Solved

SSL Registry Change Question

Posted on 2014-04-18
704 Views
Last Modified: 2014-04-18
To make a change to SSL for the client and the server, should I be using QWord or DWord?  I tried DWord and it's still flagging SSL 2.0 as running.  It is a 64-bit Windows Server 2008.

Also, under Client or Server there is a default setting.  Should I remove this, set the value to on or off, or just leave it as it is?

Default Reg_SZ  (value not set)
Question by:kdschool
Accepted Solution

by:
Giovanni Heward earned 500 total points
ID: 40008764
I recommend you use IIS Crypto.  If you prefer the manual method, see the article below for a detailed explanation.   Either way, you'll need to restart the server for the changes to take effect.  Validate with SSLScan or the Qualys SSL site analyzer (recommended).

Default Reg_SZ value is normal and should be left alone.

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030

The following example disables SSL 2.0 for the server and also SSL 2.0 for the client.

Windows Registry Editor Version 5.00

; Default client disabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

; Disables SSL 2.0 server-side
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

After you do take this action, you have to restart the server.

Author Comment

by:kdschool
ID: 40008806
I did this and the scans they run still pick it up as open.  I read that if it's a 64-bit server you have to use QWord instead of DWord.  That is what I was asking.
Expert Comment

by:Giovanni Heward
ID: 40008809
This applies to IIS.  If you're using a web server service which is not IIS (such as Apache), then it will have its own configuration.  What service are you using?
Author Comment

by:kdschool
ID: 40008833
IIS 7.5
Author Comment

by:kdschool
ID: 40008842
When I am in the registry and select New to create the item, here is what I see in the menu:

New DWord (32 bit value)
New QWord (64 bit value)

Since I am running a 64-bit OS, should I pick the QWord?  The DWord did not work, as it did not pass the scan.
Expert Comment

by:Giovanni Heward
ID: 40008847
Run these commands from an elevated command prompt (run as Administrator) and test.

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
shutdown -r -t 0

Author Comment

by:kdschool
ID: 40008918
OK, I found out I need to use the DWord.  Let me ask you this: for an entry to be disabled, do I use zero or 1?  I thought 0 meant it is disabled.  Is this true for the ciphers also?
Expert Comment

by:Giovanni Heward
ID: 40008935
Yes, 1 is true or on, and 0 is false or off, generally.  However, the net effect actually depends on the registry value and the developer's intention behind it.

For example, DisabledByDefault = 1 would disable something, whereas DisabledByDefault = 0 would enable it, because the value is DisabledByDefault.

Another value, Enabled = 1, would enable something, whereas Enabled = 0 would disable it.

Make sense?
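The registry semantics discussed in this thread (REG_DWORD values, `Enabled = 0` turning a protocol off, `DisabledByDefault = 1` turning it off unless an application asks for it) can be audited and applied from PowerShell rather than by hand in regedit. The script below is an added example and is not code from the thread, from Microsoft, or from IIS Crypto; it reads the Schannel `Protocols` keys named in the accepted answer and reports the effective state of each protocol for both the Client and Server side, and it offers a `Disable-SchannelProtocol` helper that writes both values the answer uses. The function names, and the protocol names other than `SSL 2.0`, are this example's own choices for illustration; as the thread says, Schannel only reads the change after a reboot.

```powershell
# Added example (not from the original thread): audit Schannel protocol settings
# and interpret them the way the thread describes.
#   Enabled           = 0  -> protocol disabled
#   DisabledByDefault = 1  -> protocol disabled unless an application explicitly requests it
# Both values are REG_DWORD (32-bit) even on a 64-bit OS, which is the type the accepted answer uses.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

# Protocol subkey names; only 'SSL 2.0' appears in the thread, the rest are assumed for illustration.
$protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')

function Get-SchannelState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Side
    )
    $path = Join-Path $base "$Protocol\$Side"
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path $path) {
        $key = Get-Item $path
        # GetValue returns $null when the value is absent, so "no override" is distinguishable from 0.
        $enabled = $key.GetValue('Enabled', $null)
        $disabledByDefault = $key.GetValue('DisabledByDefault', $null)
    }

    # Derive the effective state from the two values, Enabled=0 taking precedence.
    $state = if ($enabled -eq 0) {
        'Disabled (Enabled=0)'
    } elseif ($disabledByDefault -eq 1) {
        'Disabled by default (DisabledByDefault=1)'
    } elseif ($null -eq $enabled -and $null -eq $disabledByDefault) {
        'OS default (no override present)'
    } else {
        'Enabled'
    }

    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

# Writes the two values from the accepted answer for both sides of one protocol.
# Requires an elevated session; a reboot is still needed before Schannel honours the change.
function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Client', 'Server') {
        $path = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Report the current state of every protocol/side pair.
$report = foreach ($p in $protocols) {
    foreach ($s in 'Client', 'Server') { Get-SchannelState -Protocol $p -Side $s }
}
$report | Format-Table -AutoSize

# To apply the fix from the thread, uncomment the next two lines and reboot afterwards:
# Disable-SchannelProtocol -Protocol 'SSL 2.0'
# Restart-Computer
```

Running the report before and after the reboot shows whether the value actually took effect in the registry; an external scan such as the SSLScan or Qualys check mentioned in the accepted answer is still the final confirmation, because it tests the live listener rather than the configuration.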