Harden Windows Server

June 10, 2016

These are some steps you can take to harden the TLS configuration of a Windows Server: disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and the RC4 cipher in Schannel.

Disabling SSL 3.0 addresses the POODLE vulnerability. While you are in the registry, disable SSL 2.0, TLS 1.0 and TLS 1.1 as well, and confirm that TLS 1.2 is supported and enabled, since it is the only protocol that will be left afterwards.

POODLE Vulnerability CVE-2014-3566
The SSL 3.0 protocol was shown in October 2014 to have a design error in its CBC padding handling that an attacker positioned as a man-in-the-middle can exploit: after forcing a connection to downgrade to SSL 3.0, the attacker can use the server as a padding oracle to decrypt parts of the traffic, such as session cookies. Administrators are encouraged to completely disable SSL 3.0 on their servers, which eliminates the potential for a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

In Windows Server 2003 through 2012 R2 the SSL / TLS protocols used by Schannel are controlled by flags in the registry. Each protocol has a "Server" subkey (inbound connections) and a "Client" subkey (outbound connections the server itself makes). To disable SSLv3 for inbound connections, create a registry subkey named "SSL 3.0" at

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols

Next create a subkey under “SSL 3.0” named “Server”. The full path at this time will be

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server

Finally create a DWORD value named "Enabled" and set its value to 0. Schannel reads these keys at startup, so reboot the server for the change to take effect.

Disable SSL 2.0, TLS 1.0 and TLS 1.1 by following the same steps. Two caveats before you do: TLS 1.2 must be supported and enabled on the server, or there will be no protocol left to negotiate (Windows Server 2003 has no TLS 1.1 / 1.2 support at all, so do not go beyond SSL 3.0 there), and any client that cannot speak TLS 1.2 will stop connecting. If you also want the server's own outbound connections to stop using these protocols, repeat the steps under the "Client" subkey of each protocol.

Disable RC4 Cipher

The RC4 cipher suites are controlled by keys under SCHANNEL\Ciphers. Note that "RC4 128/128" governs the 128-bit RC4 suites (for example TLS_RSA_WITH_RC4_128_SHA) that these Windows versions enable by default; disabling only the 40-, 56- and 64-bit variants leaves RC4 in use. Create each of the following keys and set "Enabled" to 0 (the lines are in .reg file format, so they can be imported with regedit):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
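The protocol and cipher steps above, gathered into one PowerShell script. This is an added example and not code from the original post; it assumes Windows PowerShell 3.0 or later on a server that supports TLS 1.2. It creates the Server and Client subkeys for each legacy protocol with Enabled=0 and DisabledByDefault=1, explicitly keeps TLS 1.2 on, and disables all four RC4 keys. The cipher keys are created through the .NET registry API because their names contain a forward slash, which the PowerShell registry provider treats as a path separator. The function names (Set-SchannelProtocol, Get-SchannelState) are this example's own.

```powershell
# Added example (not from the original post): apply the Schannel registry changes
# with PowerShell. Run from an elevated prompt and reboot afterwards, since Schannel
# reads these keys at startup.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enable)
    # Each protocol has a Server subkey (inbound) and a Client subkey (outbound).
    # Enabled=0 switches the protocol off; DisabledByDefault=1 additionally keeps it
    # off for callers that do not request a specific protocol list.
    foreach ($side in 'Server', 'Client') {
        $key = "$schannel\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Legacy protocols off; TLS 1.2 explicitly on so something is left to negotiate.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol $proto $false }
Set-SchannelProtocol 'TLS 1.2' $true

# RC4: the key names contain "/", which the PowerShell registry provider treats as a
# path separator (New-Item would create "RC4 128" with a child key "128"). The .NET
# registry API takes the name literally. "RC4 128/128" is the one the default suites use.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
foreach ($rc4 in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
    $sub = $ciphers.CreateSubKey($rc4)
    $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}
$ciphers.Close()

# Read back what is now configured so the change can be checked before rebooting.
function Get-SchannelState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $p = Get-ItemProperty -Path "$schannel\Protocols\$proto\$side"
            [pscustomobject]@{ Item = $proto; Side = $side; Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault }
        }
    }
    $c = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    foreach ($name in ($c.GetSubKeyNames() | Where-Object { $_ -like 'RC4*' })) {
        $k = $c.OpenSubKey($name)
        [pscustomobject]@{ Item = $name; Side = 'Cipher'; Enabled = $k.GetValue('Enabled'); DisabledByDefault = $null }
        $k.Close()
    }
    $c.Close()
}

Get-SchannelState | Format-Table -AutoSize
```

After the reboot, verify from another host that SSL 3.0 and TLS 1.0 handshakes are refused and that a TLS 1.2 handshake still succeeds; the read-back only proves the registry is set, not that clients can still connect.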

RDP may stop working after TLS 1.0 is disabled, because on these versions the Remote Desktop security layer negotiates TLS 1.0. The workaround is to open Remote Desktop Session Host Configuration, and under Configuration for server – Connections – right click RDP-Tcp and change the Security layer to "RDP Security Layer". Be aware that this falls back to the legacy RDP encryption with no TLS server authentication and cannot be combined with Network Level Authentication. Where possible, prefer installing the update that adds TLS 1.1 / 1.2 support to Remote Desktop Services (KB3080079 for Windows Server 2008 R2; Windows Server 2012 R2 supports it natively) and keeping the security layer on SSL.
