Home > Forefront TMG 2010, Security Updates, Unified Access Gateway, Forefront UAG 2010, Threat Management Gateway, Security > Mitigating the POODLE SSL 3 Vulnerability on Forefront TMG 2010

Mitigating the POODLE SSL 3 Vulnerability on Forefront TMG 2010

October 21, 2014

Recently a new and very serious vulnerability in the SSL 3.0 protocol has been discovered that allows an attacker to recover sensitive information for an encrypted session. The Qualys SSL Labs server test has been updated to identify and warn about this issue.

Mitigating the POODLE SSL 3.0 Vulnerability on Forefront TMG 2010

Figure 1 – Qualys SSL Labs Server Test Score for TMG Published Secure Web Site

On a Forefront TMG server with SSL hardening implemented as I’ve outlined here and here, the POODLE attack is mitigated, but it is still recommended that you disable SSL 3.0 altogether. SSL 3.0 is an old, outdated protocol that is no longer widely used, and disabling it should have minimal impact on clients connecting to secure web sites published by the Forefront TMG 2010 firewall.

To disable SSL 3.0 on the TMG firewall, open an elevated PowerShell window and execute the following commands:

New-Item -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” -Force

New-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” -PropertyType dword -Value 0 -Name Enabled

Note: Use caution when copying/pasting the above commands as wrapping of the text has occurred.

A restart of the server is required for the change to take effect.

  1. October 22, 2014 at 11:38 pm

    Excellent article Richard 🙂

    However I believe whole server has to be restarted than JUST TMG Services.

  2. October 23, 2014 at 2:26 am

    Good Article Richard 🙂

    Also as its a Windows level change I believe whole machine has to be restarted than JUST TMG Services.

  3. October 23, 2014 at 10:11 am

    Absolutely. That’s what I meant, but I can see how my original wording made it seem like I was suggesting that only the TMG firewall “service” needed to be restarted. Yes, the server itself needs to be completely restarted for this change to take effect. I’ve updated the wording in the post for clarification. Thanks for bringing that to my attention!

  4. Jason
    November 18, 2014 at 3:59 pm

    Any thoughts on getting to 100 on all fields? Currently I’m at 100,100,90,90. TMG has all but TLS1.2 enabled, I seem to be losing out to cipher strength (128’s rather than 256, ECDH is pushing at <4096 effective), and downgrade attack prevention.

  5. December 3, 2014 at 5:23 am

    I don’t have any. I’m satisfied with an “A”. 🙂 If you do get a perfect score, please let us know how you did it!

  6. Mark Haddon
    January 13, 2015 at 3:27 am
  7. January 14, 2015 at 5:25 am

    Most interesting! 🙂

  8. Patrick
    January 21, 2015 at 6:11 pm

    Error with second command: A parameter cannot be found that matches parameter name ‘PropertyType’. I was able to set it in regedit once the SSL 3.0 Protocol was named, however.

  9. January 21, 2015 at 7:42 pm

    My PowerShell code may not be perfect. 😉 It certainly doesn’t contain any error checking, and also doesn’t behave well if those keys already exist. Glad you got it figured out though. 🙂

  10. Patrick
    January 22, 2015 at 7:03 am

    I’m certainly not complaining: you got me on the right track and I appreciate it. Setting the Enable to false inside regedit worked fine after the first step. Thanks for your post!

  11. Lee
    March 11, 2015 at 1:45 am

    Hi Richard, I’ve used the IIS Crypto tool to implement the necessary registry changes to secure my instance of TMG. My latest Qualsys scan states the following;

    This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F. MORE INFO »

    But according to the following article that states that schannel isn’t affected by CVE-2014-8730, I’m confused :S

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/0f854cf2-9028-4788-bf0f-655f0115cc7d/schannel-and-tls-1x-padding-vulnerability-cve20148730?forum=winserversecurity

  12. March 12, 2015 at 11:41 am

    It might be a false positive. Did you also disable support for RC4 cipher suites?

  13. April 30, 2015 at 8:28 am

    Have you noticed any difference between the registry setting of Enabled=0 or the registry setting DisabledByDefault=1? Do both work equally the same?

  14. May 2, 2015 at 8:20 am

    I have not. I would expect they would exhibit the same behavior, but I could be wrong. Testing should confirm that.

  15. October 27, 2015 at 10:58 pm

    I post my question here, because I dont where else to post it.
    Even after disabling SSL v2 + v3, enabling TLS 1.1 + 1.2 AND using your recommended list of SSL and TLS cipher suites I get a rating F on the site. The reason is a Poodle attack against TLS:

    “This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F.”

    Im not sure what I can do to change that… Do you have any advises?

  1. October 25, 2014 at 11:57 am
  2. October 25, 2014 at 11:59 am
  3. October 25, 2014 at 12:00 pm
  4. October 28, 2014 at 2:16 pm
Comments are closed.