Server 2003 R2 / Exchange 2007/2010 PCI Compliance

posted Jul 18, 2012, 10:58 AM by Unknown user   [ updated Sep 6, 2012, 6:59 AM ]
You know it's time to update the security of your public-facing servers when exploits like BEAST and CRIME are out there. Here's how to edit the registry:

SCHANNEL Key
Start Registry Editor (Regedt32.exe), and locate the following key in the registry.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
SCHANNEL\Protocols SubKey
The Protocols registry key under the SCHANNEL key is used to control the use of the protocols supported by the Schannel.dll file and to restrict their use to the TLS server or the TLS client.

To prohibit the use of protocols other than SSL 3.0 or TLS 1.0, change the DWORD value data of the Enabled value to 0x0 in each of the following registry keys under the Protocols key:

    * SCHANNEL\Protocols\PCT 1.0\Client
    * SCHANNEL\Protocols\PCT 1.0\Server
    * SCHANNEL\Protocols\SSL 2.0\Client
    * SCHANNEL\Protocols\SSL 2.0\Server

WARNING: The Microsoft Message Queue current


Set 128-bit Cipher:

SCHANNEL\Ciphers Subkey
The Ciphers registry key under the SCHANNEL key is used to control the use of symmetric algorithms such as DES or RC4. The following are valid registry keys under the Ciphers key.

SCHANNEL\Ciphers\RC4 128/128
This subkey refers to 128-bit RC4.

To allow the cipher algorithm, change the DWORD value data of the "Enabled" value to ff ff ff ff (0xffffffff); to prohibit it, set the value to 0.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff


Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

Check your work:  (Port 443)
http://www.serversniff.net/sslcheck.php
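Before an external scan, it helps to audit the exported registry state offline. The following is an added example (not from this post, and not Microsoft tooling): a small Python script that parses a .reg export like the ones above, maps every SCHANNEL subkey to its "Enabled" DWORD, and checks it against the target state described here. The verdict labels (ok, weak-on, required-off, not-set) and the sample export are my own constructions.

```python
import re
SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Target state from the post: legacy protocols and weak ciphers off, SSL 3.0 / TLS 1.0,
# 128-bit RC4 and 3DES on. Keys are relative to the SCHANNEL key above.
DISABLE = [r"Protocols\Multi-Protocol Unified Hello\Server", r"Protocols\PCT 1.0\Server",
           r"Protocols\SSL 2.0\Server", r"Ciphers\NULL", r"Ciphers\DES 56/56",
           r"Ciphers\RC2 40/128", r"Ciphers\RC2 56/128", r"Ciphers\RC2 128/128",
           r"Ciphers\RC4 40/128", r"Ciphers\RC4 56/128", r"Ciphers\RC4 64/128"]
ENABLE = [r"Protocols\SSL 3.0\Server", r"Protocols\TLS 1.0\Server",
          r"Ciphers\RC4 128/128", r"Ciphers\Triple DES 168/168"]

def parse_reg(text):
    """Map each SCHANNEL subkey in a .reg export to its 'Enabled' DWORD (as an int)."""
    state, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            full = line[1:-1]
            inside = full.upper().startswith(SCHANNEL.upper() + "\\")
            key = full[len(SCHANNEL) + 1:] if inside else None  # ignore keys outside SCHANNEL
            continue
        m = re.match(r'^"Enabled"=dword:([0-9a-fA-F]{8})$', line)
        if m and key is not None:
            state[key] = int(m.group(1), 16)
    return state

def audit(state):
    """Return {subkey: verdict}. A key absent from the export is 'not-set': Schannel then
    falls back to its built-in default, which an auditor should not rely on."""
    verdict = {}
    for k in DISABLE:
        verdict[k] = "not-set" if k not in state else ("ok" if state[k] == 0 else "weak-on")
    for k in ENABLE:
        verdict[k] = "not-set" if k not in state else ("ok" if state[k] != 0 else "required-off")
    return verdict

# Constructed sample export (not from a real host): SSL 2.0 left on, TLS 1.0 set, DES off.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
"""
if __name__ == "__main__":
    for k, v in audit(parse_reg(SAMPLE)).items():
        print(f"{v:<13} {k}")
```

Run it against a `regedit /e` export of the SCHANNEL key from the server; any line not marked ok is a key that still needs the value set as shown in the exports above.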