Solved

How would I disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services?

Posted on 2014-07-29
Last Modified: 2014-08-04
A Security Scan found that one of our boxes that is running Windows Server 2003 SP2 has the following vulnerability:

SSL Server Allows Anonymous Authentication Vulnerability

Suggested solution: disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services.

What is the best way to accomplish this in Windows Server 2003?

Thanks
Question by:PDSWSS
 
LVL 12

Accepted Solution

by:
David Paris Vicente earned 500 total points
ID: 40228215
Before any alteration to registry keys you should have a backup.

I think this will do the trick.
Go to regedit
Locate the following key
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

Then Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value, and type 00000000 in Binary Editor to set the value of the new key equal to "0".

Click OK. Restart the computer.

Hope this helps.
0
 

Author Comment

by:PDSWSS
ID: 40228326
Thanks. Will test tomorrow AM and let you know.
0
 

Author Comment

by:PDSWSS
ID: 40229312
David Paris Vicente

I applied your suggested setting to the registry.
Is there a way to test whether "SSL Server Allows Anonymous Authentication Vulnerability" has been addressed without asking our University to run another security scan?

Thanks
0
 
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 500 total points
ID: 40229641
Hi PDSWSS,

Thank you for your feedback. I forgot to mention that in case a second test continues to report vulnerabilities for PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0, you need to create the other keys for each one.

Like you did before, but for these ones too:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

And the DWORD Value = 0

The DWORD value 0 means disabled; the value 1 means enabled.

I think this tool can do some of the tests you need.

Let us know if this helped.

Regards
0
 

Author Comment

by:PDSWSS
ID: 40229678
Thanks.
Please clarify - In your first post you said Dword value should = enabled

In your second post you said Dword should = 0 and 0 = disabled.
0
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 40230004
Sorry for not being clear.

I wanted to say that in the Value Name for the DWORD properties it is indeed Enabled and in the Value Data you should choose the Hexadecimal Base and insert the value 0.
This value has its equivalent in Binary to 00000000.

In binary 0 equals Disabled and opposite is 1, meaning Enabled.

As you want to disable it you should set the Value Data to 0. But if in the future you want to enable it, you have to change Value Data to 1.
See the attached example.

And in my second post I mentioned other registry keys that you need to change in case your security scan detects any vulnerability with the protocols mentioned in your question: "PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0".



I hope it helps.
0
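
The registry steps from the answers above, scripted as an added example (not code posted by anyone in this thread): it backs up the SCHANNEL branch, sets the value named Enabled to DWORD 0 under each protocol's Server key, and reads every value back. It assumes an elevated PowerShell 2.0 or later session on the server; the backup file name is a made-up choice.

```powershell
# Added example: disable the server side of the legacy Schannel protocols
# discussed in this thread by setting Enabled (REG_DWORD) = 0 per protocol.
# Assumptions: elevated PowerShell 2.0+; $backup is a hypothetical file name.
$schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$base      = "HKLM:\$schannel\Protocols"

# Windows Server 2003 Schannel offers nothing newer than TLS 1.0, so adding
# 'TLS 1.0' to this list leaves IIS with no SSL/TLS protocol to negotiate.
$protocols = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0'

# Back up the whole SCHANNEL branch before changing anything.
# A timestamped name avoids reg.exe's interactive overwrite prompt.
$backup = Join-Path $env:TEMP ('schannel-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export "HKLM\$schannel" $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes were made.' }

foreach ($proto in $protocols) {
    $key = Join-Path (Join-Path $base $proto) 'Server'
    # Create the key only when it is missing, so existing values are kept.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Value name is "Enabled"; value data 0 means the protocol is disabled.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

# Read each value back instead of trusting that the writes succeeded.
$report = foreach ($proto in $protocols) {
    $key   = Join-Path (Join-Path $base $proto) 'Server'
    $value = (Get-ItemProperty -Path $key -Name 'Enabled').Enabled
    New-Object PSObject -Property @{
        Protocol = $proto
        Enabled  = $value
        Disabled = ($value -eq 0)
    }
}
$report | Format-Table Protocol, Enabled, Disabled -AutoSize

if ($report | Where-Object { -not $_.Disabled }) {
    throw 'At least one protocol is still enabled in the registry.'
}
Write-Output "Backup saved to $backup. Restart the computer to apply the change."
```

The read-back only confirms what is stored in the registry; it does not show what the server negotiates on the wire after the restart.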
 

Author Comment

by:PDSWSS
ID: 40231598
Thanks for clarifying. Will not be able to get to this until Monday AM. At that time will test and give you the points.
0
 

Author Comment

by:PDSWSS
ID: 40239442
Thanks for your help.
0
