Does Qualys actually scan for the registry settings for RC4 and other ciphers? In doing research I had this question come to me: does it actually scan for the registry settings and, if not there, flag it as a vulnerability?
Yes. During vulnerability scanning, Qualys scans registry settings, and if a configuration setting is missing or vulnerable, it is marked as a vulnerability and a possible solution to fix it is provided.
In the case of RC4, Qualys is not checking the registry. It is simply probing the listening service to see what ciphers it responds with as available. You can do the same check using TestSSLServer. I've found it's beneficial that Qualys does the cipher checks in this manner because you're checking the effective configuration rather than the configuration as defined, which can sometimes be different (e.g., pending reboot).
Like Jordan noted, cipher and SSL/TLS protocol scans are passive in that they query the host for open ports and initiate connections with the listening service to determine available ciphers etc. This is good but also a pain. The results Qualys provides simply show that RC4 ciphers (or others) were offered over the port identified. If it included the service, it would save everyone a lot of time hunting down the source. Simply probing the registry, i.e., in SCHANNEL, will only provide you detection at the OS level. You will miss all the random applications/agents running their own SSL/TLS stack and using different ports (like JBoss, Apache, Nagios, Splunk etc.).
It would be great if Qualys would include the service detected with the port and the cipher...
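Added example, not from the thread or from Qualys: a PowerShell helper that does the "hunting down the source" step the post describes, mapping each port in a finding to the listening process and, for ports hosted inside svchost.exe, to the Windows service behind it. The port list is a hypothetical Qualys finding (3389 is the RDP case from the thread); it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and the CIM cmdlets, and an elevated session so process paths are readable.

```powershell
# Added example (not from the thread): map a port from a "RC4 offered on port N"
# finding to the process and service that own the listener.
# Assumes Windows 8 / Server 2012+ and an elevated local session.
function Get-ListenerOwner {
    param([Parameter(Mandatory)][int[]]$Port)

    foreach ($p in $Port) {
        $listeners = Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue
        if (-not $listeners) {
            # Nothing listening now: the finding may be stale or the service may be down
            [pscustomobject]@{ Port = $p; LocalAddress = $null; ProcessId = $null
                               ProcessName = 'not listening'; Service = $null; Path = $null }
            continue
        }
        foreach ($l in ($listeners | Sort-Object OwningProcess -Unique)) {
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            # svchost.exe hosts many services; the service table is the only way to
            # tell which one (e.g. TermService for RDP) owns this listener.
            $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($l.OwningProcess)" |
                   Select-Object -ExpandProperty Name
            [pscustomobject]@{
                Port         = $p
                LocalAddress = $l.LocalAddress
                ProcessId    = $l.OwningProcess
                ProcessName  = $proc.ProcessName
                Service      = ($svc -join ',')
                Path         = $proc.Path
            }
        }
    }
}

# Ports taken from a hypothetical Qualys RC4 finding
Get-ListenerOwner -Port 3389, 443, 8443 | Format-Table -AutoSize
```

A listener whose process is anything other than svchost.exe (Java, httpd, a monitoring agent) is one of the "own SSL/TLS stack" cases the post mentions, and the SCHANNEL registry will not change what it offers; the Path column tells you which vendor's configuration to look at instead.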
This is fantastic news and a great help! So, when it says, as in my case, "RDP port 3389" is that traffic to/from a web server (if I understand correctly) via RDP?
It's saying the listening service on port 3389, which is RDP, is responding that it supports RC4. The first step on all Windows systems is to disable RC4 for the SCHANNEL via the registry. That will take care of most (if not all) of your detections. Any that remain would be application specific.
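Added example, not from the thread or from Qualys: a PowerShell script that audits the SCHANNEL registry entries controlling RC4 and, when the second function is uncommented, sets them to disabled. The key names (`RC4 128/128`, `RC4 56/128`, `RC4 40/128`) and the `Enabled` DWORD are the documented SCHANNEL settings; the .NET registry API is used instead of the `HKLM:` provider because those key names contain a `/`, which the provider would treat as a path separator. It assumes an elevated session, and the change only becomes effective after a reboot, which is exactly the defined-vs-effective gap the earlier reply points out.

```powershell
# Added example (not from the thread): audit / disable RC4 in the OS TLS stack (SCHANNEL).
# A missing key or value means the OS default applies, so "not set" is not a hardened state.
$base    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'

function Get-Rc4SchannelState {
    foreach ($name in $rc4Keys) {
        # OpenSubKey returns $null when the key does not exist
        $key     = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$name")
        $enabled = if ($key) { $key.GetValue('Enabled') } else { $null }
        if ($key) { $key.Close() }
        [pscustomobject]@{
            Cipher    = $name
            KeyExists = [bool]$key
            Enabled   = $enabled
            State     = if ($enabled -eq 0)        { 'disabled' }
                        elseif ($null -eq $enabled) { 'default (not set)' }
                        else                        { 'enabled' }
        }
    }
}

function Disable-Rc4Schannel {
    foreach ($name in $rc4Keys) {
        # CreateSubKey opens the key if present or creates it; Enabled=0 disables the cipher
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$name")
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

Get-Rc4SchannelState | Format-Table -AutoSize
# Disable-Rc4Schannel   # uncomment to apply, then reboot and re-scan to confirm the effective state
```

Run the audit before and after the change; a port that still reports RC4 after the reboot belongs to an application shipping its own TLS library, which is the application-specific remainder this reply refers to.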