Results 1 to 2 of 2
Thread: Use of SSL by Domain Controllers
2010-03-16, 15:53 #1
- Join Date
- Mar 2010
- Green Bay WI USA
- Thanked 0 Times in 0 Posts
I work in IT at a small bank. We recently had a third party do a vulnerability scan of our servers. The Nessus scan reported that SSL 2.0 is configured on 2 of our Domain Controllers, as were insecure ciphers. One of the machines runs Windows Server 2003, the other Windows Server 2008. I found instructions on MS Technet (Article ID 187498) for disabling SSL 2.0 by adding a Dword "enabled" value = 0 to the appropriate registry key. Other research indicated that the same technique could be used to disable insecure ciphers as well. The article indicated that SSL 3.0 is configured by default on these servers and that in the absence of SSL 2.0, the connection would default to SSL 3.0. One of the technicians here is unconvinced that disabling SSL 2.0 is perfectly safe, and has expressed concern that these domain controllers may want to use it for secure domain related communication. Can anyone shed some light on the subject?
2010-03-16, 16:11 #2
- Join Date
- Dec 2009
- Thanked 1,054 Times in 982 Posts
Your DCs should be using IPsec if you want secure comms, SSL is not a valid protocol unless you also have IIS on the DCs (this is very bad in my book, DCs are top of the security tree).
Maybe you have WSUS installed on the DCs and this means IIS as well?