Solved

how to disable sslv3 for all my computers

Posted on 2014-11-03
Last Modified: 2014-11-11
How to disable SSLv3 for all my computers? Does anyone have any ideas?
http://www.saotn.org/time-disable-sslv3-or-what/
Question by:NxJNY
8 Comments
 
LVL 14

Assisted Solution

by:John-Charles-Herzberg
John-Charles-Herzberg earned 150 total points
ID: 40419448
If you need to disable POODLE SSLv3 support in browsers, this is how you do it.

https://zmap.io/sslv3/browsers.html
0
 
LVL 7

Expert Comment

by:Stampel
ID: 40419469
SSLv3 needs to be disabled on the server side only.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 40419536
Thanks Guys

@ John-Charles-Herzberg - I was hoping for a solution to disable all PCs via script or some other tool rather than doing one PC at a time.

@ Stampel - are you sure that if we disable only the server side it will not affect the local PCs?
0

 
LVL 7

Expert Comment

by:Stampel
ID: 40419745
Nope, it won't. SSL will fall back to SSLv2 (assuming you had an SSLv2 cipher on the server side, but who would not? And you will review this when configuring the server.)
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 350 total points
ID: 40431106
At least for IE you can run the MS FixIt or a Group Policy, as described in the MS Security Advisory at https://technet.microsoft.com/en-us/library/security/3009008.aspx . The FixIt can be called with MSI options, I recommend /passive to not get any prompts.

As https://zmap.io/sslv3/browsers.html and other sources tell, you need to change the startup options for Chrome - no setting there. The best automated approach here is the described change of the registry, which can be done with a batch. The batch only acts if Chrome is the default browser.
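@echo off
setlocal EnableDelayedExpansion
rem Only act when the http handler command line contains Chrome.
for /F "tokens=2*" %%A in ('reg query HKCR\http\shell\open\command ^| find "Chrome" ') do (
  set val=%%B
  rem Escape the embedded quotes for reg add.
  set val=!val:"=""""!
  rem Insert the minimum-TLS flag in front of the double-dash separator.
  reg add HKCR\http\shell\open\command /f /ve /t Reg_SZ /d "!val:-- =--ssl-version-min=tls1 -- !"
)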


But: Chrome and Firefox will receive updates (if not already done) to disable SSLv3 by default.
And to use an exploit, an attacker needs local, direct access to the victim, and so needs to be in (W)LAN etc.
And of course you need to make sure that the client does not allow SSLv3 to be certain it is not used. You do not have control over all servers, and contacting any unpatched server opens the client up to the attack (if all the other requirements are met, of course). It is not safe to rely on proper server settings.
0
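
A PowerShell variant of the registry change in the answer above, added here as an example and not part of the original answer: it leaves the value alone when the flag is already present, and without -Apply it only reports, so it also works as a check that a client has the flag. The registry key and the --ssl-version-min=tls1 flag are the ones the answer uses; the helper name Add-TlsMinFlag and the sample command lines are constructed for illustration.

```powershell
# Added example (PowerShell), not the original answer's code.
# Registry key and flag come from the answer; the helper name is hypothetical.
param([switch]$Apply)   # without -Apply the script only reports

$Flag = '--ssl-version-min=tls1'
$Key  = 'Registry::HKEY_CLASSES_ROOT\http\shell\open\command'

function Add-TlsMinFlag {
    # Returns the command line with the flag placed before the " -- "
    # separator, or the input unchanged when no rewrite is needed.
    param([string]$Command)
    if ($Command -notmatch 'chrome') { return $Command }   # not Chrome
    if ($Command.Contains($Flag))    { return $Command }   # flag already set
    $i = $Command.IndexOf(' -- ')
    if ($i -lt 0) { return $Command }                      # no separator found
    return $Command.Insert($i + 1, "$Flag ")
}

# Constructed sample command lines (not read from a real machine).
$samples = @(
    '"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1"',
    '"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1 -- "%1"',
    '"C:\Program Files\Internet Explorer\iexplore.exe" %1'
)
foreach ($s in $samples) {
    $once  = Add-TlsMinFlag $s
    $twice = Add-TlsMinFlag $once      # a second pass must not add the flag again
    '{0} -> changed={1} idempotent={2}' -f $s, ($once -ne $s), ($once -eq $twice)
}

# Live check of this machine (Windows only; skipped when the key is absent).
if (Test-Path -LiteralPath $Key) {
    $current = [string](Get-ItemProperty -LiteralPath $Key).'(default)'
    $wanted  = Add-TlsMinFlag $current
    if ($current -eq $wanted) {
        "NO CHANGE NEEDED (flag present or handler is not Chrome): $current"
    } elseif ($Apply) {
        Set-ItemProperty -LiteralPath $Key -Name '(default)' -Value $wanted
        "UPDATED: $wanted"
    } else {
        "WOULD CHANGE: $current  ->  $wanted"
    }
}
```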
 
LVL 69

Expert Comment

by:Qlemo
ID: 40435999
Any reason for "B" grade? I'm pretty certain my answer was worth more than that.
0
 
LVL 2

Author Comment

by:NxJNY
ID: 40436006
Sorry, the B grade was a mistake, I meant A - any idea how to change it?
0
