Audit and disable SSLv2 connections on your domain controllers

Envoyer Imprimer PDF

SSLv2 is considered as a weak cipher since a long time now but it still enabled by default on your domain controllers.

To disable it, you just have to set the following registry key value (http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030) :

  • Path : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
  • Name : Enabled
  • Type : REG_DWORD
  • Data : 0

 

But, before you disable this cipher, you have to be sure that it’s not used anymore … The best way to do the job, is to activate the verbose of the SCHANNEL.

Set the following registry key :

  • Path : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging
  • Name : EventLogging
  • Type : REG_DWORD
  • Data : 4

 

When it’s done, you should received some new events in your System log, with source « Schannel » and event Id « 36880 ».

The message contains the type of cipher used.

In this first example, TLS 1.0 is used.

 

In this second example, SSL 2.0 is used.

 

You just have to audit during a few days the cipher activities on your domain controller then disable the cipher and the schannel verbose mode.

Mise à jour le Dimanche, 05 Octobre 2014 21:12