What is SSL
Secure Sockets Layer (SSL) is a protocol that encrypts data sent between a user's browser and a website or application on a server. Its purpose is to protect that information from eavesdropping and tampering while it is in transit.
Why disable SSLv2
Originally released in 1995, SSLv2 was the first widely deployed version of the protocol used to encrypt data sent over the internet. Being that old, it has had decades of scrutiny and serious weaknesses have been found in it, most notably the DROWN attack (CVE-2016-0800). DROWN is a cross-protocol attack: an attacker who can reach any server that still accepts SSLv2 can use it to decrypt TLS sessions protected by the same RSA key, even if no real client ever speaks SSLv2. These vulnerabilities allow attackers to break the encryption and gain access to private user data.
Note: If the registry keys below are not present, the operating system default applies, and that default differs between Windows versions (older releases enable SSLv2 on the server side, newer releases disable it). Setting the keys explicitly makes the state independent of the default. A reboot is required for these changes to take effect.
Before disabling SSLv2 it is also important to confirm that no machines or applications that connect to the server still depend on SSLv2, because they will no longer be able to connect once SSLv2 is disabled for IIS. Test the change on a non-production server first.
SSLv2 vs SSLv3 vs TLS
SSLv3 succeeded SSLv2 and fixed the weaknesses known at the time, but it has since been broken as well (the POODLE attack, CVE-2014-3566). After SSLv3 the protocol was renamed from Secure Sockets Layer (SSL) to Transport Layer Security (TLS), which is a more secure evolution of SSL.
Since their release, vulnerabilities have been identified in SSLv2, SSLv3, TLS 1.0 and TLS 1.1 (TLS 1.0 and 1.1 are formally deprecated by RFC 8996), so the newer protocols TLS 1.2 or TLS 1.3 should be used.
SSLv2 and PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) requires merchants handling cardholder data to protect it in transit with strong cryptography and security protocols, such as TLS, IPSEC or SSH. Since PCI DSS v3.1, SSL (any version) and early TLS are no longer considered strong cryptography, so SSLv2 must be disabled in order to meet PCI DSS compliance.
How to disable SSLv2 or SSLv3
Perform the following to disable SSL 2.0:
- Open regedit
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, right click the Protocols key and choose 'New' then 'Key'
- Create the key for the protocol you are disabling, in this example SSL 2.0
- Repeat the steps to create Server and Client keys under the protocol key (Server controls IIS and other listeners, Client controls outbound connections made from the machine)
- Under each of the Client and Server keys create two DWORD values named Enabled and DisabledByDefault, with the following values:
DisabledByDefault: set the following registry values to 1.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server:DisabledByDefault
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client:DisabledByDefault
Enabled: set the following registry values to 0.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server:Enabled
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client:Enabled
* NOTE: The same procedure applies to the key name SSL 3.0 (and to TLS 1.0 and TLS 1.1 once you have confirmed no clients depend on them).
Disable SSLv2 using PowerShell:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled' -Value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name 'DisabledByDefault' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -Value '1' -PropertyType 'DWord' -Force | Out-Null
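As an added example that is not part of the original page, the following PowerShell generalizes the registry procedure and the snippet above: one function writes the Enabled and DisabledByDefault values for both the Server and Client roles of any Schannel protocol, and a second reads the keys back so you can verify what is on disk before rebooting. It is assumed to run in an elevated session on Windows; the function names Set-SchannelProtocol and Get-SchannelProtocolState and the $SchannelProtocols variable are names chosen for this example, not a Windows API. The same function also covers SSL 3.0 and, after checking client compatibility, TLS 1.0 and TLS 1.1 as recommended earlier on the page.

```powershell
# Added example, not from the original page. Assumes an elevated (Administrator)
# PowerShell session on Windows. A reboot is still required before Schannel
# picks up the new values.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    # Enable or disable one Schannel protocol for both the Server and Client roles.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,

        [Parameter(Mandatory = $true)]
        [bool]$Enable
    )

    # Both roles must be set: Server covers IIS and other listeners,
    # Client covers outbound connections made by code on the box.
    foreach ($role in 'Server', 'Client') {
        $path = Join-Path -Path (Join-Path -Path $SchannelProtocols -ChildPath $Protocol) -ChildPath $role
        if ($PSCmdlet.ShouldProcess($path, "Set Enabled=$([int]$Enable)")) {
            # -Force creates the intermediate protocol key if it does not exist yet
            New-Item -Path $path -Force | Out-Null
            # Enabled=0 turns the protocol off; DisabledByDefault=1 additionally stops
            # applications from negotiating it unless they opt in explicitly.
            New-ItemProperty -Path $path -Name 'Enabled' -Value ([int]$Enable) -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Report the on-disk state of every protocol/role pair. An absent key means
    # the OS default applies, which differs between Windows versions, so it is
    # reported as such rather than guessed.
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($role in 'Server', 'Client') {
            $path = Join-Path -Path (Join-Path -Path $SchannelProtocols -ChildPath $protocol) -ChildPath $role
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $state = if ($null -eq $props) {
                'OS default (key absent)'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } elseif ($props.DisabledByDefault -eq 1) {
                'Enabled, but off by default'
            } else {
                'Enabled'
            }
            [pscustomobject]@{ Protocol = $protocol; Role = $role; State = $state; Path = $path }
        }
    }
}

# Protocols to switch off. Add 'TLS 1.0' and 'TLS 1.1' to this list only after
# confirming that no client or application connecting to this server needs them.
$ProtocolsToDisable = 'SSL 2.0', 'SSL 3.0'

foreach ($legacy in $ProtocolsToDisable) {
    Set-SchannelProtocol -Protocol $legacy -Enable $false
}

# Verification: show what is now configured for every protocol and role.
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host 'Reboot the server for Schannel to apply these settings.'
```

Because the function supports ShouldProcess, running the script with -WhatIf on the Set-SchannelProtocol calls shows which keys would be written without touching the registry, which is a useful dry run on a production box. Get-SchannelProtocolState only reports the registry contents; a protocol shown as "OS default (key absent)" is not necessarily enabled, it simply has not been pinned either way.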
Default value
Enabled on older Windows versions; newer Windows versions disable SSL 2.0 by default. When no registry key is present, the operating system default applies.
Recommended setting
It is recommended to disable this setting. Disabling weak protocols will help ensure the confidentiality and integrity of in-transit data.
Ensuring a strong security posture
Disabling SSLv2 is one necessary step in maintaining a strong security posture. Security settings should be reviewed regularly so that the system stays protected against new threats and keeps up with current security standards. Server hardening reduces these risks by enforcing settings like this one consistently and keeping them in line with those standards.