What is SSL 

 

Secure Sockets Layer (SSL) is a technology that encrypts data sent between a user's browser and a website or application on a server. The purpose of SSL is to secure that information, preventing eavesdropping and tampering.

 

Why disable SSLv2

 

Originally released in 1995, SSLv2 is a protocol used to encrypt data sent over the internet, ensuring that the information remains private and secure. However, being an older protocol, there has been significant opportunity to find vulnerabilities in it, such as the DROWN attack (CVE-2016-0800). These vulnerabilities allow attackers to break the encryption and gain access to private user data.

 

Note: This protocol is disabled by default if the registry key is not present. A reboot is required for these changes to be reflected.

 

It is also important, before disabling SSLv2, to check whether any machines or apps running on the server still rely on SSLv2, as these may no longer work correctly once SSLv2 is disabled for IIS.

 

SSLv2 vs SSLv3 vs TLS

 

SSLv3 is the successor to SSLv2 and is more secure, having patched the vulnerabilities present in SSLv2. After SSLv3, the protocol was renamed from Secure Sockets Layer (SSL) to Transport Layer Security (TLS), a more secure evolution of SSL.

 

Since their release, vulnerabilities have been identified in SSLv2, SSLv3, TLS 1.0 and TLS 1.1, so it is best to use the newer protocol versions: TLS 1.2 or TLS 1.3.

 

SSLv2 and PCI DSS compliance

 

The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants handling credit card data use strong cryptography and security protocols. This includes SSL, TLS or IPsec; however, SSLv2 is no longer considered strong and must be disabled in order to meet PCI DSS compliance requirements.

 

How to disable SSLv2 or SSLv3

 

Perform the following to disable SSL 2.0:

  • Open regedit.
  • Navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    then right-click, choose 'New', then 'Key'.

  • Create the relevant key, in this example SSL 2.0.

  • Repeat the steps to create Server and Client keys under the relevant SSL version.

  • For each Client\Server key, create the following DWORD values: Enabled and DisabledByDefault.

Make sure to set the DisabledByDefault value to 1:

DisabledByDefault: set the following registry values to 1.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server:DisabledByDefault
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client:DisabledByDefault

Enabled: set the following registry values to 0.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server:Enabled
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client:Enabled

*  NOTE: The same procedure can be applied to the key name SSL 3.0.

 

Disable SSLv2 using PowerShell (run from an elevated prompt; a reboot is required afterwards):

# Create the Server and Client keys under SSL 2.0 (-Force avoids an error if they already exist)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
# Enabled = 0 switches the protocol off for the server and client sides
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null
# DisabledByDefault = 1 keeps it off even when an application does not specify which protocols to use
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force | Out-Null
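As an added verification step (not part of the original article), the following PowerShell script reads back the same SCHANNEL registry keys that the manual and PowerShell procedures above create, for SSL 2.0 and for SSL 3.0 as the note suggests, and reports whether each Server/Client entry is explicitly disabled. The function name Get-SchannelProtocolState and the $base variable are names chosen here.

```powershell
# Added audit script (not from the original article). Run in an elevated PowerShell.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path $base "$proto\$side"
            if (-not (Test-Path $path)) {
                # No key present: the protocol follows the OS default (see the note above),
                # so it is not *explicitly* disabled and is reported as not hardened.
                [pscustomobject]@{
                    Protocol = $proto; Side = $side; KeyPresent = $false
                    Enabled = $null; DisabledByDefault = $null; Hardened = $false
                }
                continue
            }
            $key = Get-ItemProperty -Path $path
            # Hardened means exactly what the procedure sets: Enabled=0 and DisabledByDefault=1
            $hardened = ($key.Enabled -eq 0) -and ($key.DisabledByDefault -eq 1)
            [pscustomobject]@{
                Protocol = $proto; Side = $side; KeyPresent = $true
                Enabled = $key.Enabled; DisabledByDefault = $key.DisabledByDefault
                Hardened = $hardened
            }
        }
    }
}

# Print the table and flag any entry that still needs the registry change (and a reboot).
$state = Get-SchannelProtocolState
$state | Format-Table -AutoSize
$needsWork = @($state | Where-Object { -not $_.Hardened })
if ($needsWork.Count -gt 0) {
    Write-Warning "$($needsWork.Count) protocol/side entries are not explicitly disabled."
} else {
    Write-Host 'SSL 2.0 and SSL 3.0 are explicitly disabled for both Server and Client.'
}
```

Pass additional names such as 'TLS 1.0' or 'TLS 1.1' via -Protocols to audit the other legacy versions mentioned above with the same check.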

 

Default value 

Enabled

 

Recommended setting

It is recommended to disable this setting. Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data.

 

Ensuring a strong security posture 

 

Disabling the SSLv2 security setting is crucial for maintaining a strong security posture. It is important to regularly update security settings to ensure that a system is protected against new threats and keeps up with the latest security standards. Server hardening mitigates these risks by automatically reinforcing security, keeping all settings up to date and in line with security standards. 
