
How to protect your Windows server from POODLE SSLv3 vulnerability

In my last post about the POODLE vulnerability I concentrated on Unix software and lost sight of servers running on Windows.

But judging by web server popularity statistics, Microsoft-IIS holds a 13.5% share and third place in the top three, leaving all other web servers far behind.

Nobody in the comments pointed out this annoying omission, so I am correcting it with this article.

Information is relevant for Windows Server 2008 and IIS 7.5.



UPD: Habr user Ivan_83 earlier covered the broader aspects of hardening Windows 7 in his article; it also applies to other versions of Windows.


All changes will be made in the registry, so the first thing to do is to back it up:

Start the registry editor (regedit) -> File -> Export



Once the backup is done, let's proceed directly to the registry changes that disable SSLv2/SSLv3 and enable TLS.



Disable SSLv2 / SSLv3

In the registry editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

If the Server key is missing, create it.

Then create a DWORD (32-bit) value named "Enabled" with the value 0.

Repeat the same for the Client key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client



To disable SSLv3, repeat the procedure for the SSL 3.0 key.



Enable TLS

Enabling the TLS protocol follows a similar procedure.

Using the regedit registry editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Create a key named TLS 1.1 and, inside it, the subkeys Client and Server.

Just as when disabling SSLv2, create two DWORD (32-bit) values in each: one named "Enabled" with the value 1, and one named DisabledByDefault with the value 0.





After all the changes you have made, restart the server.
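The whole procedure above (backup, disabling SSL 2.0/3.0, enabling TLS 1.1, reading the result back) as a PowerShell script. This is an added example, not code from the original post; it assumes an elevated PowerShell session on the Windows Server 2008 / IIS 7.5 system the post covers. The registry keys and value names are the ones given in the text; the backup location and the Set-SchannelProtocol helper are my own.

```powershell
# Added example (not from the original post): applies the SCHANNEL registry
# changes described above with PowerShell instead of regedit.
# Assumes an elevated PowerShell session on Windows Server 2008 / 2008 R2.
# A reboot is required afterwards, as the post says.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Back up the SCHANNEL key before touching it (the equivalent of File -> Export in regedit).
#    The timestamped file name under %TEMP% is an assumption of this example.
$backup = Join-Path $env:TEMP ("schannel-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup | Out-Null
Write-Host "Registry backup written to $backup"

# Creates the Client and Server subkeys under a protocol key and sets the
# Enabled DWORD on both; DisabledByDefault is written only when given.
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,   # e.g. 'SSL 3.0', 'TLS 1.1'
        [Parameter(Mandatory=$true)][int]$Enabled,
        [Nullable[int]]$DisabledByDefault = $null
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $Enabled -Force | Out-Null
        if ($null -ne $DisabledByDefault) {
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
                -Value $DisabledByDefault -Force | Out-Null
        }
    }
}

# 2. Disable SSL 2.0 and SSL 3.0 (Enabled = 0 on Client and Server).
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enabled 0
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enabled 0

# 3. Enable TLS 1.1 (Enabled = 1, DisabledByDefault = 0 on Client and Server).
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled 1 -DisabledByDefault 0

# 4. Read everything back so the result can be checked before rebooting.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $schannel $proto) $side
        $p = Get-ItemProperty -Path $key
        '{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f $proto, $side, $p.Enabled, $p.DisabledByDefault
    }
}
Write-Host 'Reboot the server for SCHANNEL to pick up the new settings.'
```

The read-back loop at the end is the check worth keeping: SCHANNEL only reads these keys at boot, so a typo in a key name (for example a missing space in "SSL 3.0") silently leaves the protocol enabled, and the printed table makes that visible before the reboot.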



As a bonus for those who read up to this place:

For IIS there is a free tool called IISCrypto, available at https://www.nartac.com/Products/IISCrypto/Default.aspx

The application runs on Windows Server 2003, 2008 and 2012 and lets you enable or disable any of the encryption protocols in two clicks; it can also check a remote web server.

For convenience it even ships with ready-made templates, which give you presets for various security configurations.



Source: https://habr.com/ru/post/242493/
