Link to home
Start Free TrialLog in
Avatar of kdschool
kdschool

asked on

SSL Registry Change Question

To make a change to SSL for the client and the server should I be using QWord or DWord.  I tried DWord and it's still flaggin as SSL 2.0 is running.  It is a 64 bit 2008 windows server.

Also Under Client or Server there is a default setting.  Should I remove this or set the value to on or off or just leave it as it is?

Default Reg_SZ  (value not set)
ASKER CERTIFIED SOLUTION
Avatar of Giovanni
Giovanni
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of kdschool
kdschool

ASKER

I did this and the scans they run still pick it up as open.  I read if it's a 64 bit server you have to use QWord instead DWord.  That is what I was asking?
Avatar of Giovanni
Giovanni
Flag of United States of America image
This applies for IIS.  If your using a web server service which is not IIS (such as Apache) then it will have its own configuration.  What service are you using?
Avatar of kdschool
kdschool

ASKER

IIS 7.5
Avatar of kdschool
kdschool

ASKER

When in the registry and I do new to select the item here is what I see in the menu

New DWord (32 bit value)
New QWord (64 bit value)

Since I am running a 64 bit OS should I pick the QWord.  The DWord did not work as it did not pass the scan.
Avatar of Giovanni
Giovanni
Flag of United States of America image
Run these commands from an elevated privileged command prompt (as Administrator) and test.

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
shutdown -r -t 0

Open in new window

Avatar of kdschool
kdschool

ASKER

Ok I found out I need to use the DWord.  Let me ask you this.  for an entry to be disabled do I use zero or 1 .  I thought 0 meant it is disabled.  Is this true for the ciphers also?
Avatar of Giovanni
Giovanni
Flag of United States of America image
Yes, 1 is true or on, and 0 is false or off, generally.  However, the net effect actually depends on the registry value and the developers intention behind it.

For example, DisabledByDefault = 1 would disable something, whereas DisabledByDefault = 0 would be enable it, because the value is DisabledByDefault.

Another value, Enabled = 1 would enable something, whereas Enabled = 0 would disabled it.

Make sense?