6

I have disabled the SSLv3 on Windows 2012 sever using the following method: http://blog.brankovucinec.com/2014/11/13/disable-the-sslv3-protocol-on-microsoft-windows-servers/

Around the same thing is here too https://support.microsoft.com/en-us/kb/187498/

But when I tested it via Internet explorer (setting the advance setting to only use SSL 3) and I can still access it over https. Is there something I am missing?

progrAmmar
  • 171
  • 2
  • 2
  • 6
  • 2
    Any time I want to change these settings on an Exchange or web server I like to use IIS Crypto you can find it [here](https://www.nartac.com/Products/IISCrypto/). – David V May 18 '15 at 02:45
  • Will it work to disable SSLv3? – progrAmmar May 19 '15 at 07:06
  • 1
    It will but a few caveats you should be aware of. SSL2/3 are enabled by default, and until server 2012 TLS was not enabled by default. Also the web server will need to be restarted as it loads the protocols it's configured to on boot. – David V May 19 '15 at 11:56

1 Answers1

3

From your posting it looks like you wish to disable SSL 3.0 on a IIS webserver. If that is the case you are totally right with your links and the following registry key should disable it:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

Keep noted this will disable only SSL 3.0 for server components. If you wish to disable as well SSL 3.0 for the build in server IE browser you need to use:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
“DisabledByDefault”=dword:00000001

After you disabled SSL 3.0 for the server you need to restart the whole Windows 2012 Server after that. Additional keep noted that if you use some 3rd party Software on the Windows 2012 server which do not use the MS Schannel implementation (e.g. an Apache server) then you couldn´t control SSL 3.0 via the Microsoft registry key. So if this isn´t working for you it might be that the HTTPS webservice which still allows you to use via SSL 3.0 is not an IIS.

By the way a better option to check if SSL 3.0 is disabled (instead of using a browser) is using nMAP. You can find here a small tutorial how to use nMAP.

BastianW
  • 2,848
  • 4
  • 19
  • 34