Harden Windows Server

These are some steps you can take harden a Windows Server. Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and RC4 cipher.

Disabling SSL 3.0 will address the Poodle vulnerability, in addition to that you should also disable SSL 2.0, TLS 1.0 and TLS 1.1.

POODLE Vulnerability CVE-2014-3566
The SSL 3.0 protocol was recently shown to have a design error, opening the possibility for man-in-the-middle attacks. Administrators are encouraged to completely disable the SSL 3.0 protocol from their servers, eliminating the potential for a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry. In order to disable SSLv3 you will need to create a registry subkey named “SSL 3.0” at


Next create a subkey under “SSL 3.0” named “Server”. The full path at this time will be

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server

Finally create a DWORD value named “Enabled” and set it’s value to 0.

Disable SSL 2.0, TLS 1.0 and TLS 1.1 by following the same steps as above.

Disable RC4 Cipher

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

RDP will not work after TLS 1 is disabled, to enable go to Remote Desktop Session Host Configuration. Under Configuraton for server – Connections – right click RDP-Tcp and change the Security layer to RDP Security Layer.

About Andrew Lin

Hi, I have always wanted to creat a blog site but never had the time. I have been working in Information Technology for over 15 years. I specialize mainly in networks and server technologies and dabble a little with the programming aspects. Andrew Lin

View all posts by Andrew Lin →