
Disabling Support for SSLv3 & TLSv1.0 on Server 2012

Fixing The Issues Natively

During both internal and external testing engagements, it’s not uncommon to find a multitude of SSL/TLS issues within the environment. It’s also not uncommon to find these issues still exist upon a retest.

Granted, SSL/TLS issues aren’t necessarily ones that require urgent action, but they do need solving.

Fixing such issues is relatively simple and only requires a few changes to the registry. In this post, I’m going to walk through disabling support for SSLv3 and TLSv1.0 in a step-by-step process. I’ve also made a video about how to remediate this finding on YouTube.

Removing support for other TLS issues (RC4, Triple DES and Diffie-Hellman) can be found in my other post here.

Disabling SSLv3 & TLSv1.0

SSLv3 & TLS v1.0 supported

If your business includes taking card payments from customers, then you will likely be aware that support for TLS v1.0 will be deprecated by the Payment Card Industry (PCI) as of June 2018. More details on this here.

This is the first SSL/TLS issue we’re going to resolve. As previously mentioned, all of this is done in the Registry Editor. Start the Registry Editor and locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Within the ‘SCHANNEL’ key, you will notice a subkey named ‘Protocols’.

Right click on ‘Protocols’ and select new > key. Call this key ‘SSL 3.0’.

Repeat this process, calling the second key ‘TLS 1.0’, as pictured below.

Subkeys ‘SSL 3.0’ and ‘TLS 1.0’ added

Within both the SSL 3.0 and TLS 1.0 subkeys, two further keys have been created: one named ‘Client’ and one named ‘Server’. Right click on ‘Client’ and select new > DWORD.

Creating a new DWORD

Call this DWORD ‘DisabledByDefault’ and assign it the value of ‘1’.

How it should now look

Now right click on the key named ‘Server’. Create a new DWORD called ‘Enabled’ and set it to a value of ‘0’, as pictured below.

Creating a new DWORD in ‘Server’

Apply these changes to both the SSLv3.0 and TLS v1.0 subkeys. For the changes to take effect, you now need to restart the server. When we run another scan against the host, you can now see that the server no longer supports SSLv3 or TLS v1.0.

SSLv3 and TLS v1.0 no longer supported and removed from the finding results
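
The same registry changes can be scripted so they are repeatable across servers and easy to check before a retest. The following PowerShell is an added example, not part of the original walkthrough; it sets only the values described in the steps above, and the variable names and report columns are my own. It assumes an elevated PowerShell 3.0 or later session.

```powershell
# Added example: applies the SCHANNEL values from the walkthrough and reports
# what was there before. Run elevated; a restart is still required afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Values exactly as set in the steps above:
#   <protocol>\Client\DisabledByDefault = 1
#   <protocol>\Server\Enabled           = 0
$settings = @(
    @{ Role = 'Client'; Name = 'DisabledByDefault'; Value = 1 },
    @{ Role = 'Server'; Name = 'Enabled';           Value = 0 }
)

$report = foreach ($protocol in 'SSL 3.0', 'TLS 1.0') {
    foreach ($s in $settings) {
        $key = Join-Path (Join-Path $base $protocol) $s.Role

        # Create the protocol and role keys only if missing, so existing
        # values under them are left alone.
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # Record the previous value ($null means the DWORD did not exist).
        $before = (Get-ItemProperty -LiteralPath $key -Name $s.Name `
                   -ErrorAction SilentlyContinue).($s.Name)

        New-ItemProperty -LiteralPath $key -Name $s.Name -Value $s.Value `
            -PropertyType DWord -Force | Out-Null

        # Read the value back rather than trusting the write.
        $after = (Get-ItemProperty -LiteralPath $key -Name $s.Name).($s.Name)

        [pscustomobject]@{
            Protocol = $protocol
            Role     = $s.Role
            Name     = $s.Name
            Before   = $before
            After    = $after
            Changed  = ($before -ne $after)
        }
    }
}

$report | Format-Table -AutoSize

if ($report.Changed -contains $true) {
    Write-Warning 'Values changed. Restart the server for them to take effect.'
}
```

Running the script a second time should show `Changed` as `False` on every row, which is a quick way to confirm a server already has the settings in place.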