Disable weak secure channel protocols

Microsoft Windows NT Server stores its settings for the secure channel (SCHANNEL) protocols that the server supports under the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Typically, this key contains the following subkeys:

PCT 1.0
SSL 2.0
SSL 3.0
TLS 1.0
Each subkey holds the settings for that protocol. Any of these protocols can be disabled on the server side: create a new DWORD value in the protocol's Server subkey and set it to "00 00 00 00".
Secure Sockets Layer protocol version 2 (SSL v2) has a serious vulnerability. Successful exploitation would allow an attacker to execute arbitrary code in the context of the affected server. No authentication is required to reach the vulnerable code, and no user interaction is required. Common Vulnerabilities and Exposures (CVE) classified the vulnerability as CVE-2004-0120, and Microsoft addressed it in security bulletin MS04-011; however, to this day the default configuration of Windows 2000 and Windows 2003 still has the SSL v2.0 protocol enabled.

To disable the SSL v2 protocol
—————————
1. Click Start, click Run, type regedt32 or regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.

Note: If the Enabled value already exists, double-click it to edit its current data.
6. Type 00000000 in the Binary Editor to set the value of the new entry to "0".
7. Click OK.
Restart the computer for the change to take effect.

How to Disable SSLv2 on a Windows Server 2008 and Windows Server 2008 R2
————————————————————————

1. Open the registry and create a key named Server under the following entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0

2. Under the Server key, create a DWORD value named "DisabledByDefault" and set its value data to "00000001".

3. Reboot the server.

Note: For multiple systems, export the registry key and import it on the other systems.
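As an added example (not part of the original post), the following PowerShell script performs the two registry procedures above in one step: it creates the protocol's Server subkey if needed, writes Enabled=0 (the switch used on NT/2000/2003) and DisabledByDefault=1 (the switch the 2008/2008 R2 procedure uses), and reads the result back. The function names Disable-SchannelProtocol and Get-SchannelProtocolState are my own; the script assumes an elevated PowerShell prompt on the target server and, like the manual procedure, still needs a restart before SCHANNEL picks the change up.

```powershell
# Added example: disable an SCHANNEL protocol server-side via the registry.
# Assumes an elevated prompt; a reboot is still required afterwards.

$ProtocolsBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Subkey names as listed in the post; SSL 2.0 is the default target.
        [ValidateSet('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0')]
        [string[]]$Protocol = @('SSL 2.0'),

        # Side of the connection to lock down. The post only covers Server;
        # Client is accepted here for completeness.
        [ValidateSet('Server', 'Client')]
        [string[]]$Side = @('Server')
    )

    foreach ($p in $Protocol) {
        foreach ($s in $Side) {
            $key = Join-Path (Join-Path $ProtocolsBase $p) $s
            if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=0 and DisabledByDefault=1')) {
                # Create the protocol and Server/Client keys if they are missing;
                # an existing key and its other values are left untouched.
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                # Enabled=0 is the value the NT/2000/2003 procedure sets;
                # DisabledByDefault=1 is the one the 2008/2008 R2 procedure sets.
                # Writing both covers either generation of SCHANNEL.
                New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
                New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
    }
}

function Get-SchannelProtocolState {
    # Report the raw registry state per protocol and side. A missing key or
    # value means the OS default applies, which for SSL 2.0 on 2000/2003 is "enabled".
    param([string[]]$Protocol = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'))

    foreach ($p in $Protocol) {
        foreach ($s in 'Server', 'Client') {
            $key   = Join-Path (Join-Path $ProtocolsBase $p) $s
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }

            $enabled  = '(absent: OS default)'
            $disabled = '(absent: OS default)'
            if ($props -and $null -ne $props.Enabled)           { $enabled  = $props.Enabled }
            if ($props -and $null -ne $props.DisabledByDefault) { $disabled = $props.DisabledByDefault }

            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                KeyExists         = [bool]$props
                Enabled           = $enabled
                DisabledByDefault = $disabled
            }
        }
    }
}

# Preview first, then apply, then verify the stored values.
Disable-SchannelProtocol -Protocol 'SSL 2.0' -WhatIf
Disable-SchannelProtocol -Protocol 'SSL 2.0'
Get-SchannelProtocolState | Format-Table -AutoSize
```

For the "multiple systems" note above, run the same script on each host (or through remoting) instead of exporting and importing the key; it is idempotent, so re-running it on an already hardened server changes nothing. Get-SchannelProtocolState only reports what is in the registry, which is what a configuration audit should check, but the protocol is not actually refused until the server has been restarted.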

Configure Microsoft IIS to not accept weak SSL ciphers
——————————————————-

You will need to modify the system's registry.

Save the following as a .reg file and merge it into the Windows registry. The first line is the header regedit requires; each section sets the cipher's Enabled value to 0:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

Restart the system and ensure that the server is still functional. Then retest with OpenSSL to confirm that the weak SSL ciphers are no longer accepted.
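As an added example (not part of the original post), here is the same cipher hardening done from PowerShell together with a read-back check. It exists mainly to show one pitfall a practitioner hits when scripting these keys: the cipher names contain a forward slash, and the PowerShell registry provider treats "/" as a path separator, so New-Item on "...\Ciphers\RC4 40/128" silently creates a key "RC4 40" with a child "128" and SCHANNEL never sees the setting. The script therefore creates the keys through the .NET Microsoft.Win32.Registry API, which only treats the backslash as a separator. The function names Disable-SchannelCipher and Get-SchannelCipherState are my own; an elevated prompt is assumed.

```powershell
# Added example: disable the weak SCHANNEL cipher suites listed above and
# report the Enabled value of every cipher key afterwards. Assumes an elevated prompt.

# Cipher key names exactly as in the .reg file above (constructed from that list).
$WeakCiphers = @(
    'DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128'
)
$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Disable-SchannelCipher {
    param([string[]]$Name = $WeakCiphers)

    # CreateSubKey opens the key writable and returns the existing key if present.
    # Using the .NET API (not New-Item) keeps "/" inside the key name literal.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($CiphersPath)
    try {
        foreach ($n in $Name) {
            $key = $ciphers.CreateSubKey($n)
            try {
                $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            } finally {
                $key.Close()
            }
        }
    } finally {
        $ciphers.Close()
    }
}

function Get-SchannelCipherState {
    # Enumerate every cipher key and show its Enabled value. An absent value
    # means the OS default applies; 0 means explicitly disabled;
    # 0xffffffff (-1 as a signed DWORD) is how Windows stores "explicitly enabled".
    $result  = @()
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($CiphersPath)
    if ($null -eq $ciphers) { return $result }
    try {
        foreach ($n in $ciphers.GetSubKeyNames()) {
            $key = $ciphers.OpenSubKey($n)
            try {
                $enabled = $key.GetValue('Enabled', $null)
                $state   = if ($null -eq $enabled) { '(absent: OS default)' } else { $enabled }
                $result += [pscustomobject]@{ Cipher = $n; Enabled = $state }
            } finally {
                $key.Close()
            }
        }
    } finally {
        $ciphers.Close()
    }
    $result
}

Disable-SchannelCipher
Get-SchannelCipherState | Format-Table -AutoSize
```

After the reboot, the OpenSSL retest the post asks for can be done with s_client restricted to one of the disabled suites, for example `openssl s_client -connect <server>:443 -cipher RC4-MD5`; a handshake failure is the expected, correct result. Note that current OpenSSL builds compile RC4 and SSLv2 out entirely, so on a modern workstation the test may fail for that reason rather than because the server refused it; an older OpenSSL or another TLS scanner is needed to get a meaningful negative.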

Posted on July 14, 2012, in Uncategorized.