Third-party security scanning software reports weak IPSec Encryption

Recently I had a question about an error being produced by a third-party security scanning software package.

First let me say that this is less an error and more just information.

The error indicates that ISAKMP/IKE key exchange for IPSec could allow insecure connections from clients.  The error suggests that the OS can allow ISAKMP SA with weak settings to connect, only to be rejected later by a policy check.  Because the security scanning tool does not have VPN credentials, it is impossible for it to determine the difference so it logs it as a possible vulnerability.

The client VPN connections will continue on through the IPSEC level security settings and utilize the appropriate encryption.

The scanning software will suggest a possible solution of disabling the encryption algorithm DES with a key length of 56 bits and the exchange algorithm DH768, adding that secure encryption would be 3DES and DH1024.

As a side note, while older Windows clients can use DES, Windows Vista clients by default do not use DES and instead utilize 3DES and greater.

Please note that the scan may list a Potential Vulnerability not an actual Vulnerability.

More information:

DES 56 may be disabled via the registry:

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersDES 56/56] “Enabled”=dword:0

You can also disable ALL Diffie-Hellman in the registry (you cannot disable just DH768):

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELKeyExchangeAlgorithmsDiffie-Hellman] “Enabled”=dword:0

Changing these values do not affect IPSec and do not prevent this event from being logged by the security scanning software.

Related links:

Knowledge Base Article KB245030 – How to Restrict the Use of Certain Cryptographic Algorithms and Protocols

Microsoft TechNet – Virtual Private Networking with Windows Server 2003: Interoperability

– Michael Andreacola