Is it possible to disable SSLv2 on a Windows 2008 domain controller so that secure LDAP communication is forced to use SSLv3 or TLSv1?

  • Question

  • Recently, my organization's security team ran a vulnerability scan of the network which reported that one of my domain controllers supported connecting on LDAP ports 636 and 3269 using SSLv2.  Unfortunately, SSL 2.0 is less secure than SSLv3 and TLSv1, so I am investigating whether turning off support for this security option is possible and realistic...my concerns are: one, I am dealing with a domain controller; and two, many custom and vendor applications across my enterprise perform LDAP queries against this box.

    In my quest to answer this question, I have searched the Internet many times for any information concerning DCs and disabling SSLv2, but to no avail.  I did find articles related to disabling SSLv2 in IIS; however, those articles mention creating a DWORD in the SSLv2 "Server" registry key, yet I noticed that my DC did not contain the SSLv2 "Server" registry key, only the SSLv2 "Client" registry key.

    So to recap:  (1) Is it possible to disable SSLv2 on a DC so that secure LDAP communication is forced to use SSLv3 or TLSv1?  (2) Are there any negative repercussions making this configuration change on a DC?  (3) How do I go about making this change on my DC?

    I appreciate your help.

    Thursday, May 14, 2009 12:05 AM

Answers

  • Hi,

    To disable SSLv2 on Windows Server 2008, please follow these steps:

    1.    Create a key named Server under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0 in the registry

    2.    Under the registry key Server, create a DWORD value named Enabled and change the value data to 0x0.

    For more information:

    How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030

    • Marked as answer by Joson Zhou Friday, May 22, 2009 7:33 AM
    Wednesday, May 20, 2009 7:16 AM
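The two registry steps above, scripted in PowerShell as an added example (this is not code from the original answer or from Microsoft). It creates the SSL 2.0\Server key if it is missing, sets Enabled to 0, and reads the values back. Two things go beyond the answer and are this example's own choices: it also writes DisabledByDefault=1 (the extra value a later reply in this thread set as a precaution), and it applies the same values to the Client subkey so the DC does not initiate SSLv2 either. Run it in an elevated PowerShell session on the DC; the change only takes effect after a reboot.

```powershell
# Added example (not from the original thread): disable SSL 2.0 in Schannel on
# Windows Server 2008 by writing the registry values the answer describes.
# Run elevated on the DC and reboot afterwards; Schannel does not re-read
# these keys on a running system.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Disable-Sslv2 {
    param(
        # Server covers LDAPS on 636/3269. Client is included here as well
        # (assumption of this example: you want both directions turned off).
        [string[]]$Sides = @('Server', 'Client')
    )
    # Create each level explicitly rather than relying on -Force to create parents.
    if (-not (Test-Path $base)) { New-Item -Path $base | Out-Null }

    foreach ($side in $Sides) {
        $key = "$base\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }

        # Enabled=0 turns the protocol off for this side. DisabledByDefault=1 is
        # the belt-and-braces value a later reply also set; -Force overwrites
        # any existing value of either name.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read back what was written so the change can be verified before the reboot.
    foreach ($side in $Sides) {
        Get-ItemProperty -Path "$base\$side" | Select-Object PSChildName, Enabled, DisabledByDefault
    }
}

Disable-Sslv2
```

The read-back at the end is what you compare against the scanner result after the reboot: if the Server subkey shows Enabled 0 and the scanner still reports SSLv2, the reboot has not happened yet or the scanner is reading a different host.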

All replies

  • I opened a case with Microsoft on this topic since I wasn't getting any replies to my forum question (until Joson responded).  And, Joson is right-on with his answer.  Below is the problem resolution from MS premier support:

    Resolution:

    Please find below the answers to the questions you had.

    1. Is it possible to disable SSLv2 on a DC so that secure LDAP communication is forced to use SSLv3 or TLSv1?
    Yes, it is possible to disable SSLv2 on a DC. Please find below the registry changes that have to be made on the DC to disable it:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    If the above registry key does not exist please create and reboot the server for the registry key to come into effect.
    Refer Article: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll : http://support.microsoft.com/kb/245030/en-us

    2. Are there any negative repercussions making this configuration change on a DC?
    If there are any applications that connect to the DC using SSL v2.0, they would fail to connect. So as long as there are no applications using SSL v2.0 there should not be an issue.
    From the OS perspective there is no component that requires SSL v2.0.

    3. How do I go about making this change on my DC?
    Refer answer to question 1.

    Follow-up Question:
    I read your resolution. I am familiar with the documents you provided. My Domain Controller does not have the registry key for SSL 2.0/server; so does this mean that I have to create the key?

    Follow-up Answer:
    If you do not have that registry key please create it. 

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

    ...then add the DWORD below and reboot.

    "Enabled"=dword:00000000

    P.S.
    One final note concerning this issue.  Since I have third-party applications running in my enterprise using SSL communication with this DC, before I can disable SSLv2, I need to analyze network traffic to see if there are any packets using SSLv2.  For this effort, I am using Microsoft Network Monitor 3.3 and have found that it identifies SSL packets and their versions right out-of-the-box.
    • Proposed as answer by Tariq Jaber Tuesday, May 22, 2012 7:07 AM
    Thursday, May 28, 2009 11:23 PM
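The follow-up question above turns on a distinction that is easy to miss when reading the registry by hand: a Server subkey that does not exist is not the same as one with Enabled set to 0, because Schannel then applies its built-in default, and on the poster's DC that default offered SSLv2. As an added example (not part of the Microsoft resolution or the poster's reply), here is a PowerShell function that reports, for each protocol's Server and Client subkeys, whether the key exists and what Enabled and DisabledByDefault are set to, showing "OS default" wherever nothing is set. The function name and the default protocol list are this example's own.

```powershell
# Added example (not from the original thread): report what the Schannel
# protocol keys on this machine actually say. An absent key or value is
# reported as "OS default" rather than as 0, because a missing key means
# Schannel's default applies, and that default is what the scanner saw
# when the poster had no SSL 2.0\Server key at all.
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        # Protocol names exactly as they appear as subkeys of Protocols.
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0')
    )
    foreach ($proto in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = "$protocolsRoot\$proto\$side"
            $exists = Test-Path $key
            $enabled = 'OS default'
            $disabledByDefault = 'OS default'
            if ($exists) {
                $props = Get-ItemProperty -Path $key
                # Test for the value by name: a value that is missing is not 0,
                # and Get-ItemProperty -Name would throw on a missing value.
                if ($props.PSObject.Properties['Enabled']) { $enabled = $props.Enabled }
                if ($props.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $props.DisabledByDefault }
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                KeyExists         = $exists
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
```

On a DC in the state the question describes, the output shows SSL 2.0 / Client with KeyExists True and SSL 2.0 / Server with KeyExists False and both values at "OS default"; that row is the one the resolution tells you to create.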
  • Does adding this Dword require a reboot?  I added the registry value but Scan Alert still says that SSLv2 is active on my server.
    Scott Lee
    Thursday, February 4, 2010 3:13 PM
  • Does adding this Dword require a reboot?  I added the registry value but Scan Alert still says that SSLv2 is active on my server.
    Scott Lee


    Read the prior statement and you'll see "...then add the DWORD below and reboot.", so:
    Yes, it does require a reboot to be applied!


    Switch on the computer at your workplace via WakeOnLAN (WOL) through the EBS and SBS Remote Web Workplace (RWW): http://WOL4RWW.de Now also for the SBS 2008 RWW!!
    Monday, May 10, 2010 11:37 AM
  • I do external port scanning for security purposes and even when I followed this route the external port scanning still reported SSL2 was in use (Windows Server 2008 r2 64 bit) even after a reboot.

    In the end I had to specify the ciphers etc to get it to exclude, these are the registry keys I had to create:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 128/128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 128/128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\Triple DES 168/168]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server]
    "Enabled"=dword:00000001

     

    Which includes the enabled=0 entry for SSL2 but didn't seem to pick this up until I had entered the necessary details for the ones I did want to use; not sure if it was just me, but the above definitely worked.

     

    • Proposed as answer by Ade Jones Tuesday, March 1, 2011 8:51 AM
    Friday, August 13, 2010 2:07 PM
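Two replies in this thread report that an external scanner still flagged SSLv2 after the registry change, so it is worth being able to ask the DC the same question the scanner asks rather than trusting the registry alone. As an added example that is not part of the original thread, the PowerShell function below sends a raw SSLv2 CLIENT-HELLO to an LDAPS port and reports whether the server answers with an SSLv2 SERVER-HELLO. No Schannel client code is involved, so the verdict reflects only the server's configuration. The function name, the cipher list, the timeout and the host name in the usage lines are this example's own choices.

```powershell
# Added example (not from the original thread): probe a DC for SSLv2 support on
# an LDAPS port by sending a raw SSLv2 CLIENT-HELLO, which is what external
# scanners do. LDAPS on 636/3269 expects TLS immediately, so no STARTTLS is needed.
function Test-Sslv2Offered {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    # SSLv2 cipher-kind values (3 bytes each) from the SSL 2.0 specification.
    $cipherSpecs = [byte[]](
        0x01,0x00,0x80,   # SSL_CK_RC4_128_WITH_MD5
        0x02,0x00,0x80,   # SSL_CK_RC4_128_EXPORT40_WITH_MD5
        0x03,0x00,0x80,   # SSL_CK_RC2_128_CBC_WITH_MD5
        0x04,0x00,0x80,   # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
        0x05,0x00,0x80,   # SSL_CK_IDEA_128_CBC_WITH_MD5
        0x06,0x00,0x40,   # SSL_CK_DES_64_CBC_WITH_MD5
        0x07,0x00,0xC0)   # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    $challenge = New-Object byte[] 16
    (New-Object System.Random).NextBytes($challenge)

    # CLIENT-HELLO body: msg type 0x01, version 0x0002, then the lengths of
    # cipher-specs, session-id (none) and challenge, followed by the data.
    $body = [byte[]](0x01, 0x00, 0x02,
                     0x00, $cipherSpecs.Length,
                     0x00, 0x00,
                     0x00, $challenge.Length) + $cipherSpecs + $challenge
    # Two-byte SSLv2 record header: high bit set = no padding, low 15 bits = length.
    $len = $body.Length
    $header = [byte[]]((0x80 -bor [int][math]::Floor($len / 256)), ($len % 256))
    [byte[]]$hello = $header + $body

    $buf = New-Object byte[] 4096
    $n = -1
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($hello, 0, $hello.Length)
        try { $n = $stream.Read($buf, 0, $buf.Length) } catch { $n = -1 }   # -1 = timed out
    } finally {
        $client.Close()
    }

    $offered = $false
    if ($n -lt 0) {
        $detail = 'no response within timeout'
    } elseif ($n -eq 0) {
        $detail = 'server closed the connection without a response'
    } elseif ($buf[0] -eq 0x15) {
        $detail = 'server sent an SSLv3/TLS alert record'           # v2 hello rejected
    } elseif ($buf[0] -eq 0x16) {
        $detail = 'server answered with an SSLv3/TLS handshake record'
    } elseif (($buf[0] -band 0x80) -and $n -ge 3 -and $buf[2] -eq 0x04) {
        # 2-byte v2 header followed by MSG-SERVER-HELLO (0x04): SSLv2 is live.
        $offered = $true
        $detail = 'server answered with an SSLv2 SERVER-HELLO'
    } else {
        $detail = ('unrecognized response, first bytes {0:X2} {1:X2} {2:X2}' -f $buf[0], $buf[1], $buf[2])
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Port         = $Port
        Sslv2Offered = $offered
        Detail       = $detail
    }
}

# Usage (dc01.example.com is a placeholder; test both LDAPS ports the scan flagged):
# foreach ($p in 636, 3269) { Test-Sslv2Offered -ComputerName 'dc01.example.com' -Port $p }
```

Run it from a machine other than the DC before and after the reboot. Sslv2Offered True with an SSLv2 SERVER-HELLO is the condition the scanner reports; after a successful change you should see the connection closed or an alert instead. If the server answers a plain SSLv3/TLS handshake record to a version 0x0002 hello, note the detail: that is not SSLv2, and a scanner that counts it as such is misreading the response.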
  • In an effort to consolidate the great troubleshooting solutions offered in this thread, we have summarized the information contained here into a Technet Wiki article at the following location:

    Please feel free to provide feedback on the article at the Wiki site, or you can edit the article itself.

    Thanks,

    Davanand Bahall - MSFT

    Friday, February 11, 2011 12:09 AM
  • Nick Lowther's answer worked for me on Windows Server 2008 standard.

    I was short of time after reading many less complete answers to this so I added "DisabledByDefault"=dword:00000001 to the SSL2.0\Server key. Not sure if this was necessary but I was in belt-n-braces mode. 

    Tuesday, March 1, 2011 8:50 AM