Harden your Titan FTP or Cornerstone MFT Server

Disabling Weak and Insecure Ciphers - Hardening a Server


Titan FTP 2019 and Cornerstone MFT 2019 Server customers can use the following steps to harden their server. The goal is to ensure that all weak ciphers are disabled so that a security scan, such as those offered by Qualys, will pass.

NOTE: This process is designed to be applied to Titan FTP Server 2019 and Cornerstone MFT Server 2019 only. This process does not apply to older versions of the software.

Support for older versions of Titan FTP Server and Cornerstone MFT Server has been discontinued. To harden an older Titan FTP or Cornerstone MFT Server, you will first need to upgrade to the latest 2019 release of the software and reboot the OS. Once you have upgraded to the latest 2019 release of the software, the server can be hardened. To upgrade to the latest release, use the Check For Program Updates feature in the Admin Console or contact sales@southrivertech.com for more information.

Follow these steps to harden your system. You must be logged in to the Windows Desktop using a Windows account with Administrative or PowerUser privileges. Rebooting the OS will be required.
  1. Disable 3DES related ciphers in Windows.
    1. Save the attached Disable3DES_reg.txt file to the Windows desktop as disable3des.reg
    2. Right-click on the file and select merge to import these settings into the Windows registry.
  2. Disable SHA1 hashing in Windows.
    1. Save the attached DisableSHA1_reg.txt file to the Windows desktop as disableSHA1.reg
    2. Right-click on the file and select merge to import these settings into the Windows registry.
  3. Disable TLS 1.0 in Windows.
    1. Save the attached DisableTLS10_reg.txt file to the Windows desktop as DisableTLS10.reg
    2. Right-click on the file and select merge to import these settings into the Windows registry.
  4. Disable TLS 1.1 in Windows (optional)
    1. Save the attached DisableTLS11_reg.txt file to the Windows Desktop as DisableTLS11.reg
    2. Right-click on the file and select merge to import these settings into the Windows registry.
  5. Disable CBC and GCM based ciphers in Windows
    1. Save the attached DisableWeakCiphers_ps1.txt file to the Windows Desktop as DisableWeakCiphers.ps1
    2. Click on the Windows Start button and type 'powershell'.
    3. When "PowerShell" appears in the list, RIGHT-CLICK AND SELECT RUN AS ADMINISTRATOR.
      1. NOTE: you must run PowerShell AS ADMINISTRATOR
    4. Right-click on the DisableWeakCiphers.ps1 file and select OPEN WITH -> NOTEPAD. This will open the file in Notepad.
    5. Select the entire contents of the file using CTRL-A, then press CTRL-C to COPY the information to the clipboard.
    6. In the PowerShell window, RIGHT-CLICK. The contents of the clipboard should be pasted into PowerShell automatically and executed as they are pasted. If nothing shows up, press CTRL-V to PASTE the information into PowerShell and execute the commands.
    7. PowerShell may display errors indicating that those ciphers were not enabled. Ignore those errors.
  6. Disable Weak TLS/SSL ciphers in Titan/Cornerstone
    1. Run the Admin console and find your server instance in the left tree of the Admin console.
    2. Select Services and then select the FTP/SSL tab in the right pane of the console.
    3. NOTE: for HTTP/HTTPS, the TLS/SSL settings are pulled from the FTP/SSL tab, not the HTTP/HTTPS tab. This means that in order to disable weak ciphers in the WebUI or FTP/FTPS you need to disable them on the FTP/SSL tab, even if you are not using FTP/S. If FTP/S is disabled on your server, first enable FTP/S by checking the 'Enable SSL/TLS access on this server' option.
    4. Uncheck SSL v3.0, TLS v1.0 and optionally TLS v1.1 to disable those protocols.
    5. NOTE: If FTP/S was disabled when you started, uncheck the 'Enable SSL/TLS access' option again to return it to normal.
    6. Click the Apply button at the bottom of the window to save these changes.
    7. Select the SFTP/SSH tab located next to the FTP/SSL tab in the console. Note that Titan FTP Server 2019 and Cornerstone MFT Server 2019 do not support the Secure Copy Protocol (SCP) but do support SSH/SFTP.
      1. Disable weak SSH Ciphers by turning OFF all CBC based ciphers. Also disable 3DES based ciphers.
      2. Disable weak SSH MAC algorithms by turning OFF all MD5 and SHA1 based algorithms.
      3. Disable weak SSH KEX algorithms by turning OFF all SHA1 based algorithms.
      4. Enable FIPS mode.
At this point you will need to reboot your Windows OS for the settings to take effect.
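
After the reboot, the Windows-side changes from steps 1 to 5 can be checked from an elevated PowerShell prompt. The script below is an added example, not one of the attached files; it assumes the .reg files use the standard Windows SCHANNEL registry layout (Enabled = 0 under the Ciphers, Hashes and Protocols keys) and that the Get-TlsCipherSuite cmdlet is available (Windows Server 2016 / Windows 10 or later). The Titan/Cornerstone settings from step 6 are not covered and are reviewed in the Admin console.

```powershell
# Added verification example (not one of the vendor's attached files).
# Assumption: the .reg files use the standard SCHANNEL registry layout.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Sub-keys that steps 1-4 are expected to switch off (Enabled = 0).
$expectedOff = @(
    'Ciphers\Triple DES 168',
    'Hashes\SHA',
    'Protocols\TLS 1.0\Server',
    'Protocols\TLS 1.1\Server'   # only if the optional step 4 was applied
)

$report = foreach ($sub in $expectedOff) {
    $path  = Join-Path $base $sub
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $state = if ($null -eq $props -or $null -eq $props.Enabled) {
        'NOT SET (OS default applies)'   # key or value missing: merge did not land
    } elseif ($props.Enabled -eq 0) {
        'disabled'
    } else {
        'ENABLED'
    }
    [pscustomobject]@{ Setting = $sub; State = $state }
}
$report | Format-Table -AutoSize

# Step 5: list the cipher suites Windows still offers in the families this
# article names (3DES, CBC, GCM), for comparison with DisableWeakCiphers.ps1.
$remaining = Get-TlsCipherSuite |
    Where-Object { $_.Name -match '3DES|_CBC_|_GCM_' } |
    Select-Object -ExpandProperty Name

if ($remaining) {
    'Cipher suites in the 3DES/CBC/GCM families that are still enabled:'
    $remaining | ForEach-Object { "  $_" }
} else {
    'No 3DES, CBC or GCM cipher suites are enabled.'
}
```

Any suite listed in the second part that also appears in DisableWeakCiphers.ps1 indicates that the script did not run to completion or was not run as Administrator.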

