SSLv2 is an obsolete protocol with known design weaknesses (among them a weak record MAC and no integrity protection of the handshake), so you may need to disable it on a domain controller to force secure LDAP (LDAPS, TCP 636) clients to negotiate SSLv3 or TLSv1 instead. The article What is the Point of Encryption if you Don't Know Who For? offers a description and comparison of SSLv2, SSLv3, and TLSv1 (see the section SSLv2 versus SSLv3/TLSv1 and Assurance Level).
To disable SSLv2 on a Windows Server 2008 or Windows Server 2008 R2 domain controller perform the following steps:
1. Open the registry (regedit.exe) and create a key named Server under the following entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
2. Under the Server key, create a DWORD (32-bit) value named Enabled and set its value data to 0 (displayed as 00000000). An Enabled value of 0 turns the protocol off for the server side of Schannel; KB 245030 also describes a DWORD named DisabledByDefault, which when set to 1 prevents the protocol from being selected unless an application explicitly requests it. Setting both is the safest choice, and a Client subkey with the same values disables SSLv2 for outbound connections from the domain controller as well.
3. Reboot. Schannel reads these values at startup, so the change does not take effect until the domain controller has been restarted.
For more information see KB 245030: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll. Any application that connects to the domain controller using only SSL v2.0 will fail to connect after the change, so inventory such clients first. You can use a network monitoring tool to analyze traffic on the LDAPS port and confirm whether any client hellos still use SSL v2.0, and a vulnerability scanner or an explicit per-protocol handshake test against the domain controller will confirm that the server side no longer accepts it.
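The following PowerShell script is an added example, not code from the original article or from Microsoft. It automates the registry procedure above for both the Server and Client sides of a protocol, reads the values back for an audit, and probes an LDAPS endpoint with each SSL/TLS version to show what the domain controller still accepts. The registry path is the standard Schannel path cited in the article; the function names, the audit object layout and the probe are the author's own assumptions about how to verify the change. Because the function takes the protocol name as a parameter, it also disables SSL 3.0 (itself deprecated by RFC 7568), which goes beyond the SSLv2 case the article covers.

```powershell
# Added example: disable and audit Schannel protocols, then probe a DC's LDAPS port.
# Assumption: the standard Schannel registry layout documented in KB 245030.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,        # e.g. 'SSL 2.0' or 'SSL 3.0'
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 switches the protocol off; DisabledByDefault = 1 keeps it from
        # being selected unless an application asks for it explicitly (KB 245030).
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [string[]]$Side = @('Server', 'Client')
    )
    foreach ($s in $Side) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        # A missing key or value means the OS default applies, which for SSL 2.0 on
        # Windows Server 2008 / 2008 R2 is "enabled" (the state the comments below report).
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $s
            Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'not set (OS default)' }
            DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'not set (OS default)' }
            Disabled          = [bool]($props -and $props.Enabled -eq 0)
        }
    }
}

function Test-SchannelServerProtocols {
    # Attempt one handshake per protocol version against an LDAPS port and report
    # which versions the server negotiates. Probe logic is an assumption of this
    # example; run it from a machine whose own client-side protocols are enabled.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636,
        [string[]]$Protocols = @('Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    foreach ($p in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = 'not negotiated'
        try {
            $client.Connect($ComputerName, $Port)
            # Accept any server certificate: we are probing protocol support, not trust.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($ComputerName, $null, [System.Security.Authentication.SslProtocols]$p, $false)
            $result = "negotiated $($ssl.SslProtocol)"
            $ssl.Dispose()
        } catch {
            $result = "refused: $($_.Exception.GetBaseException().Message)"
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Protocol = $p; Result = $result }
    }
}

# Usage (run elevated on each domain controller, then reboot it):
#   Disable-SchannelProtocol -Protocol 'SSL 2.0'
#   Get-SchannelProtocolState -Protocol 'SSL 2.0' | Format-Table -AutoSize
# After the reboot, from another host (dc01.example.local is a placeholder name):
#   Test-SchannelServerProtocols -ComputerName 'dc01.example.local' | Format-Table -AutoSize
```

A "refused" result for Ssl2 after the reboot confirms the server-side change; a "refused" result for every version indicates a connectivity or certificate problem on the probing host rather than a protocol restriction, so check that TCP 636 is reachable before drawing conclusions. Because the client side of Schannel is also honoured during the probe, a Windows host that already has SSL 2.0 disabled locally will report Ssl2 as refused regardless of the server's settings.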
This article was derived from the DS forum post, Is it possible to disable SSLv2 on a Windows 2008 domain controller so that secure LDAP communication is forced to use SSLv3 or TLSv1? (http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04).
What is the difference between SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\DisabledByDefault and SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\Enabled? Which is the proper entry to use for Win2K8 R2?
Greetings, creating a DWORD value called "DisabledByDefault" and setting the data to dword:00000001 is the way to go on WIN08 R2.
If you go by this article, after completing the steps and rebooting the problem server (WIN08 R2), SSLv2 will still come up on the security scan as "enabled".
Cheers,
ocd
The link to "What's the point of encryption if you don't know who for" (www.quotezuki.com/.../3301) is dead. Possible new candidate for the link (PDF with contents of article): www.instantssl.com/.../encryption.pdf
It would be nice if this can be scripted, especially if you have quite a few servers to go through this process manually. I am sure someone would say create a .reg file and use it to update the registry. :)
Maybe add:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v DisabledByDefault /d 1 /f
as suggested by ocd above.
Sorry, my first post seemed to be lost.
Execute all of the 3 lines to be on the secure side:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /ve /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v Enabled /d 0 /f
Everyone, thanks for providing valuable comments. Please feel free to edit the Wiki article directly when you see the need for improvements, additional information, bad links, etc. The Wiki is a collaborative vehicle designed for direct community edits. The more edits, the better! :-)
You could also utilize Group Policy Preferences to add the needed keys; then you do not have to worry about re-running the commands when you add additional domain controllers. I would check the addition of the registry keys on new-OS domain controllers (e.g., Windows 2012).
I would recommend using Group Policy Preferences with a target of the Domain Controllers security group for the registry addition, to ensure that the keys that are added can be tracked by later admins and that new domain controllers that come online will also be set to disable SSLv2.