Mitigate SSL3 “poodle” vulnerability on Windows 7 and Windows XP

  • Question

  • Hello,

    I work for a company that has a large user base of employees who are remote workers. Their computers are mostly Windows 7, with a few XP systems. I’m looking for a way to disable the use of SSL 3 on the client systems due to the “Poodle” vulnerability. Group Policy is not an option as the machines are not domain joined but are managed by Altiris. I’ve seen some sites suggest that adding the following registry entry to the client system can achieve this goal (https://technet.microsoft.com/en-us/library/security/3009008.aspx):

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000

    Is this accurate? The results of my testing are unclear on this. I was thinking I could create a script that would add this key to the registry on the client systems and deploy it with Altiris.

    Thanks for your assistance

    Thursday, October 16, 2014 5:42 PM

All replies

  • No, that registry setting is for disabling SSL v3 on servers, not client machines. E.g. it makes it so that client machines connecting to the server (for instance an IIS web server) via SSL are not able to connect using SSL 3.

    At the client side you need to disable SSL v3 in their browser settings. See https://technet.microsoft.com/en-us/library/security/3009008.aspx for full details, but in your case, since you're unable to do it via GPO, in IE you'd need to do the following:

    • On the Internet Explorer Tools menu, click Internet Options.
    • In the Internet Options dialog box, click the Advanced tab.
    • In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 (if available).
    • Click OK.
    • Exit and restart Internet Explorer.

    and keep in mind that this is a per-browser setting, so if your users also use other browsers then settings will need to be updated for each of them. Each browser company has, I think, released instructions for how to restrict their own browser, or has plans to release new versions which don't allow SSL 3 at all.

    Thursday, October 16, 2014 8:44 PM
  • Thanks for your reply.

    This KB seems to imply that it can be done from the registry: https://support.microsoft.com/kb/245030

    Microsoft TLS/SSL Security Provider, the Schannel.dll file, uses the CSPs that are listed here to conduct secure communications over SSL or TLS in its support for Internet Explorer and Internet Information Services (IIS).

    These protocols can be disabled for the server or client architecture. This means the protocol can be omitted or disabled as follows:
    • The protocol can be omitted from the list of supported protocols that are included in the Client Hello when an SSL connection is started.
    • The protocol can be disabled on the server so that the server will not respond by using that protocol even if a client requests SSL 2.0.

    The client and server subkeys designate each protocol. You can disable a protocol for either the client or the server. However, disabling Ciphers, Hashes, or CipherSuites affects both client and server sides. You would have to create the necessary subkeys under the Protocols key to achieve this. For example:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]

    Friday, October 17, 2014 8:33 PM
  • No, I don't think that's the case. As I understand it, the Client / Server being discussed there is purely referring to the server side of things, but where it mentions "client" it's talking about what the server can use when it connects elsewhere and effectively becomes the client. For instance it mentions "To disable other protocols, select the side of the conversation for which you want to disable the protocol", which suggests a single server being either end of the conversation. Client OSes can also be in that situation, since it is perfectly possible for you to install server apps onto a client machine; for instance, IIS can be run from a desktop OS.

    That said, I wasn't certain so I've just done a test. I checked a test Windows 7 box and firstly confirmed that it is vulnerable to Poodle via www.poodletest.com. I checked the registry and discovered that none of those keys exist, only the client key for SSL v2. Since I don't know if the absence of the key prevents it, I then created the SSL v3 client key as described in that article, and then re-tested Internet Explorer and again it failed, so making the registry change had no effect. Finally, I adjusted my IE settings as described earlier to disable SSL v3 in IE and sure enough once I did that it reported that I was no longer vulnerable.

    Friday, October 17, 2014 9:15 PM
  • Making the change in the registry will require more than a restart of Internet Explorer. I have found that you will need to reboot the machine in order for the fix to take hold using the registry update. I have only tested this on a few machines so far and am in the process of rolling it out to more.

    Tuesday, October 21, 2014 6:36 PM
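A scripted version of the registry approach discussed in this thread, written as an added example (it was not posted by anyone in the thread): it writes Enabled=0 under both the SSL 3.0 Client and Server subkeys quoted from KB 245030 above, verifies the write, and signals that a reboot is required, as the reply above notes. It assumes it runs elevated under PowerShell 2.0 or later; the DisabledByDefault value comes from Microsoft's Schannel documentation, not from this thread.

```powershell
# Added example, not from the thread: disable SSL 3.0 in Schannel for both the
# client and server side of this machine, then signal that a reboot is needed.
# Assumes an elevated prompt. Paths match the KB 245030 keys quoted in the thread.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3Side {
    param([ValidateSet('Client','Server')][string]$Side)
    $path = Join-Path $base $Side
    # The SSL 3.0 subkeys are usually absent on Windows 7; -Force creates the parents too.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Enabled=0 switches the protocol off for this side of the conversation.
    New-ItemProperty -Path $path -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    # DisabledByDefault=1 is honoured by Vista and later (from Schannel docs, not the thread);
    # it is ignored, and harmless, on Windows XP.
    New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-Ssl3Disabled {
    param([ValidateSet('Client','Server')][string]$Side)
    $path = Join-Path $base $Side
    if (-not (Test-Path $path)) { return $false }
    $v = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    return ($v -eq 0)
}

foreach ($side in 'Client','Server') { Disable-Ssl3Side -Side $side }

if ((Test-Ssl3Disabled 'Client') -and (Test-Ssl3Disabled 'Server')) {
    Write-Output 'SSL 3.0 disabled in Schannel; reboot required before it takes effect.'
    # 3010 is the standard Windows "success, reboot required" exit code, which a
    # deployment tool such as Altiris can use to schedule the restart.
    exit 3010
} else {
    Write-Output 'Could not write the Schannel keys; confirm the script ran elevated.'
    exit 1
}
```

As the thread's own test shows, this only affects Schannel (Internet Explorer and other Schannel-based applications); browsers that ship their own TLS stack still need their own setting.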
  • Thanks. Fixed the issue with my Evernote sync on Windows XP SP3.

    -- philippeko

    Wednesday, December 3, 2014 9:09 AM