Windows – Is a reboot required for SSL V3 disable on Windows? – Poodle exploit

Tags: poodle, security, ssl, windows, windows-server-2012-r2

We are trying to disable SSL V3 on numerous Windows servers; as part of this, registries are being updated remotely via script.
The problem is that lots of reboots are required after the registry change. Is there a way around it? Can a service be restarted on the server so that it no longer accepts SSL V3 after the registry change?

Edit: A little more clarification: this is about disabling "SSL V3 server" on Windows 2012 R2 servers.

Best Answer

Yes... probably... if you're talking about applications that call into schannel.dll.

You mentioned "Servers" and you mentioned "SSLv3", which is a protocol. Changes to this registry key require a reboot.

Read this Microsoft article: https://support.microsoft.com/en-us/kb/245030

That's basically the bible of this topic.

Notice that the article says "Changes to the CIPHERS key or the HASHES key take effect immediately, without a system restart."

However, you are changing the PROTOCOLS key. So, restart.

EDIT: Oh, I forgot to mention the most important part -- changes to this registry key only affect applications that call into the Schannel DLL (such as IIS, RDP, SQL Server, etc.). They have NO EFFECT on applications that use a third-party library such as OpenSSL. In those apps, it is impossible for us to know whether it will require a reboot or not because it depends on the app.
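
The remote registry change discussed in this thread, as an added PowerShell example that is not part of the original question or answer: it sets the Schannel PROTOCOLS value for the SSL 3.0 server side and lists which servers still need the restart the answer describes. The server names are hypothetical, and PowerShell remoting (WinRM) is assumed to be enabled on the targets.

```powershell
# Hypothetical server list; replace with your own inventory.
$servers = 'SRV01', 'SRV02'

$result = Invoke-Command -ComputerName $servers -ScriptBlock {
    # Schannel PROTOCOLS key for the server side of SSL 3.0
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server'

    # Value before this run; $null means the key or value is absent (OS default applies)
    $before = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

    if ($before -ne 0) {
        # -Force also creates missing parent keys under Protocols
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        EnabledBefore = if ($null -eq $before) { 'not set' } else { $before }
        EnabledNow    = (Get-ItemProperty -Path $key -Name Enabled).Enabled
        LastBoot      = $os.LastBootUpTime
        # Changed in this run: Schannel has not re-read the PROTOCOLS key yet.
        # Assumption: a value already 0 before this run was followed by a restart;
        # compare LastBoot with your own change records to confirm.
        RebootPending = ($before -ne 0)
    }
}

$result | Sort-Object PSComputerName |
    Format-Table PSComputerName, EnabledBefore, EnabledNow, LastBoot, RebootPending -AutoSize

# Servers to schedule for a restart in the next maintenance window
$result | Where-Object RebootPending | Select-Object -ExpandProperty PSComputerName
```

As the answer notes, this only covers applications that call into Schannel; services built on a third-party TLS library need their own configuration.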