Friday, 20 February 2009

Disable SSLv2 in IIS 6 for PCI Compliance

Anyone working on PCI Compliance will know the restrictions placed on IIS. The recommendations are only common sense but remarkably few companies have implemented them.

SSLv2
SSLv2 has always been full of holes and there is now very little need for it to be enabled on any server. Almost no clients require it and if it is enabled it is potentially a serious security problem.

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server


Full details on disabling SSLv2 can be found in the following MS knowledge base article:
http://support.microsoft.com/kb/187498

Cryptographic Algorithms
If the scan for PCI compliance has picked up SSLv2 then it will almost certainly have warned about a number of weak algorithms as well (http://support.microsoft.com/kb/245030).

The following ciphers need to be disabled to ensure the only cipher algorithms available are 128 bit or stronger:
RC4 64/128
RC4 56/128
RC2 56/128
RC2 56/56
RC4 40/128
RC2 40/128

To disable a cipher:

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

  • Select the key for the cipher you wish to disable

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server


It is also worth considering disabling the MD5 hash as well, although be very careful that it is definitely not in use!

To disable MD5:

  • Open Registry Editor.

  • Select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5

  • Select the MD5 key (this is a hash algorithm, not a cipher, hence the Hashes branch rather than Ciphers)

  • On the Edit menu select New then DWORD Value

  • Name the new value Enabled

  • Ensure the value is set to 0

  • Restart the server
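The three procedures above are the same registry change applied to different keys: create the key if it is missing, add a DWORD named Enabled and set it to 0. The script below is an added example, not part of the original post, that performs and audits all of them from PowerShell. It assumes an elevated PowerShell session on the IIS host and uses the .NET Microsoft.Win32.Registry API rather than the HKLM: provider, because several of the cipher key names (for example RC4 40/128) contain a forward slash, which the PowerShell registry provider treats as a path separator. By default it only reports the current state; -Apply writes the values, and -IncludeMD5 adds the optional MD5 hash, which the post warns should only be disabled once you are sure nothing depends on it. A restart is still needed afterwards for SCHANNEL to pick the changes up.

```powershell
# Added example: disable SSLv2, the weak ciphers and optionally MD5 in SCHANNEL
# by setting Enabled = 0 (REG_DWORD) under each key, exactly as the post describes.
# Default mode is audit-only; -Apply makes the change. Run from an elevated session.
param(
    [switch]$Apply,
    [switch]$IncludeMD5
)

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Relative paths (under SCHANNEL) of every item the post says to disable.
$itemsToDisable = @(
    'Protocols\SSL 2.0\Server',
    'Ciphers\RC4 64/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC2 56/56',
    'Ciphers\RC4 40/128',
    'Ciphers\RC2 40/128'
)
if ($IncludeMD5) { $itemsToDisable += 'Hashes\MD5' }

function Get-SchannelItemState {
    # Reports whether the Enabled value exists and what it says, without changing anything.
    param([Parameter(Mandatory)][string]$RelativePath)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$RelativePath")
    if ($null -eq $key) { return 'absent (Windows default applies)' }
    try {
        $value = $key.GetValue('Enabled')
        if ($null -eq $value) { return 'key present, Enabled not set (Windows default applies)' }
        if ($value -eq 0)     { return 'disabled (Enabled = 0)' }
        return "enabled (Enabled = $value)"
    } finally {
        $key.Close()
    }
}

function Disable-SchannelItem {
    # Creates the key (and any missing parents) and writes Enabled = 0 as a DWORD.
    # CreateSubKey works with "/" in the leaf name; the HKLM: provider does not.
    param([Parameter(Mandatory)][string]$RelativePath)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$RelativePath")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

Write-Output 'Current SCHANNEL state:'
foreach ($item in $itemsToDisable) {
    Write-Output ('  {0,-28} {1}' -f $item, (Get-SchannelItemState -RelativePath $item))
}

if ($Apply) {
    foreach ($item in $itemsToDisable) {
        Disable-SchannelItem -RelativePath $item
        Write-Output ('  set {0,-24} -> {1}' -f $item, (Get-SchannelItemState -RelativePath $item))
    }
    Write-Output 'Done. Restart the server for SCHANNEL to pick up the new settings.'
} else {
    Write-Output 'Audit only. Re-run with -Apply (and optionally -IncludeMD5) to write the values.'
}
```

Run it once without switches to see which of the keys already exist, then with -Apply, and re-run the audit after the reboot to confirm the values survived. Keeping the audit and the change in the same script makes it easy to attach the before and after output to the PCI evidence for the scan finding.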
