Tag Archives: SSL

How to remove SSL 2.0 Server-Side Support from Windows Server 2008 R2

SSL 2.0 was released in 1995 but almost immediately replaced by SSL 3.0 in 1996 due to a number of security vulnerabilities. Nevertheless, Microsoft still enables server-side SSL 2.0 by default in Windows 7 and Windows Server 2008 R2… which will cause your server to fail any PCI compliance testing.

Disabling server-side SSL 2.0 is quite simple: create the following registry value and reboot the server. The SSL 2.0\Server subkey usually does not exist yet, so create it as well; the value itself is a REG_DWORD:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Name: Enabled
Type: REG_DWORD
Value: 0


After you’ve disabled it and rebooted, you can verify that the server no longer offers SSL 2.0 by using the free SSL Server Test from Qualys SSL Labs. Note that it can only test hosts reachable from the Internet, so an internal server has to be checked with a scanner on your own network.

There is no need to make any modifications to Internet Information Services (IIS) or Threat Management Gateway (TMG)… this is strictly an operating system level (SChannel) setting, and every SChannel-based service on the box picks it up after the reboot.

For completeness, client-side SSL 2.0 is already disabled by this registry value, which should be present out of the box:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Name: DisabledByDefault
Type: REG_DWORD
Value: 1

Note that the same process works on just about any version of Windows from Server 2003 onward.
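The registry changes above, scripted in PowerShell so they can be pushed to a whole array of servers consistently. This is an added example, not from the original post; it assumes an elevated PowerShell session on Windows Server 2008 R2 (PowerShell 2.0 is enough) and sets the client-side value explicitly even though it is normally already present:

```powershell
# Added example: disable server-side SSL 2.0 (and pin client-side SSL 2.0 off) via the registry.
# Run elevated; SChannel only reads these values at boot, so a reboot is still required afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

# Server side: the Server subkey is usually absent on a fresh install, so create it first,
# then set Enabled = 0 as a REG_DWORD. -Force overwrites the value if it already exists.
$server = Join-Path $base 'Server'
if (-not (Test-Path $server)) { New-Item -Path $server -Force | Out-Null }
New-ItemProperty -Path $server -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null

# Client side: DisabledByDefault = 1 should already be there; setting it again makes the
# intended state explicit and repairs a box where someone removed it.
$client = Join-Path $base 'Client'
if (-not (Test-Path $client)) { New-Item -Path $client -Force | Out-Null }
New-ItemProperty -Path $client -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null

# Read both values back so the change can be confirmed before scheduling the reboot.
Get-ItemProperty -Path $server -Name 'Enabled'           | Select-Object Enabled
Get-ItemProperty -Path $client -Name 'DisabledByDefault' | Select-Object DisabledByDefault
```

Run the script, reboot, and only then re-test with SSL Labs; reading the values back before the reboot proves the registry is right, not that SChannel has stopped offering SSL 2.0.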

How to Create a Certificate Request in Windows Server 2008 R2 for Use with Threat Management Gateway 2010

For a recent project I needed to create a certificate request for use with a new listener on Threat Management Gateway 2010. I wanted some specific criteria on the cert, so I really needed to use the Certificates snap-in in Windows to create the necessary .req file. I had a little difficulty getting this to work at first, but it turns out there are just a couple of tricks.

First, open the Certificates snap-in for the local computer and navigate down to the Personal – Certificates certificate store. Right-click on it and go to All Tasks – Advanced Operations – Create Custom Request.

Click Next on the first information screen that comes up, and then verify that Proceed Without Enrollment Policy is highlighted on the following screen, then click Next.

Now, by default, the Template combo box has “(No Template) CNG Key” selected, but this won’t work for Threat Management Gateway, as it does not support CNG keys. So you need to change this to “(No Template) Legacy Key” and click Next (the default request format of PKCS #10 is fine).

On the next screen, you need to click the down arrow next to Details, which will expose the Properties button.

Click Properties and fill out the form with the following.

General Tab
Friendly Name – The friendly name is however you want to refer to the certificate, I usually use the full URL so I know exactly why I got this particular certificate, but you can use whatever you want.

Subject Tab
At a minimum you should fill in the same Subject Name fields I have listed: typically the Common Name (the exact FQDN clients will connect to), plus Organization, Locality, State and Country, which most public CAs require.

Alternative names are optional, but if the certificate should also be valid for other host names, list each of them here as a DNS name. You need to verify that the type of certificate you intend to purchase from your certificate authority supports alternative names.

Extensions Tab
There are five subsections under this tab; Key Usage, Extended Key Usage, Basic Constraints, Include Symmetric Algorithm and Custom Extension Definition.

Under Key Usage, you would normally select Digital Signature and Key Encipherment. Your application may vary, but this is typically what you would use to publish a web site.

For Extended Key Usage, you’ll select Server Authentication and Client Authentication.

The final three you’ll leave as the defaults. Again, you may need them in some specific applications, but this is for publishing a web site or other web service.

Private Key
There are four subsections under this tab; Cryptographic Service Provider, Key Options, Key Type, and Key Permissions.

Under Cryptographic Service Provider, any of the listed legacy (CAPI) providers will work, but I typically use Microsoft RSA SChannel Cryptographic Provider (Encryption).

Under Key Options, you will probably want to change the key size to 2048 bits, which is the minimum most CAs now accept for SSL certificates…. Larger keys are allowed, but you may have to pay more for the certificate and every handshake gets slower.

Personally, I generally select the option “Make Private Key Exportable” as this allows me to freely back up and move the key to other servers in the array. Keep in mind that an exportable key is also easier for an attacker with local admin rights to walk off with, so protect any .pfx export with a strong password and delete the file once it has been imported on the target servers.

The options under Key Type and Key Permissions can be left as the default. Again, under specific circumstances or for specific applications, you may need to set those options, but this is just for a published web site, nothing more.

Hit Apply and then OK, and that should take you back to the Certificate Information screen:

Click Next, select where you want the .req file stored, and you’re all done. After you have submitted the request to your Certificate Authority and received your signed certificate back, you can import it using the Certificates snap-in for Windows (into the same Personal store on the same machine, so it pairs up with the private key generated above). At that point it will be available for assignment to a Listener in Threat Management Gateway.
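The same request can be produced from the command line with certreq.exe, which is handy when you need to repeat it on several array members or keep the settings under version control. This is an added example and not part of the original post; the host names, organisation details and file paths are made up, and the settings mirror the snap-in choices above (legacy CSP rather than CNG, 2048-bit exportable key, Digital Signature + Key Encipherment, Server and Client Authentication EKUs, optional SANs):

```powershell
# Added example: build the TMG listener certificate request with certreq.exe instead of the snap-in.
$hostName = 'mail.example.com'         # assumed listener FQDN; use your own
$infPath  = 'C:\temp\tmg-request.inf'  # assumed paths
$reqPath  = 'C:\temp\tmg-request.req'  # this is the PKCS #10 file you submit to the CA

@"
[NewRequest]
Subject = "CN=$hostName, O=Example Corp, L=Seattle, S=Washington, C=US"
FriendlyName = "$hostName"
; Legacy CAPI provider, not a CNG key storage provider: TMG 2010 cannot use CNG keys.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeyLength = 2048
KeySpec = 1                ; AT_KEYEXCHANGE, required for a TLS server key
KeyUsage = 0xA0            ; Digital Signature (0x80) + Key Encipherment (0x20)
Exportable = TRUE          ; so the key can be backed up and copied to other array members
MachineKeySet = TRUE       ; generate the key in the local computer store, not the user's
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1    ; Server Authentication
OID = 1.3.6.1.5.5.7.3.2    ; Client Authentication

[Extensions]
; Subject Alternative Names (optional); check that your CA's product supports them.
2.5.29.17 = "{text}"
_continue_ = "dns=$hostName&"
_continue_ = "dns=autodiscover.example.com&"
"@ | Set-Content -Path $infPath -Encoding ASCII

# Generate the key pair in the machine store and write the request file.
certreq -new $infPath $reqPath

# Once the CA returns the signed certificate (say C:\temp\signed.cer), bind it to the private key;
# it then shows up under Personal\Certificates and can be assigned to the TMG listener.
# certreq -accept C:\temp\signed.cer
```

Submit the .req to the CA exactly as the post describes; the only difference from the GUI route is that the pending request and the private key are created by certreq rather than the wizard, and `certreq -accept` replaces the snap-in import step.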

How to Use a Proxy Server with Microsoft Exchange 2007/2010

If you’re like me and managing an Exchange 2010 infrastructure in an environment that requires the use of a proxy server to access the Internet, you may experience various issues with Exchange. One issue in particular is that SSL certificates issued by an external certificate authority (CA) cannot be verified by Exchange. You’ll get an error such as:

“The Certificate Status could not be determined because the revocation check failed”

The reason for this is that the revocation check (fetching the CA’s CRL or querying its OCSP responder) is done by CryptoAPI over WinHTTP, not over the Internet Explorer proxy settings of whoever is logged on. WinHTTP has its own machine-wide proxy configuration; if none has been set it falls back to the Web Proxy Auto-Discovery (WPAD) protocol to find a proxy (via a DHCP option or a DNS entry), and if that turns up nothing it tries to go direct and the revocation check fails.

In order to determine what proxy server, if any, Exchange is using, run the following command from an elevated command prompt or the Exchange Management Shell (works for either Exchange 2007 or 2010):

netsh winhttp show proxy

If none is specified, or if you wish to change it, run the following. On Windows Server 2008 and 2008 R2 (and later) the command is:

netsh winhttp set proxy proxy-server="http=myproxy:8080;https=secureproxy:8080" bypass-list="*.internal.com"

Windows Server 2003 has no netsh winhttp context; the equivalent there is proxycfg.exe:

proxycfg -p "http=myproxy:8080;https=secureproxy:8080" "*.internal.com"

Just change the parts necessary to reflect the settings in your environment. Note that “myproxy” and “secureproxy” may be the same thing. Although technically optional, I would highly recommend setting the bypass-list to your local, internal domain name or you may have significant difficulty with the Exchange Management Console/Shell, since those talk to domain controllers and other Exchange servers over HTTP(S) too.

If you need to reset it back to direct access, just use this command:

netsh winhttp reset proxy
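Putting the steps together, with a check afterwards that the revocation lookup actually succeeds through the proxy. This is an added example and not part of the original post; the proxy names, the internal domain and the certificate file path are assumptions, the netsh syntax is the Windows Server 2008 R2 one, and it needs an elevated session because the WinHTTP proxy is machine-wide:

```powershell
# Added example: configure the WinHTTP proxy Exchange uses for CRL/OCSP fetches, then verify it.
$proxyServer = 'http=myproxy:8080;https=secureproxy:8080'   # assumed proxy names
$bypassList  = '<local>;*.internal.com'                      # assumed internal suffix; <local> = names without a dot

# Show what is configured now, apply the new settings, and show them again.
netsh winhttp show proxy
netsh winhttp set proxy proxy-server="$proxyServer" bypass-list="$bypassList"
netsh winhttp show proxy

# Check 1: have CryptoAPI fetch the AIA/CRL/OCSP URLs for a certificate through the new proxy.
# Export the listener's public certificate (no private key) to a .cer file first; the output
# ends with the revocation status of the leaf and every CA in the chain.
$certFile = 'C:\temp\external.cer'   # assumed path
certutil -verify -urlfetch $certFile

# Check 2, from the Exchange Management Shell: Status should now read Valid rather than
# RevocationCheckFailure for the externally issued certificate.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Status

# To go back to direct access (e.g. when moving the server out of the proxied network):
# netsh winhttp reset proxy
```

If `certutil -verify -urlfetch` still reports that the revocation function was unable to check revocation, the proxy itself is blocking the CA’s CRL or OCSP URLs, which is a proxy allow-list problem rather than an Exchange one.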