Windows: SSLv3 disable

Hello,

How would I check if SSLv3 is disabled in Windows 2008 R2? Is there any test I can perform locally to make sure SSLv2 and SSLv3 are disabled? These servers cannot access the internet.

Thanks for your assistance
Asked by: Parity123

Amit (IT Architect) Commented:
If you have IIS on this server, then SSL v2 and v3 are allowed by default. However, you can disable them by creating a registry key. Read this:
https://technet.microsoft.com/en-us/library/security/3009008.aspx

Check the Server section for how to disable it.

To check, you can use a site like https://www.ssllabs.com/ssltest/index.html

However, I prefer not to use it.
Parity123 (Author) Commented:
Thanks Amit. I want to check, after disabling, that it is indeed disabled. Is a reg check the only method to confirm it is disabled, or is there any tool to confirm? I cannot access the second link because the servers cannot access the internet.
Amit (IT Architect) Commented:
Either you check via that site, or the reg key is the best way to confirm that SSL v3 is disabled. I am also doing the same for one of my customers. Below are the issues you might face.

1. If you have apps that use weak ciphers, they will fail as well.
2. If you have apps that are poorly written and use old SSL standards, they too will fail.

If your servers are not open to the internet, you can leave it. I only implemented it on servers that are directly accessed via the internet, like web servers.
Parity123 (Author) Commented:
Thanks Amit for sharing the info. Could you please let me know if there are any known applications that can cause issues?

Some of the servers have internet access; I was trying to write a script to validate that SSLv3 is disabled on all servers. I will just check the reg key for now.

Did you have any issues with print servers, etc.?
Amit (IT Architect) Commented:
I am still working with the customer and reviewing the risk. You might need to involve your application teams and let them know about this change. Planning might take time; implementation is easy. In case you see any issue, remove the key. However, you need a restart.

I am not sure how big your IT environment is. However, for me it is mammoth, as I need to implement it in 5 forests.
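
The registry check discussed in this thread can be scripted across servers without internet access. The following is an added example, not code posted by anyone in the thread; it reads the server-side SCHANNEL protocol keys described in the Microsoft advisory linked above. The server names are constructed placeholders, and the function name `Get-SchannelServerState` is hypothetical.

```powershell
# Added example: report the server-side SCHANNEL setting for SSL 2.0 and SSL 3.0.
# Written to run on PowerShell 2.0 (the version shipped with Windows Server 2008 R2).
$servers   = @('SERVER01', 'SERVER02')   # constructed placeholder names
$protocols = @('SSL 2.0', 'SSL 3.0')

function Get-SchannelServerState {
    param([string]$ComputerName, [string]$Protocol)

    $base  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    # No key or no "Enabled" value means the operating system default applies.
    $state = 'NotConfigured (OS default applies)'
    try {
        # Remote read; requires the Remote Registry service and admin rights on the target.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key  = $hklm.OpenSubKey("$base\$Protocol\Server")
        if ($key -ne $null) {
            $enabled = $key.GetValue('Enabled', $null)
            if ($enabled -ne $null) {
                # DWORD 0 disables the protocol; any non-zero value enables it.
                if ($enabled -eq 0) { $state = 'Disabled' } else { $state = 'Enabled' }
            }
            $key.Close()
        }
        $hklm.Close()
    }
    catch {
        # Unreachable host, access denied, service stopped, etc.
        $state = "Error: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Computer = $ComputerName
        Protocol = $Protocol
        State    = $state
    }
}

$results = foreach ($s in $servers) {
    foreach ($p in $protocols) { Get-SchannelServerState -ComputerName $s -Protocol $p }
}
$results | Select-Object Computer, Protocol, State | Format-Table -AutoSize
```

A `Disabled` result reflects the registry configuration only; a server that has not been restarted since the key was changed may still be running with the previous setting.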