discovering servers with SSLv2 enabled
I'm looking to discover what servers in my inventory have SSL v2.0 enabled. For security reasons, I'd like to see that it gets disabled, but I'm not finding information that I can easily query that tells me it is 'enabled' other than executing an openssl command to each machine.
I did find a couple of articles that describe adding/changing the registry to a particular value, but I don't see what exactly I can query from the Windows registry via KACE Scripting to locate who is affected.
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
Disable SSLv2 for Microsoft IIS7 under Windows Server 2008 64bit
When I peruse the Windows Registry on one server where SSLv2 is enabled and another where it is not, the key 'HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\' looks the same between the two. There is no 'Enabled' DWORD name preexisting.
Any help to point me in the right direction is much appreciated.
Thanks.
Answers (2)
Posted by:
cblake
13 years ago
Posted by:
fauveld
13 years ago
cblake, that sounds promising. Let me get this straight because I'm new to KACE. The Custom Inventory command would look something like...
ShellCommandTextReturn(openssl s_client -ssl2 -connect 127.0.0.1:443)
Is there a means of querying the openssl results for something descriptive like "ssl handshake has read"?
There's probably a better means than what I'm thinking, but I appreciate the help.
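
Added example (not part of the original thread, and not KACE's own code): a PowerShell check of the SChannel key quoted in the question. It assumes the Server subkey and the Enabled / DisabledByDefault DWORD values from Microsoft's documented SChannel registry layout; the function name and the result labels are hypothetical. NotConfigured means no explicit setting exists and the Windows version's built-in default applies, so the registry alone does not settle those hosts and a handshake test is still needed for them.

```powershell
# Added example: report how the server side of SSL 2.0 is configured in SChannel.
# Function name and result labels are hypothetical, chosen for this illustration.
function Get-Ssl2ServerState {
    param(
        # Protocol key as quoted in the question, in PowerShell registry-provider form.
        [string]$ProtocolKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0'
    )

    # Server-side settings live in the 'Server' subkey (assumption from Microsoft's
    # SChannel documentation; the thread only quotes the parent key).
    $serverKey = Join-Path $ProtocolKey 'Server'

    # No Server subkey: nothing was ever configured, the OS default decides.
    if (-not (Test-Path -LiteralPath $serverKey)) {
        return 'NotConfigured'
    }

    # Missing values come back as $null (default, non-strict mode).
    $values            = Get-ItemProperty -LiteralPath $serverKey
    $enabled           = $values.Enabled
    $disabledByDefault = $values.DisabledByDefault

    # Subkey exists but carries neither value: still the OS default.
    if ($null -eq $enabled -and $null -eq $disabledByDefault) {
        return 'NotConfigured'
    }

    # Enabled = 0 is the explicit "off" switch.
    if ($null -ne $enabled -and $enabled -eq 0) {
        return 'Disabled'
    }

    # DisabledByDefault set to a non-zero value, without Enabled = 0.
    if ($null -ne $disabledByDefault -and $disabledByDefault -ne 0) {
        return 'DisabledByDefault'
    }

    return 'Enabled'
}

# One line of text per host, easy to collect and filter on in an inventory report.
"SSL2_SERVER=$(Get-Ssl2ServerState)"
```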