The SSL (Secure Sockets Layer) and TLS (Transport Layer Security, its successor) security protocols can be used to secure many types of Internet services, such as web, FTP, and e-mail communication. SSL/TLS handles the negotiation of cryptographic keys and cryptographic algorithms (ciphers), but the security of a TLS connection is both ensured and bounded by the ciphers available for negotiation. To ensure security, weak encryption must be disabled and strong ciphers must be available and configured.
The 2003 server supports weak SSL/TLS ciphers in its default configuration. This is not an issue on the 2008 server; on the contrary, the 2008 server offers new and more secure SSL/TLS setups.
The 2008 server
Windows Server 2008 was first available in February 2008, and later as R2 in July 2009. It introduces exciting new technologies such as AppFabric (a high-performance cache) and significant updates in IIS 7.5. In addition, the 2008 server can be installed with a server core setup, where the attack surface of the server has been reduced significantly, essentially offering only a console on the server. For those who work in a pure Microsoft environment but occasionally miss Linux or *BSD servers (like myself), the server core installation might be the answer.
The 2008 server includes Microsoft's new cryptographic framework, code named Cryptography Next Generation (CNG). CNG was developed to meet updated requirements from the NSA for cryptographic software used by the U.S. government, and constitutes a major update to the cryptographic support offered by the Windows Server product line.
SSL/TLS, 2003 vs 2008
The 2008 server offers up-to-date cryptographic capabilities, as shown by the following table (green cells indicate support):
| Server 2003 | Server 2008 | Cipher suite | Cipher | Key length |
The list includes only ciphers that can be safely enabled in the SSL/TLS configuration; weak ciphers have been left out. Note that AES is the industry standard for the future and is supported by the 2008 server, but not by the 2003 server unless the AES hotfix is installed. The table shows that the 2008 server offers many more cipher suites. It is reasonable to assume that the 2003 server will never support all these algorithms, especially since Microsoft's AES hotfix adds only two of them.
When comparing support for SSL/TLS protocol versions, the 2008 server also comes out on top, with support for SSL 3.0 and TLS versions up to 1.2, while the 2003 server supports SSL 3.0 and TLS 1.0.
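Which protocols and ciphers a given 2008 server actually accepts is decided by its SChannel settings in the registry, so it is worth checking that the weak ones are turned off and the AES suites from the table are available. The script below is an added example, not code from the original post: it reads SChannel's own registry layout and Enabled value, but the list of items it reports is this example's choice and is not exhaustive.

```powershell
# Added example, not from the original post: report the SChannel protocol and
# cipher settings of the local Windows Server 2008 machine. The registry layout
# and the "Enabled" value are SChannel's own; the list of items to report is
# this example's choice and is not exhaustive.
$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelState {
    param([string]$SubKey)
    # The .NET registry API is used instead of the HKLM: drive because cipher
    # key names such as "RC4 40/128" contain a slash, which the PowerShell
    # registry provider would treat as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$SubKey")
    if ($null -eq $key) { return 'OS default (key absent)' }
    $enabled = $key.GetValue('Enabled')
    $key.Close()
    if ($null -eq $enabled) { return 'OS default (no Enabled value)' }
    # SChannel treats Enabled = 0 as disabled; any other value enables the item.
    if ($enabled -eq 0) { return 'disabled' }
    return 'enabled'
}

# Server-side items a hardened configuration should show as "disabled".
$ShouldBeOff = @(
    'Protocols\SSL 2.0\Server',
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128'
)
# Server-side items that should be "enabled" or left at the OS default.
$ShouldBeOn = @(
    'Protocols\TLS 1.0\Server',
    'Ciphers\AES 128/128',
    'Ciphers\AES 256/256'
)

'--- should be disabled ---'
foreach ($item in $ShouldBeOff) { '{0,-28} {1}' -f $item, (Get-SchannelState $item) }
'--- should be enabled ---'
foreach ($item in $ShouldBeOn)  { '{0,-28} {1}' -f $item, (Get-SchannelState $item) }
```

Run it in an elevated PowerShell session on the server; an item reported as "OS default" has not been configured explicitly and takes whatever the operating system ships with.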
So, the lesson learned here is: if you want state-of-the-art cryptographic support, upgrade your 2003 servers to 2008!