SSL Version 2 and 3 Protocol Detection (Windows) (IIS Crypto) Vulnerability
Written by Luke Peach
Updated over a week ago

When detected by a vulnerability scanner, the SSL Version 2 and 3 Protocol Detection vulnerability is reported with a CVSS score of 9.8 (v3).

CVSS is an industry-standard scoring system for vulnerabilities; it rates each finding on a scale from 0 to 10. The ranges are shown as:

Both SSL and TLS are cryptographic protocols designed to secure communications over a network. Originally there were SSL version 1 and version 2, but they had a lot of security holes. Version 3, however, did better and was widely supported. SSLv3 was then undermined by the POODLE attack, and people started getting rid of it. TLS v1.0 was largely based on (but not compatible with) SSLv3. TLS 1.1 replaced v1.0 (circa 2006). Problems with it prompted TLS 1.2 (circa 2008), which was then the standard until TLS v1.3 (circa 2018).

However, just because you use the newest protocols does not necessarily mean you are more secure. Most documentation you read says TLS 1.2 'should' be secure. This is because these protocols are built on cryptographic ciphers and are only as secure as those ciphers. You can undermine a strong protocol with a weak cipher and render it less secure. In some cases you may need to do this, or you might simply enable a cipher to fix a 'problem' without understanding the consequences.

To help remediate this vulnerability, this document makes use of the IIS Crypto tool.

To download IIS Crypto please visit: https://www.nartac.com/Products/IISCrypto/Download

To enable TLSv1.2 please check the box for TLS 1.2 as shown in the image below.

To disable SSLv2.0 please uncheck the box for SSL 2.0 as shown in the image below.

To disable SSLv3.0 please uncheck the box for SSL 3.0 as shown in the image below.

To disable TLSv1.0 please uncheck the box for TLS 1.0 as shown in the image below.

To disable TLSv1.1 please uncheck the box for TLS 1.1 as shown in the image below.

After making all the required changes, reboot the server for them to take effect. Once the services have restarted, the new protocol settings will be in force.
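As an added example, not part of the original article or of IIS Crypto itself, the following PowerShell audits the Schannel registry values that the protocol check boxes above write, so the result can be verified after the reboot. The registry path, the Server subkey and the Enabled and DisabledByDefault value names are the standard Schannel locations on Windows; the desired-state table mirrors the steps above (TLS 1.2 on, everything older off).

```powershell
# Added example (not from the original article or from IIS Crypto): audit the
# Schannel server-side protocol settings and compare them to the desired state.
# Assumes the standard Schannel key path; run in an elevated PowerShell session
# on the server being remediated, after the reboot.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state matching the remediation steps: TLS 1.2 enabled, older versions disabled.
$Desired = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    param([string]$Protocol)
    $key = Join-Path $SchannelRoot "$Protocol\Server"
    if (-not (Test-Path $key)) {
        # No key at all means Windows applies its built-in default for that version,
        # which differs between OS releases; report it so the setting is made explicit.
        return 'OS default (key missing)'
    }
    $props = Get-ItemProperty -Path $key
    # Schannel treats Enabled=0 as off, and DisabledByDefault=1 as off unless an
    # application explicitly asks for that protocol version.
    if ($props.Enabled -eq 0 -or $props.DisabledByDefault -eq 1) { return 'Disabled' }
    return 'Enabled'
}

$results = foreach ($name in $Desired.Keys) {
    $actual = Get-SchannelProtocolState -Protocol $name
    $want   = if ($Desired[$name]) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{
        Protocol  = $name
        Actual    = $actual
        Desired   = $want
        Compliant = ($actual -eq $want)
    }
}
$results | Format-Table -AutoSize

# Exit non-zero when any protocol is out of line, so deployment tooling can
# gate on this check instead of trusting the scanner alone.
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

A protocol whose key is missing is reported as non-compliant on purpose: the remediation should leave each version explicitly configured rather than relying on the OS default.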
