Web Server Supports Weak SSL Encryption Certificates
How to configure Apache v2 to not accept SSLv2 connections:
You will need to modify the SSLProtocol directive in the httpd.conf or ssl.conf file (SSLCipherSuite, which sits beside it, controls the cipher list rather than the protocol versions).
For example, edit the protocol line so that it reads:
SSLProtocol -ALL +SSLv3 +TLSv1
Restart the Apache process and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted. Note that SSLv3 is also considered broken today and is disabled by default in current Apache releases, so a stricter setting such as SSLProtocol all -SSLv3 is the usual choice where clients permit it.
How to configure Microsoft IIS to not accept SSLv2 connections:
You will need to modify the system’s registry.
Merge the following keys to the Windows registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Restart the system and ensure that the server is functional. Also retest using OpenSSL to confirm that SSLv2 is no longer accepted.
IIS denial of service (DoS)
Verify that URLScan 3.1 is installed; by default it lives under:
C:\WINDOWS\system32\inetsrv\urlscan
Check the current log in that directory; its header should show the installed version:
#Software: Microsoft UrlScan 3.1
#Version: 1.0
#Date: 2014-08-19 02:51:26
Verify that urlscan.ini contains the following [DenyUrlSequences] entries:
[DenyUrlSequences]
;
; If any character sequences listed here appear in the URL for
; any request, that request will be rejected.
;
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
~ ; don't allow ~ chars in the URL
/NUL. ; Don't allow DOS reserved filenames as valid files
/COM1
/COM2
/COM3
/LPT1
/LPT2
/PRN
/AUX
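To check that the deny list above actually rejects the request patterns it is meant to, the following added example (not part of the original page or of URLScan itself) parses a constructed urlscan.ini excerpt the way URLScan reads it, percent-decodes a URL once, and reports which sequence would reject it; case-insensitive matching is an assumption of the example.

```python
from urllib.parse import unquote

# Constructed urlscan.ini excerpt (not a file from the page's system); the
# [DenyUrlSequences] entries are those listed above, plus one other section.
URLSCAN_INI = """\
[RequestLimits]
MaxUrl=260
[DenyUrlSequences]
;
; If any character sequences listed here appear in the URL for
; any request, that request will be rejected.
;
..      ; Don't allow directory traversals
./      ; Don't allow trailing dot on a directory name
\\      ; Don't allow backslashes in URL
:       ; Don't allow alternate stream access
%       ; Don't allow escaping after normalization
&       ; Don't allow multiple CGI processes to run on a single request
~       ; don't allow ~ chars in the URL
/NUL.   ; Don't allow DOS reserved filenames as valid files
/COM1
/LPT1
/PRN
/AUX
"""

def parse_deny_sequences(ini_text):
    """Sequences under [DenyUrlSequences]; ';' starts a comment, other
    sections are ignored, as URLScan reads the file."""
    sequences, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop inline comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[denyurlsequences]"
            continue
        if in_section:
            sequences.append(line)
    return sequences

def is_denied(url, sequences):
    """First denied sequence found in the URL, or None. URLScan decodes the
    URL once before matching, so a '%' left after that pass means double
    encoding. Case-insensitive matching is an assumption of this example."""
    normalized = unquote(url).lower()
    for seq in sequences:
        if seq.lower() in normalized:
            return seq
    return None
```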