Disabling SSLv3

Deactivating SSLv3 on IIS

SSLv3 is an obsolete protocol, the main attack vector on which, at the time of writing, is an attack called POODLE. Disabling SSLv3 is the ultimate solution to mitigate security risks. Another option suitable for servers that critically require SSLv3 support is a signalizing TLS_FALLBACK_SCSV cipher suite that allows to keep SSLv3 enabled, but prevents downgrade attacks from higher protocols (TLSv1 =< ). Unfortunately, at the time of writing, Microsoft didn’t yet add support for TLS_FALLBACK_SCSV in SChanel. Therefore, disabling SSLv3 is the only mitigation measure a certificate administrator can apply against POODLE in case of a Windows Server.

  1. Open registry editor:

    Win + R >> regedit

  2. Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

    Hardening_9.jpg

  3. By default, there should be only one key presented “SSL 2.0”. We need to create a new one for SSLv3

    Right-click on Protocols >> New >> Key

    Name the key 'SSL 3.0'

    Hardening_10.jpg

  4. Right-click on SSL 3.0 >> New >> Key

    Hardening_11.jpg

    Name the key 'Server'

  5. Right-click on Server >> New >> DWORD (32-bit) Value

    Hardening_12.jpg

    Name the value 'Enabled'

  6. Double-click the Enabled value and make sure that there is zero (0) in the Value Data field >> click OK

    Hardening_13.jpg

  7. You may need to restart Windows Server to apply the changes.
Updated
Viewed
44853 times

Need help? We're always here for you.

notmyip