53

How do I patch CVE-2014-3566 on a Windows Server 2012 system running IIS?

Is there a patch in Windows Update, or do I have to do a registry change to disable SSL 3.0?

Eric Lathrop

  • There is a **Microsoft Fix it 50495** on the MS KB page you linked to. – MattBianco Oct 16 '14 at 07:59
  • I tried running Fix it 50495 on Windows 2008, and it failed with error "This Microsoft Fix it does not apply to your operating system or application version." Oh well. – Josh Oct 20 '14 at 15:34

8 Answers

58

There is no "patch". It's a vulnerability in the protocol, not a bug in the implementation.

In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.

To disable SSLv3, which the POODLE vulnerability is concerned with, create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server) create a DWORD value named Enabled and leave it set at 0.

Disabling SSL 2.0, which you should also be doing, is done the same way, except that you'll be using a key named SSL 2.0 in the above registry path.

I haven't tested all versions, but I think it's probably safe to assume that a reboot is necessary for this change to take effect.

Evan Anderson

  • Reboot not necessary on Windows Server 2012 at least. You can verify before and after at http://poodlebleed.com/ by entering your URL and 443 for SSL port – Simon Oct 31 '14 at 00:49
  • Thanks, do you know if I should disable PCT as well, since it's allegedly disabled by default and yet not disabled in this way? – Mark Broadhurst Nov 04 '14 at 11:52
  • @Simon, is there something else you have to do to get the changes to take effect? I just made the registry updates on a Server 2012 machine, but it's still getting reported that SSL3 is enabled. – Abe Miessler Dec 18 '14 at 17:37
  • I don't believe so. I'm assuming you're using IIS and my Apache and you checked using that website. And you're sure you have the exact right registry key? – Simon Dec 18 '14 at 17:39
  • * NOT Apache (I don't know where 'my Apache' came from!) – Simon Dec 20 '14 at 01:08
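An added check, written for this page and not taken from Evan's answer or any other post here, for the "it still reports SSL3 enabled" problem in the comments: it asks the server for an SSL 3.0 handshake through .NET's SslStream and reports whether the server accepted it. The hostname and port are placeholders; it assumes Windows PowerShell on the .NET Framework, where SslProtocols::Ssl3 can still be selected.

```powershell
# Added example (not from any answer on this page): probe a server for SSL 3.0 support
# after changing the Schannel registry keys, so the result reflects the live configuration.
function Test-Ssl3Handshake {
    param([string]$TargetHost = 'localhost', [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # A TCP connection failure is a different problem from "SSL 3.0 rejected" and is
        # deliberately not caught below, so it surfaces as an error.
        $tcp.Connect($TargetHost, $Port)
        # Accept any certificate: this tests protocol support, not certificate trust.
        $cb = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        # Offer only SSL 3.0; a hardened server must refuse this handshake.
        $ssl.AuthenticateAsClient($TargetHost, $null,
            [System.Security.Authentication.SslProtocols]::Ssl3, $false)
        [pscustomobject]@{
            Host = $TargetHost; Port = $Port
            Ssl3Accepted = $true; Negotiated = $ssl.SslProtocol; Reason = $null
        }
    } catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
        # Schannel reports a refused protocol as an authentication or I/O failure.
        [pscustomobject]@{
            Host = $TargetHost; Port = $Port
            Ssl3Accepted = $false; Negotiated = $null; Reason = $_.Exception.Message
        }
    } finally {
        $tcp.Close()
    }
}

# Placeholder target; Ssl3Accepted = $false is the result you want after the registry change.
Test-Ssl3Handshake -TargetHost 'www.example.internal' -Port 443 | Format-List
```

Run it from a machine whose own Schannel client side still allows SSL 3.0; if the client has SSL 3.0 disabled the handshake fails locally and the server looks disabled whether or not it is.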
24

Just for ease of installation I derived this "disable ssl 2 and 3.reg" file from Evan's answer above:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Eric Lathrop
12

PowerShell to disable SSL2 and SSL3:

2..3 | %{ New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL $_.0\Server" -Name Enabled -PropertyType "DWORD" -Value 0 -Force }
Vasili Syrakis

  • Unfortunately the above only works if the registry subkeys are already present. Would be nice to see PS that can create them if they don't exist or update them if they do. – Jaans Oct 19 '14 at 23:50
  • Are you sure? Mine creates them for me. It might differ on lower versions of PowerShell and Windows (I'm using v2 on Server 2008 R2) – Vasili Syrakis Oct 19 '14 at 23:51
  • Yup... see screenshot uploaded to: http://i.imgur.com/rctFH4D.png Using PS 3.0 and WSMan 3.0. – Jaans Oct 19 '14 at 23:54
9

There is a free utility from Nartac that you can use to disable the protocols.

https://www.nartac.com/Products/IISCrypto/Default.aspx

DrundoSoft
8

Here's a PowerShell script that will test for the presence of the registry keys, create them if needed, and then enter the necessary values to disable SSL 2.0 and SSL 3.0.

$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'

# SSL 2.0: create the protocol key and its Server subkey if they are missing,
# then mark the protocol disabled (Enabled=0) and not offered by default (DisabledByDefault=1).
If (!(Test-Path -Path $regPath1)) {
    New-Item -Path $regPath1 -Force
}
If (!(Test-Path -Path $regPath2)) {
    New-Item -Path $regPath2 -Force
}
New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value 1 -Force
New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value 0 -Force

# SSL 3.0: same treatment.
If (!(Test-Path -Path $regPath3)) {
    New-Item -Path $regPath3 -Force
}
If (!(Test-Path -Path $regPath4)) {
    New-Item -Path $regPath4 -Force
}
New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value 1 -Force
New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value 0 -Force

This can be deployed using SCCM or command line - just be sure to run the SCCM job or command line as Administrator. Some websites with the registry information indicate that a reboot is required after the registry keys are created and/or modified.

Kazi
4

Or grab a copy of IISCrypto and click the best practices button, then uncheck SSL 3.0 and then apply, then reboot.

Tom
3

You don't have to disable SSL3. You can enable SSL3 and have POODLE mitigated.

# Copy and paste this in PowerShell then restart your server
$cipherSuitesOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384'
)
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
# PowerShell continues a line with a backtick, not a backslash; the policy key is
# created first so New-ItemProperty does not fail on a machine where it is absent.
$sslPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $sslPolicyKey -Force | Out-Null
New-ItemProperty -Path $sslPolicyKey -Name 'Functions' -Value $cipherSuitesAsString `
    -PropertyType 'String' -Force | Out-Null

With these settings you would still have IE6 support (with SSLv3 using RC4) and have a more than acceptable configuration security-wise. Only IE6 and really old clients would be using SSLv3 or RC4 ciphers.

3

There's a good PowerShell script that helps with IIS 7.5 & 8 configuration:

This PowerShell script sets up your Microsoft Internet Information Server 7.5 and 8.0 (IIS) to support the TLS 1.1 and TLS 1.2 protocols with forward secrecy. Additionally it increases the security of your SSL connections by disabling insecure SSL2 and SSL3 and all insecure and weak ciphers that a browser may fall back to. This script implements the current best practice rules.

https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12

David Thomas

  • Hmm, not sure why this was downvoted. I used that utility myself and it works perfectly. – David Thomas May 28 '15 at 07:18
  • This looks good but [at least one guy](https://serverfault.com/questions/660338/rdp-down-on-windows-server-what-to-do) has had problems after running it - don't know if it's isolated; I've seen other people say it's great. – Mark Oct 08 '15 at 22:20