Solved

Cannot Pass A PCI Compliance Scan Because of SSLv2

Posted on 2013-06-03
2
451 Views
Last Modified: 2013-06-04
Trying to pass a PCI compliance scan via Control Scan but keeps failing due to SSLv2 or a weak cipher is enabled. All I see in the registry is SSLv2 and I have disabled it and restarted with no luck. I'm under the impression that SSLv3 is enabled by default after disabling SSLv2?
0
Comment
Question by:MasterComputing
2 Comments
 
LVL 26

Accepted Solution

by:
arober11 earned 500 total points
Comment Utility
What version of Windows Sever / IIS?

Have you checked you registry for the appropriate value e.g. To quote Microsoft:

1. Is it possible to disable SSLv2 on a DC so that secure LDAP communication is forced to use SSLv3 or TLSv1?
Yes it is possible to disable SSLv2 on a DC. Please find below the registry changes that has to be done on the DC to disable it,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
If the above registry key does not exist please create and reboot the server for the registry key to come into effect.
Refer Article: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll : http://support.microsoft.com/kb/245030/en-us


Also to be sure the SSL2 in not supported, grab yourself a copy of the OpenSSL tool, and scan your own site to see what's available, from a public network e.g.

openssl s_client -no_tls1 -no_ssl3 -connect www.yourHost.com:443

Open in new window


The OWASP project offers assorted info on how to test your own site.
0
 

Author Closing Comment

by:MasterComputing
Comment Utility
Under: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0,

Instead of Server, it was client that was set to DWORD=0. Added Server and passed the scan. Thanks!
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Explore the encryption capabilities built into Google Apps and how these features can help you meet privacy policy and regulatory compliance, but are not a full solution. Understand and compare the most popular email encryption services for Google A…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now