Batch Files – Disable SSL 2.0 and Harden IIS Security in IIS7

SSL2 is not disabled by default in IIS7, which ships with Windows Server 2008. This means you are going to fail that PCI security scan. Not a big deal, as it’s relatively easy to fix with the following script.

This is, of course, a “use at your own risk” script, and I highly recommend backing up your registry first.

Before running the script, I first want to verify that SSL2 is actually enabled. I’ll use OpenSSL for this: browse to “C:\Program Files\GNUWin32\bin” and run the following command (replace “servername” with the host being tested; the same arguments can also be typed at the interactive “OpenSSL>” prompt).

    openssl s_client -connect servername:443 -cipher LOW:EXP

Basically, if it connects and displays certificate information, then SSL2 is enabled. Once the server is properly configured, you will instead get one of the following:

    CONNECTED<00000003>
    Write:errno=113

Or

    CONNECTED<00000003>
    1324:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:

On to the fix…

    @ECHO OFF
    REM ~~~ This Batch File Will disable SSL 2.0 ~~~
    ECHO This batch file will disable SSL 2.0, PCT 1.0 and weak SCHANNEL ciphers. Press Ctrl+C to abort.
    pause
    REM Back up the current protocol settings; restore them later with: reg import c:\restoreSSL.reg
    REM Note: this export covers the Protocols key only, not the Ciphers key changed below.
    REG EXPORT "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols" c:\restoreSSL.reg
    REM Disable the obsolete SSL 2.0 and PCT 1.0 protocols on the server side
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /V Enabled /t REG_DWORD /d "0" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server" /V Enabled /t REG_DWORD /d "0" /f
    REM Disable weak, export-grade and NULL ciphers
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /V Enabled /t REG_DWORD /d "0" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /V Enabled /t REG_DWORD /d "0" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /V Enabled /t REG_DWORD /d "0" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /V Enabled /t REG_DWORD /d "0" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /V Enabled /t REG_DWORD /d "0" /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /V Enabled /t REG_DWORD /d "0" /f
    REM Restart IIS so the new SCHANNEL settings take effect
    IISRESET

Now that you have hardened the server, you are ready to reboot and re-test, either with the OpenSSL command above or by simply going to this site.

http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm
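As a registry-side complement to the OpenSSL test, here is an added audit script (my own, not part of the original post) that reads back every SCHANNEL key the batch file touches and reports whether it is disabled, explicitly enabled, or not set at all. It assumes the same key names as the batch file and an elevated PowerShell prompt on the IIS server; "Check-SchannelKey" and "$targets" are names I made up for this example.

```powershell
# Added audit script (not from the original post): reports the state of the
# SCHANNEL protocol and cipher keys that the batch file above sets to Enabled=0.
# Run from an elevated PowerShell prompt on the IIS server.

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Sub-keys the batch file changes (same names as in the script above).
$targets = @(
    'Protocols\SSL 2.0\Server',
    'Protocols\PCT 1.0\Server',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128'
)

function Check-SchannelKey {
    param([string]$SubKey)
    # The .NET registry API is used instead of an HKLM:\ path on purpose: the
    # PowerShell registry provider treats the "/" in names like "RC4 56/128"
    # as a path separator and cannot open those cipher keys.
    $key = $hklm.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return 'NOT SET (key missing; OS default applies)' }
    try {
        $enabled = $key.GetValue('Enabled')
        if ($null -eq $enabled) { return 'NOT SET (no Enabled value; OS default applies)' }
        if ($enabled -eq 0)     { return 'DISABLED' }
        # Any non-zero DWORD (commonly 0xFFFFFFFF) means enabled.
        return ('ENABLED (Enabled=0x{0})' -f $enabled.ToString('x'))
    } finally {
        $key.Close()
    }
}

$needsAttention = 0
foreach ($t in $targets) {
    $state = Check-SchannelKey $t
    if ($state -ne 'DISABLED') { $needsAttention++ }
    '{0,-26} {1}' -f $t, $state
}
# Non-zero exit code when anything is still enabled or left at the OS default,
# so the script can be dropped into a scheduled compliance check.
"$needsAttention of $($targets.Count) keys are not explicitly disabled."
exit $needsAttention
```

Keys reported as NOT SET fall back to the operating system default, which on Windows Server 2008 leaves SSL 2.0 enabled, so treat them the same as ENABLED until the batch file has been run and the server rebooted.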