Too often in security there is a real issue that we need to address, and then there is the headline theoretical issue. An issue where, yes, someone, somewhere can be attacked, but to actually pull it off takes a lot of resources and a lot of time, and an attacker will only spend that on a high value target, not on an SMB server.
But because the risk makes headlines, we all run around and fix something that, while yes, I have to say it is a flaw, is not how we are likely to be hit. The reality is that we're far more likely to be attacked by some easier means. It reminds me of a caller on the Rick Steves travel radio show who asked about the risk of traveling to Paris in light of the terrorist attacks. While the risk of terrorism is there, the reality is that we're more likely to be killed here in the good old USA than while vacationing overseas. Yet because the terrorists have grabbed the headlines, they make us frightened and less likely to protect ourselves from the thing we really should be protecting ourselves from.
Take as an example the recent DROWN attack in the news.
Firstly, yes, any SMB network with the defaults left in place on its IIS websites is at risk for this attack. DROWN specifically abuses SSLv2, and the catch is that a server is exposed if *any* service that shares the same RSA key or certificate still speaks SSLv2, even if the website itself does not. So given the increasing broken-ness of SSL 2.0 and 3.0 (there is no deployable "SSL 1.0"; the protocols Schannel actually lets you switch off are SSL 2.0 and SSL 3.0), you should take action to disable both on your outward facing web server, or in the case of SBS and Essentials, that RWW/RWA web site, and on anything else using that certificate, such as Exchange's SMTP service. (More on what to do in a bit.) In fact you may want to kick it up one more notch and disable TLS 1.0, with the caveat that it will break RD Gateway/RWW if your remote clients are Windows 7 machines running the stock RDP client. If the remote workstations are Windows 8.1 or Windows 10, they support TLS 1.1 and 1.2 for RDP out of the box.
You can use the DROWN site to check if your server is vulnerable. Go to https://test.drownattack.com and run a scan. (Note for me the site has been throwing off bad gateway reports, so you may need to try it at a later time.)
But here's where reality hits the theoretical: so are a lot of other sites. For example take https://test.drownattack.com/?site=microsoft.com, which at the time I am writing this shows a ton of subdomains that are vulnerable.
While you are testing your domain, also have a look at https://www.ssllabs.com/ssltest/, as it's time to make sure your SSL certificate and the rest of your TLS configuration are what they should be.
I then highly recommend using this tool, https://www.nartac.com/Products/IISCrypto/, to disable SSL 2.0 and 3.0. For disabling TLS 1.0, however, the story is a little bit different. As this blog points out, Exchange 2010 may have issues with TLS 1.0 disabled. However, I've found that the biggest issue comes from RD Gateway. As Robert points out on his blog, disabling TLS 1.0 really impacts RD Gateway.
So what’s a paranoid person to do?
First don’t panic. This attack used cloud computing and time for it to be successful. An attacker is much more likely to throw a malicious ransom-ware at you than to use this attack against your server.
That said, taking the time to run the https://www.ssllabs.com/ssltest/ test on your site and use the https://www.nartac.com/Products/IISCrypto/ tool to AT LEAST disable SSL v1, 2 and 3 is a bare minimum best practice to do. Disabling TLS 1.0 requires additional analysis of the site to see if all external clients have migrated off of Windows 7.
This is an example of the tool on a web site I have (not an SBS box)
As you can see, the tool offers a Best Practices template and a PCI template. If you want to play it safe, apply Best Practices.
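For anyone who would rather script this than click through IIS Crypto (for example to push it to several boxes, or to have an audit trail), the example below is added here and is not code from the original post or from the IIS Crypto tool. It writes the same Schannel protocol registry values the tool writes: SSL 2.0 and 3.0 off, TLS 1.1 and 1.2 explicitly on, and TLS 1.0 off only when you pass the switch, which you should do only after the Windows 7 RDP client question above is settled. The function names (`Set-SchannelProtocol`, `Disable-LegacySsl`, `Get-SchannelProtocolState`) are this example's own.

```powershell
# Added example, not from the original post or from IIS Crypto. Sets the
# Schannel protocol keys directly. Run from an elevated PowerShell prompt;
# Schannel reads these keys at boot, so a reboot is required afterwards.
# Function names here are this example's own, not a Microsoft API.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,          # e.g. 'SSL 2.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled,
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path $SchannelRoot "$Protocol\$s"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 turns the protocol off outright; DisabledByDefault=1 keeps it
        # off unless an application asks for it by name. Set both so neither
        # IIS nor RD Gateway can quietly negotiate it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-LegacySsl {
    param([switch]$DisableTls10)
    # Bare minimum from the post: SSL 2.0 (DROWN) and SSL 3.0 (POODLE) off,
    # on both the server side and the client side (Exchange and RD Gateway
    # also make outbound TLS connections).
    foreach ($p in 'SSL 2.0', 'SSL 3.0') { Set-SchannelProtocol -Protocol $p -Enabled $false }
    # Make sure something modern is explicitly on before taking anything else away.
    foreach ($p in 'TLS 1.1', 'TLS 1.2') { Set-SchannelProtocol -Protocol $p -Enabled $true }
    if ($DisableTls10) {
        # Only once no Windows 7 machine with the stock RDP client still needs RWW/RD Gateway.
        Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
    }
}

function Get-SchannelProtocolState {
    # Read back what is actually configured, one row per protocol and side.
    # A missing value means the OS default applies, which differs by Windows version.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($s in 'Server', 'Client') {
            $key = Join-Path $SchannelRoot "$p\$s"
            $v = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = if ($null -ne $v -and $null -ne $v.Enabled) { $v.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $v -and $null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

# Usage (elevated PowerShell):
#   Disable-LegacySsl                 # SSL 2.0/3.0 off, TLS 1.1/1.2 on
#   Disable-LegacySsl -DisableTls10   # only after the Windows 7 RDP client check
#   Get-SchannelProtocolState | Format-Table -AutoSize
#   Restart-Computer                  # Schannel only picks the change up at boot
```

Two things this script deliberately does not do that the IIS Crypto Best Practices template does: it leaves the cipher suite order alone, and it does not touch the older PCT 1.0 entry. After the reboot, re-run the SSL Labs and DROWN scans against the public name; the registry telling you SSLv2 is off is not the same as the scanner confirming it from outside, and the scanner is what sees any other host still sharing your certificate.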
And while I'm here on my soapbox: if you ask me what specifically to do to get an SBS box to pass a PCI scan, I'll point you to Robert's blog post above, with the strong opinion that if you really read through the PCI documentation, you'd know in a heartbeat that an SBS box cannot possibly meet true PCI concepts. You are much better off, and safer, moving that credit card traffic onto its own network rather than sharing a network with an SBS box.
So, bottom line. Don't panic. Do disable SSL 2.0 and 3.0; that won't break any client you should still be supporting. Really think about how you are processing credit cards. And then really think about what we all really should be worried about: better ransomware defenses. Because that's where we are actually getting attacked on a daily basis.