Disable the SSLv3 Protocol on Microsoft Windows Servers

As more and more webservers on the internet are disabling SSLv3, because of the Poodlebleed Bug (OpenSSL Announcement, PDF), It is maybe time to disable it aswell in your on-premise environment. In this article I’ll show how to disable this protocol for Microsoft Windows Servers with a simple registry key.

Although SSL 3.0 is almost 15 years old, many servers and web browsers still use it today. When web browsers fail at connecting on a newer SSL version (i.e. TLS 1.0, 1.1, or 1.2), they may fall back to a SSL 3.0 connection. This is where the trouble begins.

Because a network attacker can cause connection failures, including the failure of TLS 1.0/1.1/1.2 connections, they can force the use of SSL 3.0 and then exploit the poodle bug in order to decrypt secure content transmitted between a server and a browser.

If you’re an Office 365 administrator of your organization, you probably have seen the announcement that Microsoft is disabling SSLv3 support starting from December 1, 2014.

111214_1353_DisabletheS1

You can check if your webserver is vulnerable for this bug with a form on this website: http://poodlebleed.com/. If you want more information, see Microsoft Security Advisory 3009008, here you can find also a description how to disable SSLv3 on client computers.

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:

Note If the complete registry key path does not exist, you can create it by expanding the available keys and using the New -> Key option from the Edit menu.

  1. On the Edit menu, click Add Value.
  2. In the Data Type list, click DWORD.
  3. In the Value Name box, type Enabled, and then click OK.

Note If this value is present, double-click the value to edit its current value.

  1. In the Edit DWORD (32-bit) Value dialog box, type 0 .
  2. Click OK. Restart the computer.

Note This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.

Note After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.