Disable SSL 2.0, Enable SSL 3.0 Windows Server 2008

I was told I have to disable the SSL 2.0 protocol (McAfee scan) and enable 3.0.  My registry on this server shows only the following under SecurityProviders, SCHANNEL, Protocols, SSL 2.0.  I have SSL certificates installed and running on this server.

Name: DisabledByDefault
Type: REG_DWORD
Data: 0x1

I only see the SSL 2.0 protocol in the registry.  Do I have to add 3.0 and then disable 2.0, and if so, how do I do that?
Someone told me Windows Server 2008 R2 automatically uses 3.0 and does not use 2.0.  Is there a way to tell which protocol is active from the interface?
kdschool Asked:

Nathan P, Systems Architect, Commented:
You're looking in the correct place...

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

You need to right click the "Protocols" folder and select "New - Key", Then call it "SSL 3.0"

Then right click the "SSL 3.0" folder, and select "New - Key", and call it "Server"

Then right click the "Server" folder, select "New - DWORD (32-bit) Value"  (ignore if yours doesn't say 32bit, just pick it anyways.. )

Type in the name "DisabledByDefault".  Double click the new entry, enter Value data of '0' in Decimal.

YOU MUST restart the machine for this to take effect!!

You want a value of 0 for ON and a value of 1 for OFF.

So set SSL 3.0 for 0, and SSL 2.0 for 1..

Or use this ace tool to do it all for you:  https://www.nartac.com/Products/IISCrypto/Default.aspx
0
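The registry steps above, and the asker's question about how to tell which protocol is active, as an added PowerShell example (not code from the thread or from the IIS Crypto tool). It assumes an elevated session on the server itself; the key paths and the Enabled / DisabledByDefault value names are the standard SCHANNEL ones, and any protocol whose key is missing simply runs on the Windows default.

```powershell
# Added example (not from the thread): inspect and set SCHANNEL protocol
# state. Run in an elevated PowerShell; changes need a reboot to take effect.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol and side. 'default' means the key or value is
    # absent, so Windows falls back to its built-in default for that protocol.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $SchannelProtocols "$proto\$side"
            $enabled = 'default'; $disabledByDefault = 'default'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($null -ne $props.Enabled) { $enabled = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol = $proto; Side = $side
                Enabled = $enabled; DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol,
          [Parameter(Mandatory)][bool]$Enabled)
    # Writes both Server and Client subkeys. Off = Enabled 0 + DisabledByDefault 1;
    # on = Enabled 1 + DisabledByDefault 0 (the "0 for ON, 1 for OFF" rule above).
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Turn SSL 2.0 off and show the resulting state for review before rebooting.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled $false
Get-SchannelProtocolState | Format-Table -AutoSize
```

Running only Get-SchannelProtocolState is a safe read-only check of what the current registry says before any change is made.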
kdschool, Author, Commented:
It looks pretty straightforward how to change the SCHANNEL registry key.  Can you give me an example of how to manually modify the ciphers in the registry that these articles are saying must be updated?

If I use the tool for server 2003 I have to install the hotfix first then enable 3.0 and disable 2.0?

If I disable 2.0 and 3.0 does not work, will my certificates using SSL stop working?
0

Nathan P, Systems Architect, Commented:
SSL version 3.0, released in 1996, .......   Newer versions of SSL/TLS are based on SSL 3.0. The 1996 draft of SSL 3.0 was published by IETF as a historical document in RFC 6101.  (from the SSL wikipedia page)

SSL 3.0 will work just fine.  Heck, you can turn it off most of the time leaving only TLS 1.0, 1.1 & 1.2 operating.

You're right, if you turn it off, and something is wrong, you may need to look into it, but you can easily re-set the registry to how it was if you take a screenshot of what it looked like before you make the changes.

Anyways:  How to disable the Ciphers:

In each of the following registry subkeys, you will need to right click and create a new DWORD of the following: "Enabled"=dword:00000000. This will essentially disable the selected weak ciphers and protocols that are security vulnerabilities.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128

Here's the area of the registry you're looking at:
ciphers.PNG
0
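The cipher keys listed above, created with Enabled=0 from PowerShell, as an added example that is not part of the thread. It uses the .NET registry classes rather than New-Item on purpose: the PowerShell registry provider treats "/" as a path separator, so a provider path ending in "RC4 40/128" would produce a key "RC4 40" with a child "128" instead of the single key name SCHANNEL actually reads. Assumes an elevated session and a reboot afterwards.

```powershell
# Added example (not from the thread): create the weak-cipher keys with
# Enabled=0 and read the result back. "/" in names like "RC4 40/128" is kept
# literally by the .NET API, which the PowerShell registry provider would not do.
$weakCiphers = @(
    'DES 56/56', 'NULL',
    'RC2 40/128', 'RC2 56/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128'
)
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$Name)
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, $true)
    if ($null -eq $base) {
        $base = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
    }
    # CreateSubKey opens the key if it already exists, so re-running is harmless.
    $key = $base.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
}

function Get-SchannelCipherState {
    # Lists every cipher subkey and its Enabled value so the change can be
    # verified before rebooting; 'default' means no Enabled value is set.
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    foreach ($name in $base.GetSubKeyNames()) {
        $key = $base.OpenSubKey($name)
        [pscustomobject]@{ Cipher = $name; Enabled = $key.GetValue('Enabled', 'default') }
        $key.Close()
    }
    $base.Close()
}

foreach ($c in $weakCiphers) { Disable-SchannelCipher -Name $c }
Get-SchannelCipherState | Format-Table -AutoSize
```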

kdschool, Author, Commented:
This is such good information.  I always get scared when touching the registry.  Will this process work for both Windows Server 2003 and Windows Server 2008?
0
Nathan P, Systems Architect, Commented:
Yes, the process is unchanged in Server 2003 and 2008.

Again, I'll state that I use an automated tool to complete all the changes for me, and this tool does all the registry editing for you!

https://www.nartac.com/Products/IISCrypto/Default.aspx

Just download it, copy it to your server, Run it once, and click either PCI or FIPS 140-2 (the second one is more secure) and all the work is DONE!

(Then reboot to make the changes)
0
kdschool, Author, Commented:
If I use the tool, it says for the Windows 2003 server I should put the patch on first.  Is this correct?
0
kdschool, Author, Commented:
I have the tool downloaded to my Windows 2008 server.  I see there are many other selections that already look like they are greyed out and checked.  Is the tool looking at my server and telling me these are the items already applied?  It looks like all the correct ciphers are already checked.  Looks like I need to uncheck 2.0 and all items before that that are lower protocols.  Then there are the hashes, key exchanges and SSL cipher suite order, and all of that is already checked and greyed out.

I don't see any instructions on how to do this.  Am I making the correct assumptions before I apply it?
0
Nathan P, Systems Architect, Commented:
If there is a Microsoft patch, (none mentioned in this discussion so far), then feel free to apply it first.

All the greyed out and checked options are Windows' defaults, and it's showing you exactly how your server is set right now.

Click the PCI button in the bottom right, and it will show you how it would set it if you wished to be PCI standards compliant (a credit card industry standard).   (Same for the FIPS 140-2 button, except it will turn off even more of the weaker options, leaving you even more secure.)

Changes will ONLY be applied if you hit 'Apply', so if you don't want to change that much, then just quit the App..  

Of course, you can check and uncheck the buttons all you like if you wish to do it manually.  Then click "Apply" to apply your changes.

Best of luck!
0
kdschool, Author, Commented:
I used the tool and applied it, and it told me to do a reboot.  Everything is up and running and SSL is working, but the registry values did not change.  Should it have updated those for me?  I attached the print screen.
registryPostIISCrypto.docx
0
kdschool, Author, Commented:
I am closing this question out.  I had to do this manually.  So grateful for all your time and effort.  I could not have accomplished this without all your input.
0
kdschool, Author, Commented:
LectricX stuck with me through all my stupid questions and I finally got there. The tool allowed me to see what was already set on the server so that was amazing and I just made the changes manually like he provided in his step by step instructions.  This person is amazing. Thank you so much.
0