disable ssl v2 - server 2008 r2
According to this article,
http://support.microsoft.com/kb/187498
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
Type 00000000 in Binary Editor to set the value of the new key equal to "0".
I see on my server, in the location
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
There is a Reg_DWORD setting for DisabledByDefault = "1". Doesn't this accomplish the same end result?
April 4th, 2012 12:10pm
Hi,
That's not the same. All communication is a two-way street: a client sends a request, then the server answers.
The setting "DisabledByDefault"=dword:00000001 under the Client subentry means client SSL 2.0 is disabled by default (the default on Windows Server 2008, 2008 R2 and Windows 7), which means the computer will not use SSL 2.0 to initiate a client request.
Whereas if you disable the SSL 2.0 protocol following the procedure you posted above, it means the server will not answer an SSL 2.0 request.
For more information, please refer to the following MS articles:
Speaking in Ciphers and other Enigmatic tongues
http://blogs.technet.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
http://support.microsoft.com/kb/187498
Lawrence
TechNet Community Support
April 4th, 2012 11:21pm
Thanks for your response. I actually just tried to use the Microsoft Fixit tool; the file that was downloaded is "MicrosoftFixit50495.msi".
When I ran it, it gave me the options for PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. I chose SSL 2.0 because that's what all the talk is about here. It comes back with "This Microsoft Fixit does not apply to your operating system or application version."
It's Windows Server 2008 R2, SP1. So does the Fixit tool not work, or does the OS not have this vulnerability? Or is there something else I need to do? I'm running "as administrator".
Help? : )
April 5th, 2012 4:08pm
Hi,
That fixit tool applies to:
Microsoft Internet Information Server 3.0
Microsoft Internet Information Services 5.1
Microsoft Internet Information Services 6.0
Microsoft Internet Information Services 7.0
Windows Server 2008 R2 runs IIS 7.5, which is not in the supported list. You may disable SSL 2.0 manually.
For more information, please refer to the following MS articles:
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
http://support.microsoft.com/kb/187498
Lawrence
TechNet Community Support
April 5th, 2012 11:27pm
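The manual change discussed in this thread, as an added PowerShell example (not part of any post and not Microsoft's own script): it reports the SSL 2.0 Client and Server values separately, which is the distinction the first reply draws, and writes Server\Enabled = 0 only when asked. The function name `Invoke-Ssl2ServerCheck` and its `-Apply` switch are hypothetical; the registry path and value names are the ones quoted in the thread.

```powershell
# Added example; the function name and -Apply switch are hypothetical.
# Run from an elevated prompt. Uses only cmdlets available in PowerShell 2.0.
function Invoke-Ssl2ServerCheck {
    param([switch]$Apply)

    $base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'
    $serverKey = Join-Path $base 'Server'
    $clientKey = Join-Path $base 'Client'

    # Read a DWORD; returns $null when the key or the value does not exist.
    function Get-Dword($path, $name) {
        if (-not (Test-Path $path)) { return $null }
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($item) { return $item.$name }
        return $null
    }

    if ($Apply) {
        # Server side: stop answering SSL 2.0 requests.
        # The Server subkey may not exist yet, so create it first.
        if (-not (Test-Path $serverKey)) {
            New-Item -Path $serverKey -Force | Out-Null
        }
        New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }

    $serverEnabled = Get-Dword $serverKey 'Enabled'
    $clientDefault = Get-Dword $clientKey 'DisabledByDefault'

    # The Client value only governs outbound requests; it says nothing
    # about whether this machine answers SSL 2.0 as a server.
    New-Object PSObject -Property @{
        ServerEnabled            = $serverEnabled            # $null = value not set
        ClientDisabledByDefault  = $clientDefault            # $null = value not set
        ServerExplicitlyDisabled = ($serverEnabled -eq 0)
        ClientDisabledOutbound   = ($clientDefault -eq 1)
    }
}

# Invoke-Ssl2ServerCheck          # report only, changes nothing
# Invoke-Ssl2ServerCheck -Apply   # create Server\Enabled = 0, then report
```

Restart the server after applying the change so that Schannel picks up the new protocol setting.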