Solved

How would I disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services?

Posted on 2014-07-29
Last Modified: 2014-08-04
A Security Scan found that one of our boxes that is running Windows Server 2003 SP2 has the following vulnerability:

SSL Server Allows Anonymous Authentication Vulnerability

Suggested solution: disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services.

What is the best way to accomplish this in Windows Server 2003?

Thanks
0
Question by:PDSWSS
 
LVL 12

Accepted Solution

by:
David Paris Vicente earned 500 total points
ID: 40228215
Before any alteration to registry keys you should have a backup.

I think this will do the trick.
Go to regedit.
Locate the following key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

Then, on the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.

Note: If this value is present, double-click the value to edit its current value, and type 00000000 in Binary Editor to set the value of the new key equal to "0".

Click OK. Restart the computer.

Hope this helps.
0
 

Author Comment

by:PDSWSS
ID: 40228326
Thanks. Will test tomorrow AM and let you know.
0
 

Author Comment

by:PDSWSS
ID: 40229312
David Paris Vicente

I applied your suggested setting to the registry.
Is there a way to test whether "SSL Server Allows Anonymous Authentication Vulnerability" has been addressed without asking our University to run another security scan?

Thanks
0

 
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 500 total points
ID: 40229641
Hi PDSWSS,

Thank you for your feedback. I forgot to mention that in case a second test continues to report vulnerabilities for PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0, you need to create the other keys for each one.

Like you did before, but for these ones too:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

And the DWORD Value = 0

The value DWORD = 0 means disabled; the value 1 means enabled.

I think this tool can do some of the tests you need.

Let us know if this helped.

Regards
0
 

Author Comment

by:PDSWSS
ID: 40229678
Thanks.
Please clarify - In your first post you said Dword value should = enabled

In your second post you said Dword should = 0 and 0 = disabled.
0
 
LVL 12

Expert Comment

by:David Paris Vicente
ID: 40230004
Sorry for not being clear.

I wanted to say that in the Value Name for the DWORD properties it is indeed Enabled and in the Value Data you should choose the Hexadecimal Base and insert the value 0.
This value is equivalent to 00000000 in binary.

In binary, 0 equals Disabled and the opposite is 1, meaning Enabled.

As you want to disable it, you should set the Value Data to 0. But if in the future you want to enable it, you have to change Value Data to 1.
See Example Attached.

And in my second post I mentioned other registry keys that you need to change in case your security scan detects any vulnerability with the protocols mentioned in your question: "PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0".



I hope it helps.
0
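
The registry steps from this thread (back up, create each protocol's Server key, set Enabled to DWORD 0, read it back) as one reg.exe batch file; this is an added example, not code posted by anyone in the thread. The backup path and the protocol list are assumptions: TLS 1.0 is left out because Schannel on Windows Server 2003 supports nothing newer, so disabling it as well leaves IIS with no usable HTTPS protocol; add "TLS 1.0" to the list only if that is intended.

```batch
@echo off
rem Added example: disable Schannel server-side protocols with reg.exe.
rem Run from an administrative command prompt, then restart the computer.
setlocal

set "BASE=HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
rem Assumed backup location; change as needed.
set "BACKUP=%SystemDrive%\schannel-backup.reg"
rem Assumed protocol list; see the note above about TLS 1.0 on Server 2003.
set PROTOCOLS="PCT 1.0" "SSL 2.0" "SSL 3.0"

rem 1. Back up the whole SCHANNEL key before changing anything.
if exist "%BACKUP%" (
    echo %BACKUP% already exists, move it aside first. No changes made.
    exit /b 1
)
reg export "%BASE%" "%BACKUP%"
if errorlevel 1 (
    echo Backup failed, no changes made.
    exit /b 1
)

rem 2. Create each protocol's Server key if missing and set
rem    the value named Enabled (REG_DWORD) to 0, which means disabled.
for %%P in (%PROTOCOLS%) do (
    reg add "%BASE%\Protocols\%%~P\Server" /v Enabled /t REG_DWORD /d 0 /f
    if errorlevel 1 echo Failed to set Enabled for %%~P
)

rem 3. Read the values back; each line should show Enabled REG_DWORD 0x0.
for %%P in (%PROTOCOLS%) do (
    echo --- %%~P
    reg query "%BASE%\Protocols\%%~P\Server" /v Enabled
)

echo Restart the computer for the change to take effect.
endlocal
```

To undo the change, set the same Enabled values back to 1 or import the exported backup file with `reg import`.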
 

Author Comment

by:PDSWSS
ID: 40231598
Thanks for clarifying. Will not be able to get to this until Monday AM. At that time will test and give you the points.
0
 

Author Comment

by:PDSWSS
ID: 40239442
Thanks for your help.
0
