Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 754
  • Last Modified:

SSL Registry Change Question

To make a change to SSL for the client and the server should I be using QWord or DWord.  I tried DWord and it's still flaggin as SSL 2.0 is running.  It is a 64 bit 2008 windows server.

Also Under Client or Server there is a default setting.  Should I remove this or set the value to on or off or just leave it as it is?

Default Reg_SZ  (value not set)
0
kdschool
Asked:
kdschool
  • 4
  • 4
1 Solution
 
Giovanni HewardCommented:
I recommend you use IIS Crypto.  If you prefer the manual method, see article below for detailed explanation.   Either way, you'll need to restart the server for the changes to take effect.  Validate with SSLScan or Qualys SSL site analyzer (recommended.)

Default Reg_SZ value is normal and should be left alone.

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030

The following example disables SSL 2.0 for the server and also SSL 2.0 for the client.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001 <Default client disabled>

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000 <Disables SSL 2.0 server-side>

After you do take this action, you have to restart the server.
0
 
kdschoolAuthor Commented:
I did this and the scans they run still pick it up as open.  I read if it's a 64 bit server you have to use QWord instead DWord.  That is what I was asking?
0
 
Giovanni HewardCommented:
This applies for IIS.  If your using a web server service which is not IIS (such as Apache) then it will have its own configuration.  What service are you using?
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
kdschoolAuthor Commented:
IIS 7.5
0
 
kdschoolAuthor Commented:
When in the registry and I do new to select the item here is what I see in the menu

New DWord (32 bit value)
New QWord (64 bit value)

Since I am running a 64 bit OS should I pick the QWord.  The DWord did not work as it did not pass the scan.
0
 
Giovanni HewardCommented:
Run these commands from an elevated privileged command prompt (as Administrator) and test.

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
shutdown -r -t 0

Open in new window

0
 
kdschoolAuthor Commented:
Ok I found out I need to use the DWord.  Let me ask you this.  for an entry to be disabled do I use zero or 1 .  I thought 0 meant it is disabled.  Is this true for the ciphers also?
0
 
Giovanni HewardCommented:
Yes, 1 is true or on, and 0 is false or off, generally.  However, the net effect actually depends on the registry value and the developers intention behind it.

For example, DisabledByDefault = 1 would disable something, whereas DisabledByDefault = 0 would be enable it, because the value is DisabledByDefault.

Another value, Enabled = 1 would enable something, whereas Enabled = 0 would disabled it.

Make sense?
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now