On IIS, how do I patch the SSL 3.0 POODLE vulnerability (CVE-2014-3566)?
How do I patch CVE-2014-3566 on a Windows Server 2012 system running IIS?
Is there a patch in Windows Update, or do I have to do a registry change to disable SSL 3.0?
There is no "patch". It's a vulnerability in the protocol, not a bug in the implementation.
In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.
To disable SSLv3, which the POODLE vulnerability is concerned with, create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server) create a DWORD value named Enabled and leave it set at 0.
Disabling SSL 2.0, which you should also be doing, is done the same way, except that you'll be using a key named SSL 2.0 in the above registry path.
I haven't tested all versions, but I think it's probably safe to assume that a reboot is necessary for this change to take effect.
Just for ease of installation I derived this "disable ssl 2 and 3.reg" file from Evan's answer above:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Powershell to disable SSL2 and SSL3:
2..3 | %{ New-ItemProperty -Path "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL $_.0\Server" -Name Enabled -PropertyType "DWORD" -Value 0 -Force }
There is a free utility from Nartac that you can use to disable the protocols.
https://www.nartac.com/Products/IISCrypto/Default.aspx
Here's a PowerShell that will test for the presence of the registry keys, create them if needed, and then enter the necessary values to disable SSL 2.0 and SSL 3.0
$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'
If(!(Test-Path -Path $regPath1))
{
New-Item -Path $regPath1 -Force
}
If(!(Test-Path $regPath2))
{
New-Item -Path $regPath2 -Force
}
New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value "0" -Force
If(!(Test-Path $regPath3))
{
New-Item -Path $regPath3 -Force
}
If(!(Test-Path $regPath4))
{
New-Item -Path $regPath4 -Force
}
New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value "0" -Force
This can be deployed using SCCM or command line - just be sure to run the SCCM job or command line as Administrator. Some websites with the registry information indicate that a reboot is required after the registry keys are created and/or modified.