How to protect your Windows server from POODLE SSLv3 vulnerability

    In a previous post about the POODLE vulnerability, I overlooked Windows-based servers and focused on Unix software.
    But judging by web server popularity statistics, Microsoft IIS holds 13.5% and third place in the top three, far ahead of all the remaining web servers.



    Since nobody in the comments pointed out this unfortunate omission, I am correcting it with this article.
    The information applies to Windows Server 2008 and IIS 7.5.

    UPD: Habr user Ivan_83 previously covered the broader aspects of hardening Windows 7 in his article, and that material also applies to other versions of Windows.

    All changes are made in the registry, so the first thing to do is to back it up:
    start the registry editor (regedit) -> File -> Export.

    Once the backup is done, proceed directly to the registry changes that disable SSLv2 and SSLv3 and enable TLS.

    Disabling SSLv2 / SSLv3
    In the registry editor, go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ SSL 2.0 \ Server
    If there is no Server key, create it.
    Then create a DWORD (32-bit) value named "Enabled" and set it to 0.



    Repeat the same for the Client key:
    HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ SSL 2.0 \ Client

    To disable SSLv3, repeat the procedure for the SSL 3.0 key.

    Enabling TLS
    Enabling the TLS protocol follows a similar scenario.
    Using the regedit registry editor, go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols
    and create the TLS 1.1 key with Client and Server subkeys inside it.
    Just as when disabling SSLv2, create two DWORD (32-bit) values in each subkey: one named "Enabled" with a value of 1, and one named "DisabledByDefault" with a value of 0.


    After making all the changes, restart the server; SCHANNEL reads these keys at boot, so they do not take effect until then.
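    The same registry changes as a script, added here as an example (not from the original post): it writes the SSL 2.0 / SSL 3.0 / TLS 1.1 keys described above, also enables TLS 1.2 on systems that support it (an addition beyond the post), and reads the result back so the configuration can be checked before the reboot. It assumes an elevated PowerShell session and that the registry has already been exported.

```powershell
# Added example: apply and verify the SCHANNEL protocol settings described above.
# Assumes an elevated PowerShell session; back up the registry first (regedit -> File -> Export).
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,     # e.g. 'SSL 3.0', 'TLS 1.1'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path (Join-Path $Base $Name) $Side
        # Create the protocol key and its Client/Server subkeys if they are missing
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Enabled = 0 switches the protocol off; Enabled = 1 with DisabledByDefault = 0
        # switches it on and lets SCHANNEL offer it without the application asking explicitly
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Read the keys back so the change can be verified before rebooting
    param([string[]]$Names = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($Name in $Names) {
        foreach ($Side in 'Client', 'Server') {
            $Key = Join-Path (Join-Path $Base $Name) $Side
            $Enabled = '(key absent: OS default)'
            $ByDefault = '(key absent: OS default)'
            if (Test-Path $Key) {
                $Props = Get-ItemProperty -Path $Key
                $Enabled = $Props.Enabled
                $ByDefault = $Props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol = $Name; Side = $Side
                Enabled = $Enabled; DisabledByDefault = $ByDefault
            }
        }
    }
}

# Disable SSLv2 and SSLv3 (POODLE); enable TLS 1.1 and, where the OS supports it, TLS 1.2
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Format-Table -AutoSize
# Reboot afterwards: SCHANNEL only reads these keys at boot.
```

    A protocol whose key is absent is left at the operating system's default, so the output makes it visible when a key was expected but never created.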

    As a bonus for those who have read this far:
    for IIS there is a free tool called IISCrypto, available at https://www.nartac.com/Products/IISCrypto/Default.aspx
    The application runs on Windows Server 2003, 2008 and 2012 and lets you enable or disable any of the encryption protocols in two clicks, and also check a remote web server.
    For convenience, it even ships with templates that provide presets for various security configurations.

