How to protect your Windows server from POODLE SSLv3 vulnerability
In the last publication about the POODLE vulnerability, I lost sight of the servers running on Windows OS, concentrating on unix software.
But judging by the statistics of the popularity of web servers, Microsoft-IIS occupies 13.5%, and the third place in the top three, leaving far behind all other web servers.
And in the comments nobody paid attention to the annoying omission and I correct this article.
Information is relevant for Windows Server 2008 and IIS 7.5.
UPD : Habrayuzer Ivan_83 previously reviewed more widely in his article aspects of improving security on Windows 7, which also applies to other versions of Windows.
')
All changes will be made in the registry, so the first thing to do is to back it up:
start registry editor regedit -> File -> Export
After the backup is done, let's proceed directly to making changes to the registry to disable SSLv2 and enable TLS.
Disable SSLv2 / SSLv3
In the registry editor, go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ SSL 2.0 \ Server
If the Server section is missing, you must create it.
Then create a DWORD parameter (32 bits) with the name “Enabled” and the value 0
Repeat the same for the Client section.
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ SSL 2.0 \ Client
To disable SSLv3, repeat the procedure for the SSL 3.0 section.
Enable TLS
The inclusion of the TLS encryption algorithm follows a similar scenario.
Using the regedit registry editor, go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols
And create a partition TLS 1.1 and within it subsections Client and Server
Just as with SSLv2 disabled, create two DWORD parameters (32 bits): with the name “Enabled” and value 1; and with the name DisabledByDefault and value 0.
After all the changes you have made, restart the server.
As a bonus for those who read up to this place:
For IIS, there is a free tool called IISCrypto, which you can take from the link: https://www.nartac.com/Products/IISCrypto/Default.aspx
The application runs under Windows Server 2003, 2008 and 2012 and allows you to enable or disable any of the encryption protocols in two clicks. And also check the remote web server.
For convenience, even prepared templates. With which you can use presets for various security settings.
But judging by the statistics of the popularity of web servers, Microsoft-IIS occupies 13.5%, and the third place in the top three, leaving far behind all other web servers.
And in the comments nobody paid attention to the annoying omission and I correct this article.
Information is relevant for Windows Server 2008 and IIS 7.5.
UPD : Habrayuzer Ivan_83 previously reviewed more widely in his article aspects of improving security on Windows 7, which also applies to other versions of Windows.
')
All changes will be made in the registry, so the first thing to do is to back it up:
start registry editor regedit -> File -> Export
After the backup is done, let's proceed directly to making changes to the registry to disable SSLv2 and enable TLS.
Disable SSLv2 / SSLv3
In the registry editor, go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ SSL 2.0 \ Server
If the Server section is missing, you must create it.
Then create a DWORD parameter (32 bits) with the name “Enabled” and the value 0
Repeat the same for the Client section.
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols \ SSL 2.0 \ Client
To disable SSLv3, repeat the procedure for the SSL 3.0 section.
Enable TLS
The inclusion of the TLS encryption algorithm follows a similar scenario.
Using the regedit registry editor, go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ SecurityProviders \ SCHANNEL \ Protocols
And create a partition TLS 1.1 and within it subsections Client and Server
Just as with SSLv2 disabled, create two DWORD parameters (32 bits): with the name “Enabled” and value 1; and with the name DisabledByDefault and value 0.
After all the changes you have made, restart the server.
As a bonus for those who read up to this place:
For IIS, there is a free tool called IISCrypto, which you can take from the link: https://www.nartac.com/Products/IISCrypto/Default.aspx
The application runs under Windows Server 2003, 2008 and 2012 and allows you to enable or disable any of the encryption protocols in two clicks. And also check the remote web server.
For convenience, even prepared templates. With which you can use presets for various security settings.
Source: https://habr.com/ru/post/242493/
All Articles