Disable SSLv2: When older is not better

What is SSL 

Secure Sockets Layer (SSL) is a technology that encrypts data sent between a user's browser and a website or application on a server. The purpose of SSL is to secure the information preventing eavesdropping and tampering. 

Why disable SSLv2

Originally released in 1995, SSLv2 is a protocol used to encrypt data sent over the internet, ensuring that the information remains private and secure. However, being an older cypher, there has been significant opportunity to find vulnerabilities such as the Drown protocol (aka CVE-2016-0800). These Vulnerabilities allow attackers to break the encryption, gaining access to private user data.

Note: This protocol is disabled by default if the registry key is not present. A reboot is required for these changes to be reflected.

It is also important before disabling SSLv2 to ensure all machines and apps running on the server are using SSLv2 as these may no longer work correctly after SSLv2 is disabled for IIS.

SSLv2 vs SSLv3 vs TLS

SSLv3 is a newer version of SSLv2, which is more secure having patched the vulnerabilities present in SSLv2. After SSLv3, the protocol was renamed from Secure Sockets Layer (SSL) to Transport Layer Security (TLS) which is a more secure evolution of SSL. 

Since release, vulnerabilities have been identified in SSLv2, SSLv3, TLS 1.0 and TLS 1.1, therefore it is best to use the newer encryption protocols: TLS 1.2 or TLS 1.3. 

SSLv2 in the PCI and DSS industries 

In both the Payment card industry (PCI) and Data security standard (DSS) it is required that merchants handling credit card data use a strong layer of cryptography and security protocols. This includes SSL, TLS or IPSEC, however SSLv2 is no longer considered strong and must be disabled in order to meet PCI and DSS compliance standards. 

How to disable SSLv2 or SSLv3

Perform the following to disable SSL 2.0

• Open regedit
• Navigate to
  

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  then right ciick on ‘New‘ then ‘Key‘

• Create the relevant key, in this example SSL 2.0:

• Repeat the steps to create Server and Client keys under the relevant SSL version

• For each Client\Server create the following DWORD values Enabled and DisabledByDefault:

Make sure that modify the DisabledByDefault value to 1:

DisabledByDefault Set the following Registry key to 1.

Enabled set the following Registry key to 0.

*  NOTE: The same procedure can be applied to key names SSL 3.0

Disable SSLv2 using PowerShell:

Default value 

Enabled

Recommended setting

It is recommended to disable this setting. Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data.

Ensuring a strong security posture 

Disabling the SSLv2 security setting is crucial for maintaining a strong security posture. It is important to regularly update security settings to ensure that a system is protected against new threats and keeps up with the latest security standards. Server hardening mitigates these risks by automatically reinforcing security, keeping all settings up to date and in line with security standards.