Share via

Vulnerability using GPO - SHA-1-based Signature in TLS/SSL Server X.509 Certificate

Suravind R 21 Reputation points
2022-10-10T08:54:48.307+00:00

Vulnerability Description: The SHA-1 hashing algorithm has known weaknesses that expose it to collision attacks, which may allow an attacker to generate additional X.509 digital certificates with the same signature as an original.

Vulnerability Solution: Stop Using SHA-1
Stop using signature algorithms relying on SHA-1, such as "SHA1withRSA", when signing X.509 certificates. Instead, use the SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512).

Can someone help me to create a GPO for remediate this GPO.

Windows for business Windows Server User experience Other
Windows for business Windows Client for IT Pros User experience Other
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. JimmySalian-2011 42,491 Reputation points
    2022-10-10T09:49:28.823+00:00

    Hi Suravind,

    Basically you want to disable old TLS Cipher suite to harden the OS, you can check some of the articles with detailed steps and make sure it is tested and verified on the test / dev environment as some legacy applications might stop working.

    howto-disable-weak-protocols-cipher-suites-and-hashing-algorithms-on-web-application-proxies-ad-fs-servers-and-windows-servers-running-azure-ad-connect
    manage-tls
    SchannelGroupPolicy
    howto-disable-weak-protocols-cipher-suites-and-hashing-algorithms-on-web-application-proxies-ad-fs-servers-and-windows-servers-running-azure-ad-connect

    Hope this helps.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments
  2. Limitless Technology 44,751 Reputation points
    2022-10-11T15:39:34.403+00:00

    Hello there,

    Have you considered disabling SHA-1?

    SHA-1 hash function was deprecated by CA/B Forum due to the consideration that this hash function became practically vulnerable to collision attacks. Still, there is a number of browsers that do not support SHA-256 or a higher hash function, thus, a total disabling of SHA-1 cipher suites may lead to drastic interoperability issues.

    Unless you desperately require to forbid the server usage of SHA-1 cipher suites, there is an option to leave support for SHA-1 enabled, but configure the server preferences to use ciphers with a more secure hash function in the first place

    ---------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.