I have a client that needs to pass PCI security scan on their office WAN. Their WAN has some NAT rules that forward certain protocols to their internal SBS 2011 server. The scan is failing in part because SBS 2011 allows SSL 2.0 communication for the user portal while SSL 3.0 or TLS 1.0 and above are required for a passing grade for this specific PCI scan.
You’ll need to do some registry editing and then reboot the server. Make sure you have good backups and a service window where the server can be down. Then read and observe Microsoft KB187498. Or if you’re too lazy to click a link, read and do this:
- Open regedit and navigate to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
- Create a new key and name it Server
- Under that new key, create a new DWORD (32-bit) value and name it “Enabled” with the value of 0.
- Close everything and reboot the server.
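The same change as a script, so it can be audited and repeated across servers (added example, not part of the original post or of KB187498). It assumes an elevated PowerShell session on the SBS box and touches only the SSL 2.0 Server key described above; the reboot is still required afterwards.

```powershell
# Added example: audit and disable server-side SSL 2.0 in Schannel via the registry.
# Key layout follows KB187498: Protocols\<Protocol>\<Server|Client>\Enabled (REG_DWORD).
# Assumptions: run elevated; reboot afterwards for Schannel to pick up the change.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports the Enabled value for a protocol/role key, or that the OS default applies
    param([string]$Protocol, [string]$Role)
    $key = Join-Path (Join-Path $schannel $Protocol) $Role
    if (-not (Test-Path $key)) { return 'key absent (OS default applies)' }
    $value = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) { return 'key present, Enabled not set' }
    return $value
}

function Disable-SchannelProtocol {
    # Creates Protocols\<Protocol>\<Role> if missing and sets Enabled = 0 (REG_DWORD)
    param([string]$Protocol, [string]$Role)
    $protocolKey = Join-Path $schannel $Protocol
    if (-not (Test-Path $protocolKey)) { New-Item -Path $protocolKey | Out-Null }
    $roleKey = Join-Path $protocolKey $Role
    if (-not (Test-Path $roleKey)) { New-Item -Path $roleKey | Out-Null }
    New-ItemProperty -Path $roleKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

Write-Output ('Before: SSL 2.0 Server Enabled = {0}' -f (Get-SchannelProtocolState -Protocol 'SSL 2.0' -Role 'Server'))
Disable-SchannelProtocol -Protocol 'SSL 2.0' -Role 'Server'
Write-Output ('After:  SSL 2.0 Server Enabled = {0}' -f (Get-SchannelProtocolState -Protocol 'SSL 2.0' -Role 'Server'))
Write-Output 'Reboot the server, then re-test with: openssl s_client -connect my.hostname.com:443 -ssl2'
```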
To test and verify, I recommend reading my blog post “<a href="http://bit.ly/1eR3Uom">How Can I Determine What SSL/TLS Versions Are Available for HTTPS Communication?</a>”. Running the command

openssl s_client -connect my.hostname.com:443 -ssl2

returned the following result, proving that SSL 2.0 was no longer an option on that server.
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 45 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1392250044
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
SSL 3.0 and beyond are enabled by default in Windows Server 2008 and later, so most SSL communication would already use SSL 3.0 or TLS. However, the option for SSL 2.0 did exist, and it can cause some PCI scans to fail if the server is publicly accessible.