IIS7 – Disable SSL 2.0 Enable TLS and SSL 3.0

KB ID 0000280 Dtd 15/06/10

Problem

One of my colleagues, rolled out an SBS 2008 domain the other week. The client then had an independent security review, which recommended they disable SSL 2.0 on their Windows 2008 Server. Queue lots of head scratching and shoulder shrugging.

After trawling a few forums we pieced together a working registry fix.

Solution

1. On your server apply the following registry fix. (or download it here).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannel]
"EventLogging"=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphers]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphersRC2 128]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphersRC2 128128]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphersRC4 128]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphersRC4 128128]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphersTriple DES 168]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCiphersTriple DES 168168]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelCipherSuites]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelHashes]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelKeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocols]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 2.0]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 2.0Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 2.0Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 3.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 3.0Client]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsSSL 3.0Server]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.0]
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.0Client]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSchannelProtocolsTLS 1.0Server]
"Enabled"=dword:00000001

2. Then reboot the server in question.

Related Articles, References, Credits, or External Links

NA

Author: Migrated

Share This Post On