
SQL Server 2014 vulnerabilities reported by Nessus


Problem

I have some vulnerabilities reported for my SQL Server 2014 instance:


List of RC4 cipher suites supported by the remote server :

High Strength Ciphers (>= 112-bit key)

   TLSv1
      RC4-MD5                      Kx=RSA         Au=RSA      Enc=RC4(128)             Mac=MD5
      RC4-SHA                      Kx=RSA         Au=RSA      Enc=RC4(128)             Mac=SHA1

The fields above are :

{OpenSSL ciphername}
  Kx={key exchange}
  Au={authentication}
  Enc={symmetric encryption method}
  Mac={message authentication code}
  {export flag}

  • SSLv3 is enabled and the server supports at least one cipher.

Nessus determined that the remote server supports SSLv3 with at least one CBC
cipher suite, indicating that this server is vulnerable.

It appears that TLSv1 or newer is supported on the server. However, the
Fallback SCSV mechanism is not supported, allowing connections to be "rolled
back" to SSLv3.

My OS is Windows Server 2012, and I use Nessus to scan my server. How can I fix the above vulnerabilities?

Solution

It looks like Nessus reports these vulnerabilities even when RC4 is not enabled for any SQL Server endpoint. As for SSL 3.0, SQL Server 2014 supports TLS 1.2 as of CU7, while previous versions support TLS 1.0.

I suppose that the Nessus report has to do with the possibility of algorithm downgrade from TLS to RC4. This page describes how to disable RC4 completely.

However, some of my servers are still reported by Nessus with this vulnerability, even if the RC4 cipher is disabled (default for Windows 2012 R2), so I suppose it might be a false positive on Nessus' end.
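The two findings above (RC4 cipher suites offered, SSLv3 still enabled so a client can be rolled back to it) are both controlled by the Windows SChannel registry settings, since SQL Server's TDS endpoints use SChannel for TLS. The script below is an added example, not code from the original question or answer, that disables every RC4 cipher and turns off SSL 2.0/3.0 on the server side, then prints the resulting state so it can be compared with the next Nessus run. It assumes Windows Server 2012 or 2012 R2 with an elevated PowerShell session; the function names Set-SchannelValue and Get-SchannelState are this example's own. SChannel reads these keys at boot, so a reboot is needed before re-scanning.

```powershell
#Requires -RunAsAdministrator
# Added example: harden SChannel for a SQL Server 2014 instance on Windows Server 2012.
# Disables RC4 cipher suites and SSL 2.0/3.0 server-side, then reports the settings.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher key names contain '/', which the PowerShell registry provider treats as a
# path separator, so the .NET registry API is used to create them verbatim.
function Open-Hklm {
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Set-SchannelValue {
    param(
        [string]$SubKey,     # relative to $SchannelPath, e.g. 'Ciphers\RC4 128/128'
        [hashtable]$Values   # value name -> DWORD
    )
    $hklm = Open-Hklm
    $key = $hklm.CreateSubKey("$SchannelPath\$SubKey")
    foreach ($name in $Values.Keys) {
        $key.SetValue($name, [int]$Values[$name], [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
    $hklm.Close()
}

$Rc4Ciphers = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
$OldProtocols = 'SSL 2.0', 'SSL 3.0'

# 1. Disable every RC4 cipher; this removes RC4-MD5 and RC4-SHA from the Nessus list.
foreach ($cipher in $Rc4Ciphers) {
    Set-SchannelValue -SubKey "Ciphers\$cipher" -Values @{ Enabled = 0 }
}

# 2. Disable SSL 2.0 and SSL 3.0 for incoming (server) connections. Once SSLv3 is not
#    offered at all, a client cannot be rolled back to it, with or without Fallback SCSV.
#    TLS 1.0 is deliberately left enabled: the instance needs the CU that adds TLS 1.2
#    before TLS 1.0 can be removed without breaking connections.
foreach ($proto in $OldProtocols) {
    Set-SchannelValue -SubKey "Protocols\$proto\Server" -Values @{ Enabled = 0; DisabledByDefault = 1 }
}

# 3. Read the settings back so the before/after state is visible.
function Get-SchannelState {
    $hklm = Open-Hklm
    $checks = @()
    foreach ($cipher in $Rc4Ciphers) {
        $checks += @{ SubKey = "Ciphers\$cipher"; Name = 'Enabled' }
    }
    foreach ($proto in $OldProtocols) {
        $checks += @{ SubKey = "Protocols\$proto\Server"; Name = 'Enabled' }
        $checks += @{ SubKey = "Protocols\$proto\Server"; Name = 'DisabledByDefault' }
    }
    foreach ($c in $checks) {
        $key = $hklm.OpenSubKey("$SchannelPath\$($c.SubKey)")
        $value = if ($key) { $key.GetValue($c.Name, '(not set)') } else { '(key missing)' }
        if ($key) { $key.Close() }
        [pscustomobject]@{ Key = $c.SubKey; Name = $c.Name; Value = $value }
    }
    $hklm.Close()
}

Get-SchannelState | Format-Table -AutoSize
Write-Host 'Reboot the server for SChannel to apply these settings, then re-run the Nessus scan.'
```

After the reboot, a clean scan of port 1433 should no longer list RC4-MD5 or RC4-SHA, and the SSLv3 findings should disappear because the server refuses the protocol outright. If Nessus still reports RC4 afterwards, compare its cipher list with the Get-SchannelState output before treating the result as a scanner false positive.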

Context

StackExchange Database Administrators Q#102237, answer score: 4
