Wednesday, October 15, 2014

(Quick Post) POODLE workaround on Windows using PowerShell

This quick blog post is for quickly applying workaround on Windows using PowerShell for the POODLE vulnerability. It is more for my own notes, so nothing extraordinary.

The Microsoft Advisory on POODLE suggests "Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Group Policy"

Use below PowerShell cmdlet to configure the recommended settings on Windows clients. The cmdlet must be run with Administrative Privileges and makes changes to the Registry.
I tested this with https://www.poodletest.com/ and it works. My Internet Explorer is no longer vulnerable.

Use with Invoke-Command to apply it on multiple machines (needs PowerShell Remoting enabled and Administrative access to the machines. Use -Credential parameter to pass username/passwords) :

Below is an unofficial fix which was doing rounds on twitter, I tested it before looking at the Microsoft workaround. Including it here just for those curious.

========================================================================
Use below PowerShell cmdlets to disable SSL 3.0 on Windows clients. The cmdlets must be run with Administrative Privileges and make changes to the Registry.

Copy-paste friendly version:
Use 'Server' in above Registry keys to disable SSL 3.0 on Servers as well.

I tested this with https://www.poodletest.com/ and it works. My Internet Explorer no longer uses SSL 3.0.
========================================================================

Hope this would be helpful to you.

No comments:

Post a Comment