IIS 7 & IIS 8
Disable SSL v2 in IIS7?
Last post Nov 15, 2012 08:36 AM by Pawel Dolny
Sep 18, 2008 05:20 AM
I saw and read http://support.microsoft.com/kb/187498
It states that it is the same for IIS 7 on 2K8, but when I looked in the registry I only saw the key for SSL 2.0 and no other versions; then, expanding that key, there is a Client subkey but no Server subkey. So I created the Server subkey and added the Enabled DWORD with a value of 000000 (aka 0) like the KB article states, rebooted, and SSL v2 is still working. Anyone have ideas?
Thanks in advance
Sep 18, 2008 06:16 PM
You have to create it like the article says and reboot. Here is what mine looks like locally on my IIS 7 box.
Disclaimer :) The normal legal stuff, 1) Back up the registry, 2) test on a non-production box. I hold no responsibility for deploying this in your environment. :
Windows Registry Editor Version 5.00
Aug 02, 2009 04:57 AM
Sorry, but that does not appear to work for Windows 2008. (It works for Windows 2003.)
Sep 29, 2009 12:48 PM
We are also having trouble getting this to work with Server 2008 R2; although the registry keys exist in the same pattern, it continues to make SSL2 available.
This is a significant PCI issue of course...
Oct 01, 2009 01:44 AM
Did you try this?
Oct 26, 2009 09:12 PM
I assume your references to DWORD in your advice are for 32-bit machines. Would I be correct that people with 64-bit machines should be setting QWORD to zero?
Nov 19, 2009 06:26 PM
I had the same or, let's say, a very similar problem under Windows 2008 x64 and Windows 2008 R2.
I was trying to disable SSL 2.0 and at the same time enable SSL 3.0 and TLS 1.0.
I did try to just disable SSL 2.0 but with no luck whatsoever.
Below are instructions for how I've done it:
(MAKE SURE THAT YOU BACK UP YOUR REGISTRY BEFORE APPLYING THOSE CHANGES)
• Use regedit to add the following keys (right-click on Protocols -> New -> Key -> "SSL 2.0", then "SSL 3.0", then "TLS 1.0")
• Under each of the keys above you need to create additional keys "Client" and "Server"
For SSL 2.0:
For SSL 3.0:
For TLS 1.0:
• Then you will have to create a DWORD (32-bit) value called "Enabled" under each "Client" and "Server" key for "SSL 2.0", "SSL 3.0" and "TLS 1.0"
DWORD (32-bit) Value
Value name = Enabled
Value data = 0
Value data can be set to "1" - Enabled or "0" - Disabled
In my scenario the values were "enabled" (set to 1) for SSL 3.0 and TLS 1.0 and "disabled" (set to 0) for SSL 2.0.
• The next step is to add the correct ciphers; to do so you will have to navigate to the following key in the registry
• (right-click on "Ciphers" -> New -> Key)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
• That's all! Now you need to restart your server to apply those changes.
• If you are using TMG 2010 or ISA 2006 to publish the website externally you will need to apply exactly the same settings to registry to it.
Please accept my apologies for my English, but I hope I've managed to help you guys.
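The registry steps from the post above, as an added PowerShell example that is not part of the original thread: it writes the `Enabled` DWORD under `Client` and `Server` for each protocol with the values the post describes, creates the Triple DES cipher key, and reads every value back with its registry type. The `Protocols` path is the sibling of the `Ciphers` path quoted in the post; `$desired`, `$report` and `Set-SchannelProtocol` are hypothetical names.

```powershell
# Added example, not from the thread. Run from an elevated prompt after
# exporting the SCHANNEL key as a backup.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Values from the post: SSL 2.0 disabled, SSL 3.0 and TLS 1.0 enabled.
$desired = @{ 'SSL 2.0' = 0; 'SSL 3.0' = 1; 'TLS 1.0' = 1 }   # hypothetical name

function Set-SchannelProtocol {   # hypothetical helper name
    param([string]$Protocol, [int]$Enabled)
    foreach ($side in 'Client', 'Server') {
        $key = "$schannel\Protocols\$Protocol\$side"
        # Only create the key when it is missing, so existing values stay.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled is a 32-bit DWORD on x86 and x64 Windows alike.
        New-ItemProperty -Path $key -Name 'Enabled' -Value $Enabled `
            -PropertyType DWord -Force | Out-Null
    }
}

foreach ($p in $desired.Keys) {
    Set-SchannelProtocol -Protocol $p -Enabled $desired[$p]
}

# The registry provider treats "/" as a path separator, so the cipher key
# from the post is created through .NET, where "/" is literal in a key name.
# No values are written under it because the post does not give any.
$cipher = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168'
[Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($cipher).Close()

# Read every value back, including its registry type (expected: DWord).
$report = foreach ($p in ($desired.Keys | Sort-Object)) {
    foreach ($side in 'Client', 'Server') {
        $item = Get-Item -Path "$schannel\Protocols\$p\$side"
        New-Object PSObject -Property @{
            Protocol = $p
            Side     = $side
            Enabled  = $item.GetValue('Enabled')
            Kind     = $item.GetValueKind('Enabled')
        }
    }
}
$report | Format-Table Protocol, Side, Enabled, Kind -AutoSize

# Per the post, the server has to be restarted for the settings to apply.
```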
Nov 23, 2009 03:07 PM
Thanks Pawel, I can report I have tried this on our server and your solution works. Thank you.
Nov 25, 2009 11:46 PM
That's superb! Thanks for letting me know.
Jan 13, 2010 02:20 PM
Is there an alternative to restarting the server? Can IIS just be recycled? Or some other service(s)?