Categories: IIS SSL Windows

Disable SSL 3.0 in Windows Server

Disable SSL 3.0 in Windows Server and Linux

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

  1. Click Start, click Run, type regedt32 or regedit, and then click OK.
  2. In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    Note: If the complete registry key path does not exist, create it by expanding the available keys and using the New -> Key option from the Edit menu.
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.
    Note: If this value is already present, double-click it to edit its current value.
  6. In the Edit DWORD (32-bit) Value dialog box, type 0.
  7. Click OK, then restart the computer.

Note: This workaround disables SSL 3.0 for all server software installed on the system, including IIS. After applying it, clients that rely only on SSL 3.0 will no longer be able to communicate with the server.
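The steps above are a one-host, click-through procedure. The following Python script is an added example, not code from the article or from Microsoft: it writes the same change (a DWORD named Enabled set to 0 under the SSL 3.0\Server key) as a .reg file that can be applied with `reg import`, and it audits a `reg export` dump of the SCHANNEL\Protocols key so the state of many hosts can be checked centrally. The Client key it can optionally include is an extension beyond the article, which only covers the Server key; the sample export embedded in the script is constructed, not captured from a real machine.

```python
"""Audit and generate Schannel SSL 3.0 settings as .reg files.

Added example (not part of the original article). It reproduces the manual
regedit steps as a .reg file suitable for `reg import`, and audits a `reg export`
dump of the SCHANNEL\\Protocols key so the setting can be checked on many hosts
without clicking through Registry Editor on each one.
"""
import re
from typing import Dict

SCHANNEL = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
            r"\SecurityProviders\SCHANNEL\Protocols")
SSL3_SERVER = SCHANNEL + r"\SSL 3.0\Server"   # key named in the article's steps
# Client-side key: an extension beyond the article, which covers the Server key only.
SSL3_CLIENT = SCHANNEL + r"\SSL 3.0\Client"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def disable_ssl3_reg(include_client: bool = False) -> str:
    """Return .reg text setting Enabled=0 (DWORD) under SSL 3.0\\Server (and optionally \\Client)."""
    keys = [SSL3_SERVER] + ([SSL3_CLIENT] if include_client else [])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += [f"[{key}]", '"Enabled"=dword:00000000', ""]
    return "\r\n".join(lines)


def parse_reg_dwords(text: str) -> Dict[str, Dict[str, int]]:
    """Map each [key] section (lower-cased: the registry is case-insensitive) to its DWORD values."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result


def ssl3_status(text: str, key: str = SSL3_SERVER) -> str:
    """Classify one key: 'disabled' (Enabled=0), 'enabled' (non-zero) or 'default' (value absent)."""
    enabled = parse_reg_dwords(text).get(key.lower(), {}).get("enabled")
    if enabled is None:
        # No explicit value: Schannel's built-in default applies, which on the
        # releases listed in the article means SSL 3.0 is still available.
        return "default"
    return "disabled" if enabled == 0 else "enabled"


def load_reg_export(path: str) -> str:
    """Read a `reg export` file; Windows writes these as UTF-16LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample of what `reg export` produces on a host where SSL 3.0 was
# explicitly left on (Enabled=0xffffffff); not captured from a real system.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
"""

if __name__ == "__main__":
    print("sample export, server side:", ssl3_status(SAMPLE_EXPORT))        # enabled
    print("generated fix, server side:", ssl3_status(disable_ssl3_reg()))   # disabled
    print(disable_ssl3_reg(include_client=True))
```

To audit a real host, run `reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" schannel.reg` on it and pass `load_reg_export("schannel.reg")` to `ssl3_status`. A result of "default" means no explicit value exists, so the article's step 5 (creating the value) still needs to be done; the restart in step 7 is still required after importing the generated file.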

Affected Software

Operating System

  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for Itanium-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for x64-based Systems
  • Windows 8.1 for 32-bit Systems
  • Windows 8.1 for x64-based Systems
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows RT
  • Windows RT 8.1

Server Core installation option

  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2 (Server Core installation)


Vulnerability in SSL 3.0 Could Allow Information Disclosure

The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
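"Nondeterministic CBC padding" is the whole difference between SSL 3.0 and TLS here, and it is small enough to show in code. The following Python is an added educational example, not from the article or from either RFC: it implements the receiver-side padding rule of SSL 3.0 (RFC 6101 defines only the last byte, the padding length; the padding bytes themselves are unspecified, so a receiver has nothing to check them against) beside the rule of TLS 1.0 (RFC 2246 requires every padding byte to equal the padding length). It assumes a 16-byte block cipher and omits the MAC from the sample record. Run on a canonical padding and on one whose padding bytes were altered, the SSL 3.0 check accepts both while the TLS check rejects the altered one, which is why the mitigating factors below list TLS 1.0 and later as unaffected.

```python
"""Why SSL 3.0's CBC padding is 'nondeterministic' and TLS 1.0's is not.

Added educational example, not part of the original article. It compares the
padding rule of SSL 3.0 (RFC 6101: only the last byte, the padding length, is
defined; the padding bytes themselves are unspecified) with TLS 1.0 (RFC 2246:
every padding byte must equal the padding length). In both protocols the MAC is
computed before padding is added, so padding is never authenticated; the
difference is how much of it a receiver can check at all.
"""
from typing import Dict

BLOCK = 16  # assumption: a 16-byte block cipher such as AES-CBC


def ssl3_padding_ok(plaintext: bytes) -> bool:
    """SSL 3.0 rule: only the final byte (pad length) is checkable; it must be below the block size."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    return pad_len < BLOCK and pad_len + 1 <= len(plaintext)


def tls_padding_ok(plaintext: bytes) -> bool:
    """TLS 1.0 rule: the length byte and all pad_len padding bytes must carry the same value."""
    if not plaintext:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def padding_determinism_demo() -> Dict[str, bool]:
    """Run both checks on a canonical padding and on one with arbitrary padding bytes."""
    body = b"GET / HTTP/1.1\r\n"           # constructed 16-byte sample record body (MAC omitted)
    canonical = body + bytes([15]) * 16    # 15 padding bytes of 0x0f, then the length byte 0x0f
    arbitrary = body + bytes(range(15)) + bytes([15])  # same length byte, arbitrary padding bytes
    return {
        "canonical_ssl3": ssl3_padding_ok(canonical),
        "canonical_tls": tls_padding_ok(canonical),
        "arbitrary_ssl3": ssl3_padding_ok(arbitrary),   # SSL 3.0 cannot tell the two apart
        "arbitrary_tls": tls_padding_ok(arbitrary),     # TLS 1.0 rejects the altered padding
    }


if __name__ == "__main__":
    for name, ok in padding_determinism_demo().items():
        print(f"{name}: {ok}")
```

The practical consequence for a defender is that no cipher-suite tuning rescues SSL 3.0: the weakness is in the record format itself, so the only fix is to turn the protocol off, as the registry steps above do, and to move clients to TLS.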

The Heartbleed vulnerability, more formally known as CVE-2014-0160, allows an attacker to read up to 64 kilobytes of memory per attack on any connected client or server. It got its name because it is a flaw in OpenSSL's implementation of the Heartbeat Extension for the TLS and DTLS protocols (RFC 6520).

The vulnerability, which is caused by poorly written code, was discovered on the same day by Google and Codenomicon security researchers. The researchers quickly realized that an attacker could exploit the bug to expose encrypted content, usernames, passwords, and private keys for X.509 certificates. Because OpenSSL is used by approximately 66% of all active websites on the Internet, many experts have called Heartbleed one of the worst security bugs in the history of the Internet.

Heartbleed vulnerabilities exist in all versions of OpenSSL released between March 2012 and April 2014, at which time the software defect was corrected and OpenSSL version 1.0.1g was released. To lessen the potential negative effects of Heartbleed, OpenSSL.org recommends that enterprises upgrade to the most recent version of OpenSSL and reissue X.509 certificates with new keys.

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

Microsoft is announcing that SSL 3.0 will be disabled in the default configuration of Internet Explorer and across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.

Mitigating factors:

  • The attacker must make several hundred HTTPS requests before the attack could be successful.
  • TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Source (1): technet.microsoft.com
Source (2): techtarget.com
