PCI Compliance: Disabling SSL v2 and weak SSL ciphers
Disclaimer: The items mentioned in the following blog article involve making changes to your server’s registry. Incorrectly modifying your server’s registry can result in downtime or abnormal behavior causing unforeseen consequences. If you do not have much experience working with the registry or if you are not comfortable making these changes it is highly recommended that you seek assistance from an experienced Windows Server administrator. If you are an Applied Innovations client with a self-managed dedicated server or VPS you can purchase a support ticket and one of our experienced administrators will complete this task for you. For Applied Innovations managed server clients these changes can be made by simply opening a ticket with support (support@appliedi.net).
There are many issues that can cause a site to fail a PCI scan, but one of the most common reasons is having SSL version 2.0 and weak SSL ciphers enabled on the server. This is the standard default behavior on Windows Server 2003 so corrective action must be taken to disable these items. Weak SSL ciphers should already be disabled on Windows Server 2008 by default but you still have to disable SSL v2.0. You should ensure you have a full working backup of your server’s system state (which includes the registry) before making any of the following changes.
To disable SSL v2.0 (necessary for Windows Server 2003 and 2008):
1. Click Start, click Run, type regedit, and click OK.
2. In the Registry Editor browse to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
* For Windows Server 2008 you first have to create the Server key, so browse to this location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
a. Right click on the SSL 2.0 folder, select New, and click Key.
b. Name the key exactly as shown: Server
3. Right click on the Server key, select New, and click DWORD Value (the exact name on Windows Server 2008 is DWORD (32-bit) Value)
4. Name the value exactly as shown: Enabled
5. Verify that the value is of type REG_DWORD with a Data value of 0x00000000 (0)
6. If you have a Windows 2003 Server you’ll need to follow the procedure outlined below for disabling weak SSL ciphers. If you have a Windows 2008 server you still need to reboot your server to force the changes to take effect but you are done making all necessary registry changes.
To disable weak SSL ciphers (necessary for Windows 2003):
1. Click Start, click Run, type regedit, and click OK.
2. In the Registry Editor browse to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
3. Right click on the DES 56/56 key, select New, and click DWORD Value.
4. Name the value exactly as shown: Enabled
5. Verify that the value is of type REG_DWORD with a Data value of 0x00000000 (0)
6. Repeat steps 3-5 for the following keys: RC2 40/128, RC4 40/128, RC4 56/128
7. Reboot your server to force these changes to take effect.
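The same changes from both procedures above can be applied and then read back with a script instead of by hand. The following PowerShell is an added example, not part of the original post; it assumes an elevated session on the server being changed, and the key paths are Microsoft's documented Schannel locations (the RC2 40-bit cipher key is documented as "RC2 40/128").

```powershell
# Added example: sets Enabled=0 under the SSL 2.0 Server key and the weak cipher
# keys, creating any key that is missing (as step 2 does for the 2008 Server key),
# then verifies each one. Run elevated, with a system state backup taken first;
# Schannel only reads these values after a reboot.

$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Sub-keys under HKEY_LOCAL_MACHINE whose "Enabled" DWORD must be 0.
$Targets = @(
    "$Base\Protocols\SSL 2.0\Server",
    "$Base\Ciphers\DES 56/56",
    "$Base\Ciphers\RC2 40/128",
    "$Base\Ciphers\RC4 40/128",
    "$Base\Ciphers\RC4 56/128"
)

# The .NET registry API is used instead of HKLM:\ provider paths because the
# PowerShell registry provider treats the "/" in cipher key names as a path separator.
function Disable-SchannelItem {
    param([Parameter(Mandatory)][string]$SubKey)
    # CreateSubKey opens the key writable and creates it when it does not exist.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($SubKey)
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelItemDisabled {
    param([Parameter(Mandatory)][string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    # A missing key means Schannel falls back to its default, which is "enabled".
    if ($null -eq $key) { return $false }
    try {
        $value = $key.GetValue('Enabled')
        return ($null -ne $value) -and ([int]$value -eq 0)
    } finally {
        $key.Close()
    }
}

foreach ($t in $Targets) {
    Disable-SchannelItem -SubKey $t
    $state = if (Test-SchannelItemDisabled -SubKey $t) { 'disabled' } else { 'STILL ENABLED' }
    '{0,-14} {1}' -f $state, $t
}
'Reboot the server for Schannel to apply these settings.'
```

Running only the Test-SchannelItemDisabled loop, without the Disable-SchannelItem call, gives a read-only check that is useful before a PCI rescan.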
Taking the above steps will correct PCI scanning issues related to having SSL v2 and weak SSL ciphers enabled.