How To Disable Sslv3 In Windows 2008
As most everyone has heard, SSL 2.0 has been compromised. Most PCI certification regimes are requiring SSL 2.0 to be disabled. I am sure that with POODLE, SSL 3.0 is not far behind, but that is for another article.
I have written the following batch file to make all the needed changes and save some legwork.
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
Just copy and paste the code into a text editor such as Notepad, save the file as a .cmd, and run it as administrator. Reboot your server and you are all set to go.
Now, for all you folks who like to do things the old-fashioned way, here is the documentation to do it manually using regedit.
regedit can be opened with "Start", "Run", regedit
Once there, find this entry:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
Right-click on the SSL 2.0 folder and select New, then click Key. Name the new folder Server.
Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
Enter Enabled as the name and hit Enter.
Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
regedit can be opened with "start", "run", regedit
Once there, find this entry:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
Right-click on the SSL 3.0 folder and select New, then click Key. Name the new folder Server.
Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
Enter Enabled as the name and hit Enter.
Right-click and select Modify and enter 1 as the Value data.
regedit can be opened with "start", "run", regedit
Once there, find this entry:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
Right-click on the TLS 1.0 folder and select New, then click Key. Name the new folder Server.
Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
Enter Enabled as the name and hit Enter.
Right-click and select Modify and enter 1 as the Value data.
Restart the computer.
Now we need to test and make sure our work was successful. You can accomplish this a couple of different ways. I personally use the easy way of going to the following website and entering my web server's address.
https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm
If all is successful, you should see that SSL 2.0 is disabled and SSL 3.0 and TLS 1.0 are enabled.
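A local check can complement the website test by reading the registry values back after the reboot. The PowerShell script below is an added example, not part of the original article; the expected values are copied from the batch file above, the function name Get-SchannelEnabled is hypothetical, and it assumes PowerShell is installed on the server and run from an elevated prompt.

```powershell
# Added example (not from the original article): audit the SChannel "Enabled"
# values that the article's batch file writes.
$base = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols'

# Expected state, copied from the article's REG ADD lines (0 = off, 1 = on).
$expected = @(
    @{ Protocol = 'SSL 2.0'; Role = 'Server'; Enabled = 0 },
    @{ Protocol = 'SSL 2.0'; Role = 'Client'; Enabled = 0 },
    @{ Protocol = 'SSL 3.0'; Role = 'Server'; Enabled = 1 },
    @{ Protocol = 'SSL 3.0'; Role = 'Client'; Enabled = 1 },
    @{ Protocol = 'TLS 1.0'; Role = 'Server'; Enabled = 1 },
    @{ Protocol = 'TLS 1.0'; Role = 'Client'; Enabled = 1 }
)

# Hypothetical helper: returns the Enabled DWORD, or $null when the key or
# the value does not exist (the OS default then applies).
function Get-SchannelEnabled {
    param([string]$Protocol, [string]$Role)
    $key = Join-Path (Join-Path $base $Protocol) $Role
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Enabled) { return $null }
    return $props.Enabled
}

$failures = 0
foreach ($e in $expected) {
    $actual = Get-SchannelEnabled $e.Protocol $e.Role
    if ($null -eq $actual) {
        # A missing value is reported as a failure: nothing was written here.
        $state = 'NOT SET (OS default applies)'
        $ok = $false
    } else {
        # This script treats any non-zero DWORD as enabled.
        $isOn = ($actual -ne 0)
        $ok = ($isOn -eq ($e.Enabled -ne 0))
        $state = if ($isOn) { 'enabled' } else { 'disabled' }
    }
    if (-not $ok) { $failures++ }
    $flag = if ($ok) { 'OK  ' } else { 'FAIL' }
    '{0}  {1}\{2}: {3}' -f $flag, $e.Protocol, $e.Role, $state
}

# Non-zero exit code lets a scheduled job or deployment script catch drift.
if ($failures -gt 0) { exit 1 }
```

The manual regedit steps above create only the Server key, so on a server configured that way the Client rows will report NOT SET.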
Source: https://www.mcgearytech.com/how-to-disable-ssl-2-0-sslv2-enable-ssl-3-0-server-2008-sbs-2008sbs2011/
Posted by: tateworactagoine.blogspot.com
