I was tasked with securing one of our internet-facing web servers against the POODLE SSL vulnerability and the weaker, older SSL protocols. After many searches online, I finally wrote a script to run against our Windows Server 2008 R2 box to disable those protocols in IIS via the registry. The following is a simple script you can run to change the SCHANNEL protocol settings and make your server secure.
FIRST and most important, back up the registry hive that you will be changing. << You have been warned! Do this by going to the following hive, right-clicking it and exporting the hive:
HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
Then simply run this script and reboot your server:
##################################
#
# Author: Ed Rockwell
#
# This script modifies SSL to remove old ciphers and enables TLS 1.2 on Windows Server 2008 R2 and Windows 7
# To test and pass Qualys scanning:
# https://www.ssllabs.com/ssltest/analyze.html?d=www.yourdomain.com << Change this to whatever site you want to test
#
# Disables SSL 3.0 - Creates keys - These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"

# Disables SSL 3.0 - Creates DWORDs - for client and server SCHANNEL communications
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -Name "Enabled" -Value 0 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" -Name "DisabledByDefault" -Value 1 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" -Name "Enabled" -Value 0 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" -Name "DisabledByDefault" -Value 1 -PropertyType "DWord"

# Disables SSL 2.0 - Creates keys - This key does not exist so it needs to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"

# Disables SSL 2.0 for client and server SCHANNEL communications
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Name "Enabled" -Value 0 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" -Name "DisabledByDefault" -Value 1 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" -Name "Enabled" -Value 0 -PropertyType "DWord"
# This value is already there by default on 2008 R2, so it is left commented out:
# New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" -Name "DisabledByDefault" -Value 1 -PropertyType "DWord"

# Enables TLS 1.2 on Windows Server 2008 R2 and Windows 7
# These keys do not exist so they need to be created prior to setting values.
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"

# Enables TLS 1.2 for client and server SCHANNEL communications
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -Value 1 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "Enabled" -Value 1 -PropertyType "DWord"
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -Name "DisabledByDefault" -Value 0 -PropertyType "DWord"
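To confirm the registry change took before and after the reboot, here is an added audit script (mine, not part of the original post) that reads back the SCHANNEL protocol keys and reports how SCHANNEL will interpret them; it assumes PowerShell 2.0 as shipped on Server 2008 R2, and it also reads TLS 1.0/1.1, which the script above does not touch, so the whole protocol picture is visible.

```powershell
# Added audit example (not from the original post). Run in an elevated PowerShell.
# Reads Enabled / DisabledByDefault under each protocol\side key and derives the
# effective state the way SCHANNEL does: Enabled=0 switches the protocol off
# outright; otherwise DisabledByDefault=1 leaves it off unless an application
# explicitly asks for it; no keys at all means the OS default applies.
$SchannelBase = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $SchannelBase "$Protocol\$Side"
    $enabled = $null; $disabledByDefault = $null
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $enabled = $props.Enabled                    # $null when the value is absent
        $disabledByDefault = $props.DisabledByDefault
    }
    if ($enabled -ne $null -and $enabled -eq 0) { $state = "Disabled" }
    elseif ($disabledByDefault -eq 1)           { $state = "DisabledByDefault" }
    elseif ($enabled -ne $null)                 { $state = "Enabled" }
    else                                        { $state = "OS default (no keys)" }
    New-Object PSObject -Property @{
        Protocol = $Protocol; Side = $Side
        Enabled = $enabled; DisabledByDefault = $disabledByDefault; State = $state
    }
}

# Protocol list is an assumption: the hardening script only writes SSL 2.0,
# SSL 3.0 and TLS 1.2, but the intermediate TLS versions are reported as well.
$results = @()
foreach ($p in "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2") {
    foreach ($s in "Server", "Client") { $results += Get-SchannelProtocolState $p $s }
}
$results | Select-Object Protocol, Side, Enabled, DisabledByDefault, State | Format-Table -AutoSize

# Warn where the server-side outcome does not match what the hardening script intends.
foreach ($r in ($results | Where-Object { $_.Side -eq "Server" })) {
    if ($r.Protocol -like "SSL*" -and $r.State -ne "Disabled") {
        Write-Warning ("{0} ({1}) is not explicitly disabled" -f $r.Protocol, $r.Side)
    }
    if ($r.Protocol -eq "TLS 1.2" -and $r.State -ne "Enabled") {
        Write-Warning "TLS 1.2 (Server) is not explicitly enabled"
    }
}
```

The Client rows matter too: those keys govern outbound TLS from the server itself, so disabling SSL 3.0 on the Client side can break connections to any legacy backend that still requires it.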