Solved

How would I disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services?

Posted on 2014-07-29
8
2,642 Views
Last Modified: 2014-08-04
A Security Scan found that one of our boxes that is running Windows Server 2003 SP2  has the following vulnerability-

SSL Server Allows Anonymous Authentication Vulnerability

Suggested solution: disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services.

What is the best way to accomplish this in Windows Server 2003?

Thanks
0
Comment
Question by:PDSWSS
  • 5
  • 3
8 Comments
 
LVL 12

Accepted Solution

by:
David Paris Vicente earned 500 total points
ID: 40228215
Before any alteration to registry keys you should have a backup.

I think this will do the trick.
Go to regedit
Locate the following key
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server

Open in new window


Then Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.

Note If this value is present, double-click the value to edit its current value and Type 00000000 in Binary Editor to set the value of the new key equal to "0".

Click OK. Restart the computer.

Hope this helps.
0
 

Author Comment

by:PDSWSS
ID: 40228326
Thanks. Will test tomorrow AM and let you know.
0
 

Author Comment

by:PDSWSS
ID: 40229312
David Paris Vicente

I applied your suggested setting to the registry.
Is there a way to test  whether   "SSL Server Allows Anonymous Authentication Vulnerability"  has been addressed without
asking our University to run another security scan?

Thanks
0
 
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 500 total points
ID: 40229641
Hi PDSWSS,

Thank you for your feedback, I forgot to mention that in case a second test continues to reporting vulnerabilities for PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0, you need to create the other keys for each of one.

Like you did before but for this ones to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server 

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server 

Open in new window


And the DWORD Value = 0

The value DWORD= 0 Means disabled, the 1 value means enable.

I think this tool can do some of the tests you need.

Let us know if this helped.

Regards
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:PDSWSS
ID: 40229678
Thanks.
Please clarify - In your first post you said Dword value should = enabled

In your second post you said Dword should =  0   and   0  = disabled.
0
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 40230004
Sorry for not being clear.

I wanted to say that in the Value Name for the DWORD properties it is indeed Enabled and in the Value Data you should choose the Hexadecimal Base and insert the value 0.
This value has its equivalent in Binary to 00000000.

In binary 0 equals Disabled and opposite is 1, meaning Enabled.

As you want to disable it you should set the Value Data to 0. But if in the future you want to enable it, you have to change Value Data to 1.
See Example Attached. Example

And in my second post I mentioned other Key Regs that you need to change in case your security scan detects any vulnerability with the protocols mentioned on your question. "PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0"



I hope it helps.
0
 

Author Comment

by:PDSWSS
ID: 40231598
Thanks for clarifying. Will not be able to get to this until Monday AM. At that time will test and give you the points.
0
 

Author Comment

by:PDSWSS
ID: 40239442
Thanks for your help.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now