posted on March 07, 2011 06:10
Disclaimer: The items mentioned in the following article involve making changes to your server’s registry. Incorrectly modifying your server’s registry can result in downtime or abnormal behavior causing unforeseen consequences. If you do not have much experience working with the registry or if you are not comfortable making these changes it is highly recommended that you seek assistance from an experienced Windows Server administrator.
There are many issues that can cause a site to fail a PCI scan, but one of the most common reasons is having SSL version 2.0 and weak SSL ciphers enabled on the server. This is the standard default behavior on Windows Server 2003 so corrective action must be taken to disable these items. Weak SSL ciphers should already be disabled on Windows Server 2008 by default but you still have to disable SSL v2.0. You should ensure you have a full working backup of your server’s system state (which includes the registry) before making any of the following changes.
To disable SSL v2.0 (necessary for Windows Server 2003 and 2008):
1. Click Start, click Run, type regedit, and click OK.
2. In the Registry Editor browse to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
* For Windows Server 2008 you first have to create the Server key, so browse to this location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
a. Right click on the SSL 2.0 folder, select New, and click Key.
b. Name the key exactly as shown: Server
3. Right click on the Server key, select New, and click DWORD Value (the exact name on Windows Server 2008 is DWORD (32-bit) Value).
4. Name the new value exactly as shown: Enabled
5. Verify that the value is of type REG_DWORD with a Data value of 0x00000000 (0).
6. If you have a Windows 2003 Server you’ll need to follow the procedure outlined below for disabling weak SSL ciphers. If you have a Windows 2008 server you still need to reboot your server to force the changes to take effect but you are done making all necessary registry changes.
To disable weak SSL ciphers (necessary for Windows 2003):
1. Click Start, click Run, type regedit, and click OK.
2. In the Registry Editor browse to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
3. Right click on the DES 56/56 key, select New, and click DWORD Value.
4. Name the new value exactly as shown: Enabled
5. Verify that the value is of type REG_DWORD with a Data value of 0x00000000 (0).
6. Repeat steps 3-5 for the following keys: RC2 40/128, RC4 40/128, RC4 56/128
7. Reboot your server to force these changes to take effect.
Taking the above steps will correct PCI scanning issues related to having SSL v2 and weak SSL ciphers enabled.
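The same registry changes, applied and then audited from PowerShell, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the server; the `Disable-SchannelItem` and `Test-SchannelItemDisabled` function names are this example's own, and it goes through the .NET registry API on purpose, because PowerShell's registry provider treats "/" as a path separator and would turn a cipher key such as "RC4 40/128" into a nested "RC4 40\128" key that SCHANNEL never reads.

```powershell
# Added example (not from the original post): sets Enabled=0 on the SCHANNEL
# keys named in the post and reports whether each one now reads as disabled.
# Uses the .NET registry API because PowerShell's registry provider treats
# "/" in a key name as a path separator. Run elevated; the reboot from the
# post is still required before SCHANNEL picks the change up.
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys (relative to SCHANNEL) whose "Enabled" REG_DWORD must be 0:
# the SSL 2.0 server-side protocol key plus the four weak cipher keys.
$Targets = @(
    'Protocols\SSL 2.0\Server',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128'
)

function Disable-SchannelItem {
    param([Parameter(Mandatory = $true)][string]$RelativePath)
    # CreateSubKey opens the key if it exists or creates it together with any
    # missing parents (the "Server" key is absent by default on Server 2008).
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\$RelativePath")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelItemDisabled {
    param([Parameter(Mandatory = $true)][string]$RelativePath)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelPath\$RelativePath")
    # A missing key or missing value means the Windows default (enabled) applies.
    if ($null -eq $key) { return $false }
    try {
        $value = $key.GetValue('Enabled', $null)
        if ($null -eq $value) { return $false }
        # Only a REG_DWORD of exactly 0 counts; any other type or value is treated as enabled.
        return ($key.GetValueKind('Enabled') -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ([int]$value -eq 0)
    } finally {
        $key.Close()
    }
}

foreach ($target in $Targets) {
    Disable-SchannelItem -RelativePath $target
    $state = if (Test-SchannelItemDisabled -RelativePath $target) { 'disabled' } else { 'STILL ENABLED' }
    Write-Output ("{0,-28} {1}" -f $target, $state)
}
```

Running only the `Test-SchannelItemDisabled` loop (without the `Disable-SchannelItem` call) gives a read-only audit you can run before a PCI scan to confirm the settings survived a reboot or a later change.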