How do I patch CVE-2014-3566 on a Windows Server 2012 system running IIS?
Is there a patch in Windows Update, or do I have to do a registry change to disable SSL 3.0?
How do I patch CVE-2014-3566 on a Windows Server 2012 system running IIS?
Is there a patch in Windows Update, or do I have to do a registry change to disable SSL 3.0?
There is no "patch". It's a vulnerability in the protocol, not a bug in the implementation.
In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols
.
To disable SSLv3, which the POODLE vulnerability is concerned with, create a subkey at the above location (if it's not already present) named SSL 3.0
and, under that, a subkey named Server
(if it's not already present). At this location (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server
) create a DWORD value named Enabled
and leave it set at 0
.
Disabling SSL 2.0, which you should also be doing, is done the same way, except that you'll be using a key named SSL 2.0
in the above registry path.
I haven't tested all versions, but I think it's probably safe to assume that a reboot is necessary for this change to take effect.
Just for ease of installation I derived this "disable ssl 2 and 3.reg" file from Evan's answer above:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Powershell to disable SSL2 and SSL3:
2..3 | %{ New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL $_.0\Server" -Name Enabled -PropertyType "DWORD" -Value 0 -Force }
Here's a PowerShell that will test for the presence of the registry keys, create them if needed, and then enter the necessary values to disable SSL 2.0 and SSL 3.0
$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'
If(!(Test-Path -Path $regPath1))
{
New-Item -Path $regPath1 -Force
}
If(!(Test-Path $regPath2))
{
New-Item -Path $regPath2 -Force
}
New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value "0" -Force
If(!(Test-Path $regPath3))
{
New-Item -Path $regPath3 -Force
}
If(!(Test-Path $regPath4))
{
New-Item -Path $regPath4 -Force
}
New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value "0" -Force
This can be deployed using SCCM or command line - just be sure to run the SCCM job or command line as Administrator. Some websites with the registry information indicate that a reboot is required after the registry keys are created and/or modified.
Or grab a copy of IISCrypto and click the best practices button, then uncheck SSL 3.0 and then apply, then reboot
You don't have to disable SSL3. You can enable SSL3 and have POODLE mitigated.
# Copy and paste this in PowerShell then restart your server
$cipherSuitesOrder = @(
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
'TLS_RSA_WITH_AES_128_CBC_SHA256',
'TLS_RSA_WITH_AES_128_CBC_SHA',
'TLS_RSA_WITH_AES_256_CBC_SHA256',
'TLS_RSA_WITH_AES_256_CBC_SHA',
'TLS_RSA_WITH_RC4_128_SHA',
'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384'
)
$cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' \
-name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
With these settings you would still have IE6 support (with SSLv3 using RC4) and have a more than acceptable configuration security wise. Only IE6 and really old client would be using SSLv3 or RC4 ciphers.
There's a good PowerShell script that helps with IIS 7.5 & 8 configuration:
This PowerShell script setups your Microsoft Internet Information Server 7.5 and 8.0 (IIS) to support TLS 1.1 and TLS 1.2 protocol with Forward secrecy. Additionally it increases security of your SSL connections by disabling insecure SSL2 and SSL3 and and all insecure and weak ciphers that a browser may fall-back, too. This script implements the current best practice rules.
https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12