Remediating Common PCI SSL Vulnerabilities with a Simple Windows Registry File

Recently I was working with a client who was struggling to remediate two vulnerabilities identified by their quarterly perimeter PCI scans. Specifically, they needed to remediate the following vulnerabilities:

  • SSLv2 Enabled
  • Weak SSL Encryption Ciphers Enabled

With these vulnerabilities being so common amongst those bound to the PCI DSS, I would have hoped that better remediation information existed beyond Microsoft’s overcomplicated Knowledgebase Article.

In response to this lack of quality remediation information, I created the following Windows Registry file that aims to simplify the remediation of both vulnerabilities. It works by setting the `Enabled` DWORD value to 0 under the corresponding SCHANNEL registry keys (`HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers`, `\Hashes`, and `\Protocols`). The file has been tested on IIS 6.0 (Windows 2003) and disables the following weak ciphers, hash functions, and protocols associated with SSL:

  • Weak Ciphers – DES 56/56, NULL, RC2 40/128, and RC4 40/128, 56/128, and 128/128
  • Weak Hash Functions – MD5
  • Weak Protocols – PCT 1.0, and SSL 2.0
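As an added example (this is not the registry file the post links to, and it is not taken from Microsoft), the same settings applied from PowerShell, followed by a read-back check of every key. It assumes it is run as Administrator on the IIS host and that the `Server` subkey under each protocol is the one a perimeter scan exercises. Several SCHANNEL key names contain a forward slash (for example `RC4 40/128`), and the PowerShell registry provider treats that slash as a path separator, so the keys are created through the .NET `RegistryKey` API rather than `New-Item`:

```powershell
# Added example: disable the weak SCHANNEL ciphers, hashes and protocols
# listed in the post, then audit the result. Run elevated; SCHANNEL only
# reads these keys at boot, so a reboot is still required afterwards.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Key names exactly as SCHANNEL expects them.
$weakCiphers   = 'DES 56/56', 'NULL', 'RC2 40/128', 'RC4 40/128', 'RC4 56/128', 'RC4 128/128'
$weakHashes    = 'MD5'
$weakProtocols = 'PCT 1.0', 'SSL 2.0'

function Disable-SchannelKey {
    param([string]$SubKey)
    # CreateSubKey opens the key if it exists and creates it otherwise; the
    # literal slash in the name is preserved, unlike with the HKLM: provider.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubKey")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelState {
    param([string]$SubKey)
    # A missing key or missing Enabled value means the item is still enabled
    # by default, which is exactly what the scanner reports.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubKey")
    if ($key -eq $null) { return 'ENABLED (key absent)' }
    $value = $key.GetValue('Enabled')
    $key.Close()
    if ($value -eq $null) { return 'ENABLED (no Enabled value)' }
    if ($value -eq 0)     { return 'disabled' }
    # 0xffffffff is stored as a DWORD and reads back as -1 through .NET.
    return ('ENABLED (0x{0:x8})' -f $value)
}

# Apply the settings.
foreach ($c in $weakCiphers)   { Disable-SchannelKey "Ciphers\$c" }
foreach ($h in $weakHashes)    { Disable-SchannelKey "Hashes\$h" }
foreach ($p in $weakProtocols) { Disable-SchannelKey "Protocols\$p\Server" }

# Read everything back so the change can be verified before the reboot.
$report = @()
foreach ($c in $weakCiphers)   { $report += "Ciphers\$c : $(Get-SchannelState "Ciphers\$c")" }
foreach ($h in $weakHashes)    { $report += "Hashes\$h : $(Get-SchannelState "Hashes\$h")" }
foreach ($p in $weakProtocols) { $report += "Protocols\$p\Server : $(Get-SchannelState "Protocols\$p\Server")" }
$report
```

Any line that still reads `ENABLED` after the script runs is a key that could not be written (typically a permissions problem) and will show up again on the next scan, so fix it before rebooting.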

You can download the registry file from our website, here.

The standard “Backup your registry first” and “Test on non-production systems first” rules apply. SCHANNEL only reads these keys when the system starts, so reboot the server after importing the file, then re-run the scan to confirm both findings have cleared. Happy remediating! (and more importantly…SECURING!!!)