Vulnerability using GPO - SHA-1-based Signature in TLS/SSL Server X.509 Certificate

Suravind R 21 Reputation points
2022-10-10T08:54:48.307+00:00

Vulnerability Description: The SHA-1 hashing algorithm has known weaknesses that expose it to collision attacks, which may allow an attacker to generate additional X.509 digital certificates with the same signature as an original.

Vulnerability Solution: Stop Using SHA-1
Stop using signature algorithms relying on SHA-1, such as "SHA1withRSA", when signing X.509 certificates. Instead, use the SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512).

Can someone help me to create a GPO for remediate this GPO.

Windows
Windows
A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,849 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,287 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. JimmySalian-2011 41,926 Reputation points
    2022-10-10T09:49:28.823+00:00

    Hi Suravind,

    Basically you want to disable old TLS Cipher suite to harden the OS, you can check some of the articles with detailed steps and make sure it is tested and verified on the test / dev environment as some legacy applications might stop working.

    howto-disable-weak-protocols-cipher-suites-and-hashing-algorithms-on-web-application-proxies-ad-fs-servers-and-windows-servers-running-azure-ad-connect
    manage-tls
    SchannelGroupPolicy
    howto-disable-weak-protocols-cipher-suites-and-hashing-algorithms-on-web-application-proxies-ad-fs-servers-and-windows-servers-running-azure-ad-connect

    Hope this helps.

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments No comments

  2. Limitless Technology 44,001 Reputation points
    2022-10-11T15:39:34.403+00:00

    Hello there,

    Have you considered disabling SHA-1?

    SHA-1 hash function was deprecated by CA/B Forum due to the consideration that this hash function became practically vulnerable to collision attacks. Still, there is a number of browsers that do not support SHA-256 or a higher hash function, thus, a total disabling of SHA-1 cipher suites may lead to drastic interoperability issues.

    Unless you desperately require to forbid the server usage of SHA-1 cipher suites, there is an option to leave support for SHA-1 enabled, but configure the server preferences to use ciphers with a more secure hash function in the first place

    ---------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments No comments