Solved

Windows Small Business standard server needs to disable SSL2 and SSL3

Posted on 2014-12-30
294 Views
Last Modified: 2015-01-21
Hello, I have a server that is up and running, but it has failed a WorldPay scan for our credit card; it states that we have to disable SSL2 and SSL3. I have looked around on the net but am only seeing registry fixes, and I am a bit nervous to just do it. Do you know any other ways to disable these two connections?
Question by: Deerek11
8 Comments
Accepted Solution by: Deadman (earned 250 total points)
There is no other way to do it. It's a vulnerability in the protocol.

In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.

To disable SSLv3, which the POODLE vulnerability is concerned with, create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server) create a DWORD value named Enabled and leave it set at 0.

Disabling SSL 2.0, which you should also be doing, is done the same way, except that you'll be using a key named SSL 2.0 in the above registry path.

Check this link: http://support.microsoft.com/kb/245030

Author Comment by: Deerek11
I just did SSL2, but under Protocols there is only an SSL2 folder, no SSL3 folder...

Assisted Solution by: Damien Kay (earned 250 total points)
I went through this with several SBS2003, SBS2008, and SBS2011 servers, as well as both a WSE2012 server and a WSE2012R2 server. I combined all the Microsoft-suggested Registry entries into one REG file, merged it into the Registry on the server, and then rebooted. I've attached a text file that you can rename to a .REG file for merging.

I used the SSL Labs website to test my changes (I would run the test before and after merging the REG file):
  https://www.ssllabs.com/ssltest/ (using the external FQDN of the server).

Older 2003 servers will never get a better grade than a C. SBS2008 servers should be able to get a B, as they don't support TLS 1.2.

I have not attempted disabling the RC4 cipher yet, so my SBS2011 and WSE2012 servers are also capped at a B. This MS Technet Article describes how to completely disable RC4:
    http://support.microsoft.com/kb/2868725
Attachment: Disable-SSL-Protocols.txt

Assisted Solution by: Deadman (earned 250 total points)
To disable SSLv3, create an SSL 3.0 subkey at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols and, under that, again create a Server subkey.
[screenshot: 2880599.png]
Create a DWORD value named Enabled and leave it set at 0.

Author Comment by: Deerek11
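The registry change described in the accepted solution and repeated in the comment above, as an added PowerShell example (this is not code from the thread, and it is not the contents of the attached Disable-SSL-Protocols.txt). It exports the Protocols key to a backup .reg file first, creates the SSL 2.0\Server and SSL 3.0\Server subkeys when they are missing (the situation in the author's comment, where no SSL 3.0 key existed yet), sets the Enabled DWORD to 0 and then reads each value back. The registry path and the Enabled value are the ones given in the thread and in KB245030; the function names and the backup file location are my own choices.

```powershell
# Added example: disable SSL 2.0 and SSL 3.0 server-side in Schannel and verify the result.
# Run from an elevated PowerShell prompt. Schannel only re-reads these keys at boot,
# so reboot before re-running the external scan.
# Windows Server 2003 does not ship PowerShell; there, merging a .reg file is the simpler route.

$protocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'
$protocolsToDisable = @('SSL 2.0', 'SSL 3.0')

# Backup location is an assumption; change it to suit. reg.exe export writes a mergeable .reg file.
$backupFile = Join-Path $env:TEMP 'Schannel-Protocols-backup.reg'
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols' $backupFile /y | Out-Null
Write-Output "Backup of the Protocols key written to $backupFile"

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name)
    $serverKey = Join-Path $protocolsPath "$Name\Server"
    # New-Item -Force also creates the missing parent key (e.g. 'SSL 3.0' when only 'SSL 2.0' exists).
    if (-not (Test-Path $serverKey)) {
        New-Item -Path $serverKey -Force | Out-Null
    }
    # Enabled = 0 (REG_DWORD) is the switch KB245030 documents for turning the protocol off.
    New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Test-SchannelProtocolDisabled {
    param([Parameter(Mandatory)][string]$Name)
    $serverKey = Join-Path $protocolsPath "$Name\Server"
    if (-not (Test-Path $serverKey)) { return $false }
    $item = Get-ItemProperty -Path $serverKey -Name 'Enabled' -ErrorAction SilentlyContinue
    # A missing Enabled value means the protocol is still at its default (enabled).
    return ($null -ne $item) -and ($item.Enabled -eq 0)
}

foreach ($protocol in $protocolsToDisable) {
    Disable-SchannelProtocol -Name $protocol
    if (Test-SchannelProtocolDisabled -Name $protocol) {
        Write-Output "$protocol (Server): Enabled=0, will be off after reboot"
    } else {
        Write-Warning "$protocol (Server): Enabled value not set as expected, check permissions"
    }
}
Write-Output 'Reboot the server, then re-run the scan against the external FQDN, not the IP address.'
```

If something on the network turns out to need one of the old protocols after the reboot, the backup file can be merged back with reg.exe import (or by double-clicking it) to restore the previous state.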
Hello, I just tried to run the scan for the network using https://www.ssllabs.com/ssltest/, but it will not allow an IP address... any suggestions?

Expert Comment by: Damien Kay
Do you have access to your domain DNS?  Since you have SSL Enabled, you have an SSL Certificate installed, so you must have a domain name associated with that in some way...

Author Comment by: Deerek11
Yes, the domain name is with GoDaddy, but WorldPay had us run it on that domain name at first and it failed with about thirty-something critical errors. They told me that was wrong and that I should run it within the network IP address, so I did a "what is my IP" inside the network and we ran the scan on the IP address of the network.

Assisted Solution by: Damien Kay (earned 250 total points)
That is correct, an IP Address will not work.

First, for the SSL Certificate to work right, you must have a FQDN to browse to it. That FQDN must resolve to the external IP Address of the server you are trying to secure. It is that name that you must use in the SSLLABS test.

A typical example of a FQDN for remote access to a WSE2012R2 server would be "https://remote.domain.com"

If you have some other configuration, please let me know so I can help you further...