MSSQL Penetration Test Remediation

This page details remediations for some common penetration test findings against Microsoft SQL Server.

RC4 cipher suites accepted

Check

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4*' -Name 'Enabled' | Select-Object PSChildName, Enabled

The value of Enabled under each RC4 key should be 0.

Fix

# The RC4 keys (for example "RC4 128/128") must already exist for Set-ItemProperty to update them; create any missing key with New-Item first.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4*' -Name 'Enabled' -Value 0 -Type DWord


Invalid/Expired Certificates

Check

USE [master]
GO
SELECT name,
       issuer_name,
       start_date,
       expiry_date
  FROM sys.certificates

An alternate check is to create a policy via SSMS: click "New condition", use the expression @ExpirationDate >= GetDate(), and then evaluate the policy.

Notes

Server principals with names enclosed by double hash marks (##) are for internal system use only. The following principals are created from certificates when SQL Server is installed, and should not be deleted.

These principal accounts do not have passwords that can be changed by administrators as they are based on certificates issued to Microsoft. (1)

Resolution

These certificates are generated when SQL Server is installed and are used internally by SQL Server. You cannot modify these certificates. (2)

Protocols with known weaknesses allowed

Check

The method below works in:

Create Event

CREATE EVENT SESSION [tls] ON SERVER
ADD EVENT sqlsni.trace(
    WHERE ([sqlserver].[like_i_sql_unicode_string]([text], N'%Handshake%'))
);

Set Event Target

ALTER EVENT SESSION [tls] ON SERVER
ADD TARGET package0.ring_buffer(SET max_events_limit = (100000), max_memory = (10240))
WITH (MAX_MEMORY = 10240 KB, STARTUP_STATE = ON);
GO

Start Event Monitoring

ALTER EVENT SESSION [tls] ON SERVER STATE = START;

Stop Event Monitoring

ALTER EVENT SESSION [tls] ON SERVER STATE = STOP;
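To review what the session actually captured, here is an added example (not part of the original page): it shreds the ring_buffer target of the [tls] session above into one row per handshake event so the text can be inspected for the negotiated protocol version. It assumes the session name [tls] and the sqlsni.trace field named text, both as used in the session definition above.

```sql
-- Added example: read the handshake events captured by the [tls] session above.
-- Extended Events only expose a ring_buffer target as XML through the DMVs,
-- so target_data is cast to XML and shredded into one row per captured event.
;WITH ring AS (
    SELECT CAST(t.target_data AS XML) AS target_data
      FROM sys.dm_xe_sessions AS s
      JOIN sys.dm_xe_session_targets AS t
        ON s.address = t.event_session_address
     WHERE s.name = N'tls'               -- session name from the page
       AND t.target_name = N'ring_buffer'
)
SELECT ev.value('@timestamp', 'datetime2')                        AS event_time,
       -- "text" is the sqlsni.trace field the session's WHERE clause filters on
       ev.value('(data[@name="text"]/value)[1]', 'nvarchar(max)') AS handshake_text
  FROM ring
 CROSS APPLY ring.target_data.nodes('/RingBufferTarget/event') AS x(ev)
 ORDER BY event_time;
```

Run this while the session is in the STARTED state and after at least one client has connected; an empty result means no handshake has been captured yet.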

Bibliography

Windows Internals