Solved

How would I disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services?

Posted on 2014-07-29
Last Modified: 2014-08-04
A security scan found that one of our boxes, running Windows Server 2003 SP2, has the following vulnerability:

SSL Server Allows Anonymous Authentication Vulnerability

Suggested solution: disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services.

What is the best way to accomplish this in Windows Server 2003?

Thanks
Question by:PDSWSS
Accepted Solution

by:
David Paris Vicente earned 500 total points
ID: 40228215
Before any alteration to registry keys you should have a backup.

I think this will do the trick.
Go to regedit.
Locate the following key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

Then, on the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.

Note: if this value is already present, double-click it to edit its current value, and type 00000000 in the Binary Editor to set the value of the new key to "0".

Click OK. Restart the computer.

Hope this helps.
Author Comment

by:PDSWSS
ID: 40228326
Thanks. Will test tomorrow AM and let you know.
Author Comment

by:PDSWSS
ID: 40229312
David Paris Vicente

I applied your suggested setting to the registry.
Is there a way to test whether "SSL Server Allows Anonymous Authentication Vulnerability" has been addressed without asking our University to run another security scan?

Thanks
Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 500 total points
ID: 40229641
Hi PDSWSS,

Thank you for your feedback. I forgot to mention that if a second test continues to report vulnerabilities for PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0, you need to create the other keys for each of them.

As you did before, but for these ones too:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

And the DWORD value = 0.

The DWORD value 0 means disabled; the value 1 means enabled.

I think this tool can do some of the tests you need.

Let us know if this helped.

Regards

Author Comment

by:PDSWSS
ID: 40229678
Thanks.
Please clarify: in your first post you said the DWORD value should = Enabled.

In your second post you said the DWORD should = 0, and 0 = disabled.
Expert Comment

by:David Paris Vicente
ID: 40230004
Sorry for not being clear.

I wanted to say that the Value Name of the DWORD is indeed Enabled, and in the Value Data you should choose the Hexadecimal base and insert the value 0.
This value has its equivalent in binary of 00000000.

In binary, 0 equals Disabled, and the opposite is 1, meaning Enabled.

As you want to disable it, you should set the Value Data to 0. But if in the future you want to enable it, you have to change the Value Data to 1.
See the example attached.

And in my second post I mentioned other registry keys that you need to change in case your security scan detects any vulnerability with the protocols mentioned in your question: "PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0".

I hope it helps.
Author Comment

by:PDSWSS
ID: 40231598
Thanks for clarifying. I will not be able to get to this until Monday AM. At that time I will test and give you the points.
Author Comment

by:PDSWSS
ID: 40239442
Thanks for your help.