When our system is scanned by security it is coming up with weak cipher errors and points to the fact they are communicating using SSLv2. Our thought was to disable SSLv2 system wide instead of for each application as there are about 20 or so offending ports and to track down what application is on what port can be a time consuming process.
We added the registry key:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server and set a DWORD value to 0
This seems to stop some applications from using SSLv2 as port 443 but not on any other ports for instance SPLUNK 8089. Also, ports 636 and 3269 for LDAP are not using SSLv2 at all but TLS and still come up as a security finding.
Is this setting a system wide setting or does it only have an effect on Windows services? If we force applications to use SSLv3 we should be able to get past the weak cipher ding. Any ideas?
Best Answer
From my understanding, that registry setting only affects services/exes that use schannel.dll for SSL on the server. If there is another web service (such as splunk) that doesn't rely on that dll for SSL, you will have to refer to the vendor documentation for how to disable weak SSL ciphers for that application.
Look more closely at the finding for LDAP on 636 and 3269 and make sure it isn't just an informational finding. I believe those use schannel as well and would be affected by the registry setting you have already defined.