Disable SSLv2 for Windows Server 2003

June 21, 2008

This is a followon from my last post about weak SSL ciphers but they kind of go hand in hand.  SSLv3 offers a few security improvements over SSLv2 and is supported by the majority of new browsers.  What we will do in this post is disable the ability for a client co choose to use SSLv2 if connected to your webserver that has SSLv2 disabled.  To accomplish this we will need to do the following.

Open regedit and find the key

HKLMSYSTEM|CurrentControlSetControlSecurityProvidersSCHANNELProtocols

Now for SSL 2.0 you will want to create a new DWORD value named Enabled with a data value of 0 in Hex in both the client and server subkeys.  This will disable the ability for the server to use or allow the use of SSLv2 during the use of SSL.  You can also create a registry import like the following.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]
“Enabled”=dword:00000000

Again with this one, Nessus will find the vulnerability fairly easy so their is almost no reason to have it running. Nessus’ vulnerability will be displayed as “Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.”

NOTE: This change may break clients/servers/applications so I take no responsibility for YOUR actions.

Leave a Reply

Your email address will not be published. Required fields are marked *


*