Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How do I Disable SSL3 on 2008R2

Posted on 2014-12-19
15
Medium Priority
?
127 Views
Last Modified: 2015-03-26
I have tried http://support.microsoft.com/KB/187498. but every test I run says SSL3 is still enabled.
0
Comment
Question by:kcfconsulting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
  • 3
  • +1
15 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40510414
Powershell script to set security suites and reboot, check with ssl labs
set-oerfect-forward-security.ps1.txt
0
 
LVL 12

Assisted Solution

by:Tej Pratap Shukla ~Dexter
Tej Pratap Shukla ~Dexter earned 668 total points
ID: 40510482
Hello..

Before few days ago i was also facing the same problem. After searching a lot i found the answer that i want to share with you as it will be helpful to you.

Follow the following steps to resolve your problem:-

1) Click Start, click Run, type regedit, and then click OK.

2)In Registry Editor, locate the following registry key/folder:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4) Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

5) Enter Enabled as the name and hit Enter.

6) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

8) Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.

9) Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

10) Enter Enabled as the name and hit Enter.

11) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and Select Modify and enter 0 as the Value data.

13) Restart the computer.

14) Verify that no SSL 2.0 or SSL 3.0 ciphers are available at ServerSniff.net or the Public SSL Server Database
0
 

Author Comment

by:kcfconsulting
ID: 40510732
I already did that as I stated in the question.  Unless I'm missing something, that is what http://support.microsoft.com/KB/187498 says.
0
[Webinar] Lessons on Recovering from Petya

Skyport is working hard to help customers recover from recent attacks, like the Petya worm. This work has brought to light some important lessons. New malware attacks like this can take down your entire environment. Learn from others mistakes on how to prevent Petya like worms.

 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40510738
what is the result from ssllabs.com ?
0
 

Author Comment

by:kcfconsulting
ID: 40510740
https://www.ssllabs.com/ssltest/  Tells me nothing about SSL3.  I ran it on a server with SSL3 disabled via the REG keys and all it did was give me a grade of "C".  Then I ran it a server with SSL3 wide open and it gave me a "B".
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40510746
if you click on the ip address it will tell you the results of the test
https://www.ssllabs.com/ssltest/analyze.html?d=sklep.derform.com.pl&s=217.74.73.171
0
 

Author Comment

by:kcfconsulting
ID: 40510853
Duh!   Thanks!  But it still says SSL3 is open.  I have attached the SCHANNEL reg Key as a TXT file.
SCHANNEL.txt
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 40511341
Did you run the script I provided and then reboot the machine and then test?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 1332 total points
ID: 40511500
If you'd like a way to do it via GUI you can have a look at IIS Crypto which is a free utility that can disable SSLv3: https://www.nartac.com/Products/IISCrypto/Default.aspx

I've used in on many web servers (2008, 2008 R2 and 2012 R2) for some web developer clients and it has worked fine on each occasion. Make sure you obviously right click and select Run as Administrator if you decide to use it.
0
 

Author Comment

by:kcfconsulting
ID: 40511607
I didn't run the script but I provided the reg key.  Is there something the script will do that isn't already there?

I already ran iiscrypto.  That's pretty much what setup the reg key the way it is now.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40512968
Did you restart the server after you made the changes and before you ran the SSLv3 test(s)?

I hope you also at least backed up the registry keys before you made the changes to them? Always do this as best practice so you can revert back to the original settings in case something goes wrong or doesn't work as expected (like it has in this scenario).
0
 

Author Comment

by:kcfconsulting
ID: 40513023
Yes and Yes.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 1332 total points
ID: 40513100
Alright, give this a shot: restore from the .reg backup file > reboot > run IIS Crypto as an administrator > disable SSL > reboot > test again using https://poodlebleed.com or https://www.ssllabs.com/ssltest/

If you opt for ssllabs, make sure you clear your browser cache as a precaution.
0
 

Author Comment

by:kcfconsulting
ID: 40513236
I already did that.
0
 

Author Comment

by:kcfconsulting
ID: 40690854
Found the problem.  It was another proccess running on 443 and not IIS.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question