Jesper M. Christensen

SharePoint and Security

Remember to disable SSL 2.0 on Windows Server 2008 IIS 6/7


During a security scan of a newly created Microsoft SharePoint 2010 extranet we found that SSL 2.0 was enabled. The scanner's report came with this statement:

“The remote service accepts connections encrypted using SSL 2.0, which
reportedly suffers from several cryptographic flaws and has been
deprecated for several years. An attacker may be able to exploit
these issues to conduct man-in-the-middle attacks or decrypt
communications between the affected service and clients.”

Microsoft Windows Server 2008 still enables SSL 2.0 on the server side by default, presumably for backward compatibility with very old clients. For the moment the SharePoint Web Front End server sits directly behind a firewall, but it terminates the SSL connections itself, so the fix has to be applied on that server rather than on a load balancer or reverse proxy.

To correct this and make IIS negotiate only the stronger protocols (SSL 3.0 or TLS), we disabled SSL 2.0 in the SCHANNEL registry settings, as follows. (Note that SSL 3.0 was itself broken later by the POODLE attack, CVE-2014-3566, so in practice disable it the same way and leave only TLS enabled.)

  1. Open the Registry Editor (regedit).
  2. Locate the following registry key, creating it if it does not exist yet:
     
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  3. Under it, create a new key named Server.
  4. In Server, create a new DWORD (32-bit) value named Enabled and check that its data is the default 0x00000000 (0). A value of 0 switches the protocol off; if the value is absent, Windows falls back to its own default, which on Server 2008 is enabled.
  5. Restart the server. SCHANNEL does not pick up the change until the machine has been rebooted.
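The same change done from an elevated PowerShell prompt, with a read-back check, as an added example that is not part of the original post. It writes the Enabled value from the steps above and additionally sets DisabledByDefault, a documented SCHANNEL value that stops the protocol being offered unless an application asks for it explicitly; it also disables SSL 3.0 the same way, which goes beyond the post's SSL 2.0-only fix. The function and variable names are this example's own. It targets PowerShell 2.0 syntax so it runs on Windows Server 2008, and a reboot is still required afterwards.

```powershell
# Added example, not code from the original post. Run elevated on the
# SharePoint Web Front End server; reboot afterwards for SCHANNEL to apply it.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,          # e.g. 'SSL 2.0'
        [ValidateSet('Server','Client')][string[]]$Side = @('Server')
    )
    foreach ($s in $Side) {
        $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $s
        # The 'SSL 2.0' key and its Server subkey usually do not exist yet;
        # -Force creates the missing path without touching existing values.
        New-Item -Path $key -Force | Out-Null
        # Enabled = 0 switches the protocol off (the post's step 4);
        # DisabledByDefault = 1 keeps it from being offered unless an
        # application explicitly requests it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-SchannelProtocolDisabled {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,
        [string]$Side = 'Server'
    )
    $key = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
    # No key at all means Windows uses its built-in default, which for
    # SSL 2.0 on Server 2008 is "enabled", so report that as not disabled.
    if (-not (Test-Path $key)) { return $false }
    $values = Get-ItemProperty -Path $key
    return ($values.Enabled -eq 0)
}

Disable-SchannelProtocol -Protocol 'SSL 2.0'
# SSL 3.0 was broken by POODLE (CVE-2014-3566); switch it off as well and
# leave the TLS 1.x keys untouched so IIS keeps accepting TLS.
Disable-SchannelProtocol -Protocol 'SSL 3.0'

foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    '{0} server-side disabled in registry: {1}' -f $proto, (Test-SchannelProtocolDisabled -Protocol $proto)
}
'Reboot the server for the SCHANNEL change to take effect.'
```

After the reboot, re-run the external scan (or any TLS scanner that still offers an SSLv2 ClientHello) to confirm the server no longer accepts SSL 2.0; the registry check above only proves the setting was written, not that the running SCHANNEL has reloaded it.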

