How to configure Microsoft IIS to not accept SSLv2 connections

Had this pop up on a PCI scan on one of the windows servers I look after with a plesk control panel. The report was moaning about SSLv2 being enabled, below is the actual report

This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses that can lead to the compromise of data encrypted during the SSL session. Secure web applications should only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996 with numerous security enhancements over SSLv2. TLSv1 was introduced in 1999 as an enhancement to the security features of SSLv3. All modern browsers have support for both SSLv3 and TLSv1, and often disable support for SSLv2 in the interests of security. The PCI ASV Operational Requirements requires that if SSLv2 is used in the transmission of cardholder data, this must result in a failure. This was clarified in the PCI "Assessor Update: November 2008"

Service: (443) Microsoft-IIS/6.0
Evidence: Cipher: DES-CBC-MD5

This has been tested on a windows 2003 server.

For a quick overview you need to edit the registry and add a couple of “dword” values

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
“Enabled“=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
“Enabled“=dword:00000000

This will disable PCT 1.0 and SSL 2.0 forcing all connections to use SSLv3

This Microsoft article explains in depth on what you need to do if you are nto sure how to edit the registry LINK

2003, IIS, PCI, SSL, SSLv2, SSLv3, Windows

//-->

Print article

This entry was posted by PB on June 30, 2010 at 14:41, and is filed under PCI. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Comments (0)

No comments yet.

No trackbacks yet.

Backing up Putty Config

about 8 months ago - No comments

Ever wanted to backup your Putty settings, either because you are changing machine or you have spent such a long time configuring the multiple custom options in Putty you don’t want to ever lose all that work. Unfortunately Putty does not have an export option so we have to go back to basics and export More >

Why can’t you create a folder named CON in Windows

about 1 year ago - No comments

In all versions of Windows up to and including Windows 7 you will recieve “The specified device name is invalid.” when you try and create a folder called con. con along with the words listed below are described as reserved words. In MS-DOS, several special “device files” were available to aid in performing certain tasks, More >

File download in i.e. over https

about 1 year ago - No comments

Came across a strange issue only effecting I.E. if I try and download a .csv file over SSL (https) I kept getting the following message: All other browsers (Firefox, safari, …) all work fine. After doing a little digging there are a couple of registry keys you can change to fix the issue. This fix More >

Parent Paths in IIS 7

about 1 year ago - No comments

Classic ASP Parent Paths let developers use relative addresses that contain ".." in the paths to files or folders. The following example illustrates an ASP page that references an included file in a folder that uses a parent path:  By default in IIS 6.0 + parent paths are disabled, as far as More >

Windows Server 2008 R2 – Core Comparisons

about 1 year ago - No comments

What are 2008 R2 Server core’s The Server Core installation option is a new option that you can use for installing Windows Server 2008. A Server Core installation provides a minimal environment for running specific server roles, which reduces the maintenance and management requirements and the attack surface for those server roles. The Server Core More >

Upgrading PHP on a windows plesk server

about 1 year ago - No comments

PHP comes pre-installed along with Plesk on a windows server, and by default, PHP only gets upgraded as new versions of Plesk are released. Unfortunately the release cycle of the Plesk Control Panel does not keep pace with that of PHP, so the result is that VPS / VDS Containers are often running versions of More >

Upgrading BIND on a plesk windows server

about 1 year ago - 1 comment

If you want to manually upgrade the version of BIND running on your plesk windows server then follow the following steps: Check what version of bind you are currently running by going to the Components Management in plesk, you should see something like the following: Go to LINK and download desirable version of BIND for More >

How to determine the current release level of Jet 4.0

about 1 year ago - No comments

To determine the Jet 4.0 release level that is currently installed on your computer, follow these steps. Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps. Click Start, and then click Search. In the Search More >

adsiisex.dll missing when installing SMTP

about 1 year ago - No comments

Issue When trying to install SMTP service on windows 2003 server I was asked for adsiisex.dll during the install, I pointed the installer at the i386 directory and it still could not find adsiisex.dll adsiisex.dll (ADSI Extension) is a component from the software Internet Information Services version 6.0.1830 by Microsoft Corporation. Solution Once you start More >

PCI Scan – Plesk PHP easter egg issue

about 1 year ago - 1 comment

PCI Scan – Plesk PHP easter egg issue If your PCI scan reports the following: Port: 8443 Synops is: The configuration of PHP on the remote host allows disclosure of sensitive information. Description: The PHP install on the remote server is configured in a way that allows discloure of potentially sensitive information to an attacker More >

How to configure Microsoft IIS to not accept SSLv2 connections

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
“Enabled“=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
“Enabled“=dword:00000000

Related Posts

No comments yet.

No trackbacks yet.

Backing up Putty Config

Why can’t you create a folder named CON in Windows

File download in i.e. over https

Parent Paths in IIS 7

Windows Server 2008 R2 – Core Comparisons

Upgrading PHP on a windows plesk server

Upgrading BIND on a plesk windows server

How to determine the current release level of Jet 4.0

adsiisex.dll missing when installing SMTP

PCI Scan – Plesk PHP easter egg issue

Search

Links

Tag Cloud

Categories

Password Generator

Popular Posts

My Sites

Friends Sites

How to configure Microsoft IIS to not accept SSLv2 connections

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server] “Enabled“=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] “Enabled“=dword:00000000

Related Posts

No comments yet.

No trackbacks yet.

Search

Links

Tag Cloud

Categories

Password Generator

Popular Posts

My Sites

Friends Sites

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
“Enabled“=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
“Enabled“=dword:00000000