For credit-card (PCI) compliance reasons I have to disable support for SSLv2
on my SBS2008 box. Like a good boy, I read the KB article 187498, called 'How
to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information
Services'. Unfortunately, the advice there does not match up with what I see
in the registry editor of my SBS2008 machine.
The article refers to
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
and says:
===
Typically, this key contains the following subkeys:
PCT 1.0
SSL 2.0
SSL 3.0
TLS 1.0
Each key holds information about the protocol for the key. Any one of these
protocols can be disabled at the server. To do this, you create a new DWORD
value in the server subkey of the protocol. You set the DWORD value to "00 00
00 00."
===
It then gives an example, of disabling PCT1:
------------------------------------------------------------------------
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
On the Edit menu, click Add Value.
In the Data Type list, click DWORD.
In the Value Name box, type Enabled, and then click OK.
------------------------------------------------------------------------
However, on my box I do NOT have a server key for SSLv2 in that branch of
the registry. I have an SSL v2 CLIENT key instead, and it already has a DWORD
named DisabledByDefault which is set to 1.
What is also interesting is that there is no protocol key for SSL v3, or
TLS, as referred to by the KB article.
According to the PCI scan by my credit card provider, SSLv2 is in fact
running. In that case, where is the server key maintained? It does not seem
to be where the KB article says.
{BTW, I am not running any credit card software on the SBS machine, but the
PCI stuff is highly neurotic, and I need to have no SSL v2 anywhere on the
network.}
Thanks for your help,
- Pasta
===
SCHANNEL\Protocols SubKey
The Protocols registry key under the SCHANNEL key is used to control the use
of protocols supported by the Schannel.dll file and to restrict the protocols
use to the TLS server or TLS client.
To prohibit the use of the protocols other than SSL 3.0 or TLS 1.0, change
the DWORD value data of the Enabled value to 0x0 in each of the following
registry keys under the Protocols key:
SCHANNEL\Protocols\PCT 1.0\Client
SCHANNEL\Protocols\PCT 1.0\Server
SCHANNEL\Protocols\SSL 2.0\Client
SCHANNEL\Protocols\SSL 2.0\Server
===
But as I said below, the SSL2.0\Server key does not exist. Should I just
create it and then set the DWORD? I'm a little reluctant to mess with the
registry without someone who knows more than me saying it's a good idea!
Thanks again,
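One way to carry out what the KB excerpt above describes, written as an added PowerShell example that is not from this thread or from Microsoft's article: it creates the missing SSL 2.0 (and PCT 1.0) Server and Client keys under the quoted Protocols path, sets a 32-bit DWORD named Enabled to 0 as the article specifies, also sets DisabledByDefault to 1 (the value already present on the poster's SSL 2.0\Client key), and reads the result back. It assumes it is run in an elevated PowerShell on the server itself; the function names and the $base variable are this example's own.

```powershell
# Added example, not from the thread: disable SSL 2.0 / PCT 1.0 in Schannel
# by creating the protocol\role keys from KB 187498 if they are absent.
# Assumes an elevated session on the machine being changed.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [string]$Protocol,                       # e.g. 'SSL 2.0'
        [string[]]$Roles = @('Server', 'Client')
    )
    foreach ($role in $Roles) {
        $key = Join-Path (Join-Path $base $Protocol) $role
        # The Server key may simply not exist yet (as on the poster's box);
        # Schannel treats a missing key as "use defaults", so create it.
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # KB 187498: a DWORD named Enabled set to 0 disables the protocol for
        # that role. Write a REG_DWORD (32-bit), the type the article names.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value 0 -Force | Out-Null
        # DisabledByDefault = 1 keeps the protocol out of the default list even
        # for applications that do not pass an explicit protocol set.
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([string]$Protocol, [string[]]$Roles = @('Server', 'Client'))
    foreach ($role in $Roles) {
        $key = Join-Path (Join-Path $base $Protocol) $role
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            New-Object PSObject -Property @{
                Protocol          = $Protocol
                Role              = $role
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        } else {
            New-Object PSObject -Property @{
                Protocol          = $Protocol
                Role              = $role
                Enabled           = '(key missing)'
                DisabledByDefault = '(key missing)'
            }
        }
    }
}

# Apply to the two protocols the KB excerpt says to prohibit, then verify.
Disable-SchannelProtocol -Protocol 'SSL 2.0'
Disable-SchannelProtocol -Protocol 'PCT 1.0'
Get-SchannelProtocolState -Protocol 'SSL 2.0' | Format-Table -AutoSize
Get-SchannelProtocolState -Protocol 'PCT 1.0' | Format-Table -AutoSize
```

Schannel reads these keys when the system starts, so the change only takes effect after a reboot; rerun Get-SchannelProtocolState afterwards to confirm both Server and Client show Enabled = 0 before the next PCI scan.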
"Psychopasta" <Psych...@discussions.microsoft.com> wrote in message news:64A3E638-3EAD-4F54...@microsoft.com...
Change the ssl to v3, block v2 and nothing breaks.
Psychopasta wrote:
> Yes indeed. It is silly and pointless, but I must do it!
>
> The question is how. Please see my original two posts again. The KB articles
> from MS are not really clear on how to do this with SBS2008.
>
> - Pasta
>
>
> "Susan Bradley" wrote:
>
>> Cris Hanna [SBS - MVP] wrote:
>>> One would hope that you don't have a publically facing website on your
>>> SBS 2008 server doing credit card processing.
> ___________________________________
>>> {BTW, I am not running any credit card software on the SBS machine, but the
>>> PCI stuff is highly neurotic, and I need to have no SSL v2 anywhere on the
>>> network.}
>
> ____________________________
> Hi Susan,
>
> Thanks. I did that. I used a 64-bit DWORD, as it seemed more appropriate on
> a 64-bit OS ;-)
>
> I'll let you know how the next PCI scan goes.
I was going to test some of this next month on IIS 7 for some PCI
public facing web servers that actually do process credit card data, I
have a canned .reg file which used to make the changes for me in IIS
6/W2k3, will be interesting to know if I can just use that as normal
on the 2k8 box.
Interestingly enough we don't have to make systems that don't come
into contact with credit card data PCI compliant, the SBS server would
come into this category in the organisation. However, different
accreditation bodies have different rules :).
You should reboot the box when you do this however to ensure it does
disable.
Thanks.
Andrew.
I don't have time today, so I'll return to this on Monday. Any ideas before
then are most welcome!
- P
"Psychopasta" wrote:
> Hi Susan,
>
> Thanks. I did that. I used a 64-bit DWORD, as it seemed more appropriate on
> a 64-bit OS ;-)
>
> I'll let you know how the next PCI scan goes.
>