Solved

How do I Disable SSL3 on 2008R2

Posted on 2014-12-19
Last Modified: 2015-03-26
I have tried http://support.microsoft.com/KB/187498, but every test I run says SSL3 is still enabled.
Question by:kcfconsulting
15 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40510414
PowerShell script to set security suites and reboot; check with SSL Labs.
set-oerfect-forward-security.ps1.txt
0
 
LVL 11

Assisted Solution

by:Tej Pratap Shukla ~Dexter
Tej Pratap Shukla ~Dexter earned 167 total points
ID: 40510482
Hello.

A few days ago I was also facing the same problem. After searching a lot I found the answer, which I want to share with you as it will be helpful to you.

Follow these steps to resolve your problem:

1) Click Start, click Run, type regedit, and then click OK.

2) In Registry Editor, locate the following registry key/folder:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4) Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

5) Enter Enabled as the name and hit Enter.

6) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

8) Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.

9) Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

10) Enter Enabled as the name and hit Enter.

11) Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

13) Restart the computer.

14) Verify that no SSL 2.0 or SSL 3.0 ciphers are available at ServerSniff.net or the Public SSL Server Database.
0
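The registry steps in this answer, scripted in PowerShell as an added example (not part of the original post or of the script attached earlier in the thread). `Disable-SchannelServerProtocol` is a hypothetical helper name; the key path and the `Enabled` = 0 value are the ones given in the steps.

```powershell
# Added example: scripted form of the regedit steps above.
# Run from an elevated PowerShell prompt; a reboot is still required afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelServerProtocol {
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0'))

    foreach ($name in $Protocol) {
        $serverKey = Join-Path (Join-Path $base $name) 'Server'

        # Create the key only if it is missing: New-Item -Force on an existing
        # key would recreate it and drop any values already stored there.
        if (-not (Test-Path $serverKey)) {
            New-Item -Path $serverKey -Force | Out-Null
        }

        # DWORD Enabled = 0 disables the protocol for the server side of SCHANNEL.
        New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null

        # Read the value back so a mistyped key name shows up immediately.
        $value = (Get-ItemProperty -Path $serverKey -Name 'Enabled').Enabled
        New-Object PSObject -Property @{ Key = $serverKey; Enabled = $value }
    }
}

Disable-SchannelServerProtocol | Format-Table Key, Enabled -AutoSize
```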
 

Author Comment

by:kcfconsulting
ID: 40510732
I already did that as I stated in the question.  Unless I'm missing something, that is what http://support.microsoft.com/KB/187498 says.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40510738
What is the result from ssllabs.com?
0
 

Author Comment

by:kcfconsulting
ID: 40510740
https://www.ssllabs.com/ssltest/  Tells me nothing about SSL3.  I ran it on a server with SSL3 disabled via the REG keys and all it did was give me a grade of "C".  Then I ran it on a server with SSL3 wide open and it gave me a "B".
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40510746
If you click on the IP address it will tell you the results of the test:
https://www.ssllabs.com/ssltest/analyze.html?d=sklep.derform.com.pl&s=217.74.73.171
0
 

Author Comment

by:kcfconsulting
ID: 40510853
Duh!   Thanks!  But it still says SSL3 is open.  I have attached the SCHANNEL reg Key as a TXT file.
SCHANNEL.txt
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 40511341
Did you run the script I provided and then reboot the machine and then test?
0
 
LVL 24

Assisted Solution

by:VB ITS
VB ITS earned 333 total points
ID: 40511500
If you'd like a way to do it via GUI you can have a look at IIS Crypto which is a free utility that can disable SSLv3: https://www.nartac.com/Products/IISCrypto/Default.aspx

I've used it on many web servers (2008, 2008 R2 and 2012 R2) for some web developer clients and it has worked fine on each occasion. Make sure you obviously right click and select Run as Administrator if you decide to use it.
0
 

Author Comment

by:kcfconsulting
ID: 40511607
I didn't run the script but I provided the reg key.  Is there something the script will do that isn't already there?

I already ran iiscrypto.  That's pretty much what set up the reg key the way it is now.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40512968
Did you restart the server after you made the changes and before you ran the SSLv3 test(s)?

I hope you also at least backed up the registry keys before you made the changes to them? Always do this as best practice so you can revert back to the original settings in case something goes wrong or doesn't work as expected (like it has in this scenario).
0
 

Author Comment

by:kcfconsulting
ID: 40513023
Yes and Yes.
0
 
LVL 24

Accepted Solution

by:VB ITS
VB ITS earned 333 total points
ID: 40513100
Alright, give this a shot: restore from the .reg backup file > reboot > run IIS Crypto as an administrator > disable SSL > reboot > test again using https://poodlebleed.com or https://www.ssllabs.com/ssltest/

If you opt for ssllabs, make sure you clear your browser cache as a precaution.
0
 

Author Comment

by:kcfconsulting
ID: 40513236
I already did that.
0
 

Author Comment

by:kcfconsulting
ID: 40690854
Found the problem.  It was another process running on 443 and not IIS.
0
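The cause reported in the last comment, a process other than IIS holding port 443, can be checked directly before touching the registry again. This added example (not from the thread) parses `netstat -ano`, which is available on 2008 R2; `Get-PortListener` is a hypothetical helper name and the notes it prints are this example's own interpretation.

```powershell
# Added example: read-only check of which process is listening on TCP 443.
function Get-PortListener {
    param([int]$Port = 443)

    $suffix = ':{0}$' -f $Port   # local address must end in ":<port>"

    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
    netstat -ano | ForEach-Object {
        $f = @($_ -split '\s+' | Where-Object { $_ })

        # A listening TCP socket has a foreign address ending in ":0"
        # (0.0.0.0:0 or [::]:0); this avoids matching the localized State text.
        if ($f.Count -eq 5 -and $f[0] -eq 'TCP' -and
            $f[1] -match $suffix -and $f[2] -match ':0$') {

            $ownerPid = [int]$f[4]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = '<unknown>'
            if ($proc) { $name = $proc.ProcessName }

            if ($ownerPid -eq 4) {
                # PID 4 (System) is the kernel HTTP.sys listener that IIS uses.
                $note = 'HTTP.sys listener: SCHANNEL registry settings apply'
            } else {
                # A user-mode service may ship its own TLS library and
                # ignore the SCHANNEL Protocols keys entirely.
                $note = 'Not HTTP.sys: check this service''s own TLS configuration'
            }

            New-Object PSObject -Property @{
                LocalAddress = $f[1]
                OwnerPid     = $ownerPid
                Process      = $name
                Note         = $note
            }
        }
    }
}

Get-PortListener -Port 443 |
    Format-Table LocalAddress, OwnerPid, Process, Note -AutoSize
```

If the owner is not PID 4, the scanner is grading that service's TLS stack, so disabling SSL 3.0 has to be done in that product's configuration.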

Question has a verified solution.