IIS Crypto 2.0

If you have a Microsoft web server and need to disable certain protocols or cipher suites, for example to make sure you are not using SSL 2.0, SSL 3.0 or DES 56/56, then IIS Crypto is a great tool for the job.

First, go to SSL Labs and run a scan on your site.

Once you have the results, if there are any encryption warnings for your site, you can use IIS Crypto to resolve them.

Go to the Nartac web site and download the tool.

There is nothing to install; you just run the exe and will be greeted by this screen.

From here it is a simple checkbox exercise to enable and disable what you need. It also means that rollback is easy if you find that something broke after making changes!

To make life even easier there is a “Best Practice” setting which will disable all “broken” encryption methods for you.

After you have made changes just hit apply and that’s it.

You can also scan your site from within this tool. Select “Site Scanner” from the left-hand menu and enter your site’s URL.

This time the scan should come back with no encryption issues.
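Because IIS Crypto works by editing the SCHANNEL registry keys, you can also confirm the result locally. The script below is an added example, not code from the original post or from IIS Crypto itself: a read-only audit that reports whether the weak protocols and cipher named above are still enabled on the server. It assumes it is run in an elevated PowerShell session on the IIS host.

```powershell
# Added example: read-only audit of the SCHANNEL settings that IIS Crypto edits.
# Not IIS Crypto's own code. Assumes an elevated session on the IIS host itself.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    param([string]$SubKey)
    # The .NET registry API is used instead of the HKLM: provider because cipher key
    # names such as "DES 56/56" contain a slash, which the provider reads as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$SubKey")
    if ($null -eq $key) { return 'not configured (OS default applies)' }
    try {
        $enabled = $key.GetValue('Enabled')
        if ($null -eq $enabled) { return 'not configured (OS default applies)' }
        # IIS Crypto writes Enabled = 0 to disable and 0xFFFFFFFF to enable.
        if ($enabled -eq 0) { return 'disabled' }
        return 'ENABLED'
    } finally {
        $key.Close()
    }
}

function Test-WeakSchannel {
    # Returns one object per check so the output can be filtered or exported.
    $checks = @(
        @{ Kind = 'Protocol'; Name = 'SSL 2.0';   SubKey = 'Protocols\SSL 2.0\Server' },
        @{ Kind = 'Protocol'; Name = 'SSL 3.0';   SubKey = 'Protocols\SSL 3.0\Server' },
        @{ Kind = 'Cipher';   Name = 'DES 56/56'; SubKey = 'Ciphers\DES 56/56' }
    )
    foreach ($c in $checks) {
        [pscustomobject]@{
            Kind  = $c.Kind
            Name  = $c.Name
            State = Get-SchannelState -SubKey $c.SubKey
        }
    }
}

# Anything reported as ENABLED, or left to the OS default on an older Windows release,
# should be revisited in IIS Crypto, since that default may still allow SSL 3.0 or DES 56/56.
Test-WeakSchannel | Format-Table -AutoSize
```

Note that a changed protocol setting only takes effect after a reboot, so run the audit after restarting the server.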

Till next time.

WebKnight for IIS Web Servers

For a while I’ve been testing different Web Application Firewall (WAF) solutions and I stumbled across WebKnight. The latest version is a paid-for product, but you can download the previous versions and use them for free.

WebKnight has many customisable features allowing IP blocking, URL scanning and logging. It’s compatible with OWA, WebDAV and ColdFusion, and also helps protect against SQLi, XSS and CSRF. It’s quick and easy to set up, and after using it for a while you should find it easy to customise so it gives you what you want.

You must have ISAPI filters enabled on the Web Server.

To install and start using it go to the Aqtronix website and download the latest free version which is currently 4.5.5.

Accept the terms and conditions, then select the complete version to install.

That’s it.

Next launch the configuration tool, as we need to create a log folder so WebKnight can create log files.

Create a folder somewhere then remember the path and folder name for the next steps.

Find the logging section and ensure the “Enabled” box is ticked, then enter the folder name in the box below it and the folder path in the box after that.

Save and close the configuration tool.

Then test your site to make sure you can still access it.

You can test by adding <script>alert(1)</script> to the end of your website’s address, then reloading the page to see if you get the block page (the default WebKnight page can also be replaced by your own custom page).

This will also show in your log file.

There are countless options to play around with and it would take forever to go through them all. Configuring these options is also a good way to learn about website defence. Change a few options and then test your website to see how it is affected. Use an online scanner and then check the log file to see what WebKnight is defending against.

Have fun.