Setup No SSL v3 - SQL-FineBuild/Common GitHub Wiki

Previous Setup TLS 1.2 Manual Install Setup Group Membership Next

FineBuild can disable Secure Sockets Layer v3 (SSL v3).

SSL v3 is vulnerable to hacking and is considered obsolete and it should be disabled wherever possible.

Security Compliance

Setup No SSL v3 configuration helps to reduce the network surface area available for attack. If you setup Security Compliance then Setup No SSL v3 configuration will always be implemented.

Group Policy Management

The Setup No SSL v3 configuration can be enforced by Group Policy Management.

FineBuild Setup No SSL v3

Processing of Setup No SSL v3 relates to Process Id 1DH in the FineBuild1Preparation script, and is controlled by the parameters below:

Install Parameter Build SQL Version Value
/SetupNoSSL3: FULL Any Yes
/SetupNoSSL3: CLIENT Any Yes
/SetupNoSSL3: WORKSTATION Any Yes

Top

Manual Setup No SSL v3

The following steps show what you would have to do to setup Setup No SSL v3 manually. FineBuild does all of this work for you automatically.

  1. Open the Registry Editor by Start -> Run and type regedit

    Regedit Command

  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client.

    If the registry key does not exist then create it.

    Path for Client

  3. Set the value of the DWORD item Enabled to 0 (zero).

    If it does not exist then create it

    Disable

  4. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server.

    If the registry key does not exist then create it.

    Path for Server

  5. Set the value of the DWORD item Enabled to 0 (zero).

    If it does not exist then create it

    Disable

Copyright FineBuild Team © 2016 - 2018. License and Acknowledgements

Previous Setup TLS 1.2 Top Setup Group Membership Next