use such a command:

..\..\Scripts.2\InstallerMain.bat -Command Server-ConfigureSecurityProtocols -Protocols 'SSL30,TLS10' -Action Disable

The command above disables both 'SSL 3.0' and 'TLS 1.0' protocols. For disable more than one Security Protocol Type - use coma to separate Security Protocol Types.

Cipher Suites

We recommend that you disable all insecure and weak Ciphers.

Command for disable insecure and weak at the moment Ciphers on Windows 2012R2:

InstallerMain.bat -Command Server-ConfigureSecurityCiphers -Ciphers 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5' -Action Disable

Command for disable insecure and weak at the moment Ciphers on Windows 2016:

InstallerMain.bat -Command Server-ConfigureSecurityCiphers -Ciphers 'TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA' -Action Disable

If for some reason you need to disable Ciphers differing from those indicated by us, for example TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA you need use next command:

..\..\Scripts.2\InstallerMain.bat -Command Server-ConfigureSecurityCiphers -Ciphers 'TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA' -Action Disable

For enable/disable Ciphers, you need to use the Cipher names as on the web-site: https://www.ssllabs.com/ssltest/.

For disable more than one Cipher - use coma to separate Ciphers.

TLS Fallback SCSV

Transport Layer Security (TLS) is a standard for preventing interception and eavesdropping between a client (usually a web browser) and a server. It is the successor protocol to Secure Sockets Layer (SSL), which has been deprecated due to a significant number of identified security flaws. To work around interoperability problems with legacy servers, many Transport Layer Security (TLS) client implementations do not rely on the TLS protocol version negotiation mechanism alone but will intentionally reconnect using a downgraded protocol if the initial handshake attempt fails. Such clients may fall back to connections in which they announce a version as low as TLS 1.0 (or even its predecessor - Secure Socket Layer (SSL) 3.0) as the highest supported version.
While such fallback retries can be a useful last resort for connections to legacy servers, there is a risk that active attackers could exploit the downgrade strategy to weaken the cryptographic security of connections.
All unnecessary protocol downgrades are undesirable (e.g. from TLS 1.2 to TLS 1.1, if both the client and the server actually do support TLS 1.2); they can be particularly harmful when the result is loss of the TLS extension feature by downgrading to SSL 3.0.

The best solution to this vulnerability is to disable all security protocols below TLS 1.2, but sometimes when it is not possible to do so due to the use of third-party applications (that do not have the capability to work with the TLS 1.2 security protocol) - need to configure TLS Fallback SCSV (Signalling Cipher Suite Value) to protect the server from the downgrade strategy the cryptographic security of connections. In this case, you need use next command:

..\..\Scripts.2\InstallerMain.bat -Command Server-ConfigureSecurityTlsFallbackScsv