It states that it is the same for IIS 7 on 2K8, but when I looked in the registry I only saw the Key for SSL 2.0 and no other versions, then expanding that key there is a client subkey but no server subkey. So I created the server subkey and added the Enabled
DWORD with a value of 000000 (aka 0) like the kb article states, rebooted, and SSL V2 is still working. Anyone have ideas?
You have to create it like the article says and reboot. Here is what mine look like locally on my IIS 7 box.
Disclaimer :) The normal legal stuff, 1) Backup the registry, 2) test on a non-production box. I hold no responsibility for deploying this in your environment. :
We are also having trouble getting this to work with Server 2008 R2, although the registry keys exist in the same pattern it continues to make SSL2 available.
I assume your refrences to DWORD in your advice is for 32bit machines. Would I be correct that people with 64bit machines should be setting QWORD to zero?
Hi Pawel, thanks for the excellent instructions. Is "Triple DES 168/168" considered strong? Can I just use the RC2 and RC4 ciphers or will I have issues?
The Triple DES in not new on the market and is weaker than the AES and three time slower. Many security systems use both Triple DES and AES to make it more secure. AES is the default algorithm on most systems now. Triple
DES will be kept around for compatibility reasons. In terms of RC2 and RC4 ciphers, The
RC4 cipher is highly vulnerable only to a Bit-flipping attack if not implemented correctly. "The attack is especially dangerous when the attacker knows the format of the
message. In such a situation, the attacker can turn it into a similar message but one in which some important information is altered. For example, a change in the destination address might alter the message route in a way that will force re-encryption with
a weaker cipher, thus possibly making it easier for an attacker to decipher the message" - wikipedia
I just added a new key of 'Server' with a DWORD 32 bit value of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.
It will sit right under:
the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client\DisabledByDefault=1 which is already present.
Here is an example scan before and after the one change:
In my case, I found that the other keys had no function. I tested the SSL enumeration prior to adding the key's in the above solution, and afterwards, and the enumeration was identical. I susbequently removed all the extra keys, then added the disabled by
default' key, and that left all the other protocols as before, except sslv2.0 was now missing. (As desired)
So in the case of:
Windows Server 2008 64 bit R2, i would say the only item needed to disable sslv2.0 is:
Description: SSL server uses only SSLv2 protocol Severity: Critical Problem Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session. Background:
Secure Sockets Layer (SSL) is an encryption protocol used to ensure confidentiality as information travels across the Internet. It is commonly used between web browsers and web servers to protect sensitive data such as passwords and credit card numbers. At
the beginning of an SSL session, the client and server negotiate the encryption algorithm, known as a cipher. The chosen cipher is generally the strongest one which is supported by both the client and the server. Resolution For Apache mod_ssl web servers,
use the [http://httpd.apache.org/docs/2.0/mod/mo d_ssl.html#sslciphersuite]
SSLCipherSuite directive in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in
Microsoft knowledge base articles [http://support.microsoft.com/kb/187498 ] 187498 and [http://support.microsoft.com/kb/245030 ] 245030. For other types of web servers, consult the web server documentation. Vulnerability Details: Service: https Client response
to SSLv3 request: \x16\x03\x00\x09?\x02\x00\x00F\x03\x00N\x f4\xba\x163\xc3\xa8\xdbP\x08\xdfo\xe1\x95\ 2
</div> </div> </div> </div>
Chris Danks
Cyber Host Pro LTD
http://www.cyberhostpro.com
I just added a new key of 'Server' with a DWORD 32 bit value of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.
It will sit right under:
the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client\DisabledByDefault=1 which is already present.
Here is an example scan before and after the one change:
Testing SSLv3 Ciphers...
DES-CBC3-SHA -- 168 bits, High Encryption
RC4-SHA -- 128 bits, Medium Encryption
RC4-MD5 -- 128 bits, Medium Encryption
Testing TLSv1 Ciphers...
AES256-SHA -- 256 bits, High Encryption
DES-CBC3-SHA -- 168 bits, High Encryption
AES128-SHA -- 128 bits, High Encryption
RC4-SHA -- 128 bits, Medium Encryption
RC4-MD5 -- 128 bits, Medium Encryption
commandme :
Hi bdmeyer,
I'm a bit new to SSL security and I was wondering what application or utility you used for running the scan testing the encryption levels (using command line "commandme : ./cnark.pl -h some.fqdn.what.ever -p 443").
Clearly this is not the case as all these other people have probably like me spent hours of time fiddling with reg keys trying to disable it due to a failure against a compliancy test.
Why MS cannot simply tell us clearly what needs to be done is beyond me but it certainly is not disabled by default otherwise all these brand new deployments would have had to have it enabled first. How do you enable it? That might also be useful information.
By default you would find only SSL 2.0 under protocols:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
If you want to disable it for the server node one then you can either use the above KB (not sure if it would run on Windows Server 2008 R2) or create one or modify the above node.
So it would look like this. This would disable the SSL v2.0 for the all the server components.
Hello .. can anyone help with regards to Disabling SSL 2.0
I am also using Reg file and editing the Registry through Reg File and disabling SSL. But it is only editing the Registry values. When i check if from Tools---Internet Options --- Advance Setting.. I can still see that SSL 2.0 is not disabled.
I am trying this on Windows 7... where am i going wrong. Below is my code. plz help.
2 Posts
Disable SSL v2 in IIS7?
Sep 18, 2008 01:20 AM|firestormo|LINK
I saw and read http://support.microsoft.com/kb/187498
It states that it is the same for IIS 7 on 2K8, but when I looked in the registry I only saw the Key for SSL 2.0 and no other versions, then expanding that key there is a client subkey but no server subkey. So I created the server subkey and added the Enabled DWORD with a value of 000000 (aka 0) like the kb article states, rebooted, and SSL V2 is still working. Anyone have ideas?
Thanks in advance
5619 Posts
Re: Disable SSL v2 in IIS7?
Sep 18, 2008 02:16 PM|steve schofield|LINK
You have to create it like the article says and reboot. Here is what mine look like locally on my IIS 7 box.
Disclaimer :) The normal legal stuff, 1) Backup the registry, 2) test on a non-production box. I hold no responsibility for deploying this in your environment. :
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
Steve Schofield
Windows Server MVP - IIS
http://iislogs.com/steveschofield
http://www.IISLogs.com
Log archival solution
Install, Configure, Forget
1 Post
Re: Disable SSL v2 in IIS7?
Aug 02, 2009 12:57 AM|blackopal|LINK
Sorry, but, that does not appear to work for windows 2008. (it works for Windows 2003)
1 Post
Re: Disable SSL v2 in IIS7?
Sep 29, 2009 08:48 AM|TWarring|LINK
We are also having trouble getting this to work with Server 2008 R2, although the registry keys exist in the same pattern it continues to make SSL2 available.
This is a significant PCI issue of course...
5619 Posts
Re: Disable SSL v2 in IIS7?
Sep 30, 2009 09:44 PM|steve schofield|LINK
http://support.microsoft.com/?id=187498
Did you try this?
Steve Schofield
Windows Server MVP - IIS
http://iislogs.com/steveschofield
http://www.IISLogs.com
Log archival solution
Install, Configure, Forget
2 Posts
Re: Disable SSL v2 in IIS7?
Oct 26, 2009 05:12 PM|CQout|LINK
I assume your refrences to DWORD in your advice is for 32bit machines. Would I be correct that people with 64bit machines should be setting QWORD to zero?
7 Posts
Re: Disable SSL v2 in IIS7?
Nov 19, 2009 02:26 PM|Pawel Dolny|LINK
I had the same or let say very similar problem under Windows 2008 x64 and Windows 2008 R2
I was trying to disable SSL 2.0 and in the same time enable SSL 3.0 and TLS 1.0.
I did try to just disable SSL 2.0 but with no luck what so ever.
Below instructions how I've done it:
(MAKE SURE THAT YOU BACKUP YOUR REGISTRY BEFORE APPLYING THOSE CHANGES)
• Using regedit to add the following keys ( right click on protocols -> new -> key -> "SSL 2.0" then "SSL 3.0" then "TLS 1.0" )
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
• Under each of the keys above you need to create additional keys "Client" and "Server"
For SSL 2.0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
For SSL 3.0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
For TLS 1.0:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
• Then you will have to create DWORD (32bit) value called "Enabled" under each "Client" and "Server" key for "SSL 2.0, SSL 3.0 and TLS 1.0"
DWORD (32bit) Value
Value name = Enabled
Value date = 0
Value date can be set to "1" - Enabled or "0" – Disabled
In my scenario the values were "enabled" (set to 1) for SSL 3.0 and TLS 1.0 and "disabled" (set to 0) for SSL 2.0
• Next step is to add correct Ciphers, to do so you will have to navigate to the following key in the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
• (right click on "Cliphers" New -> Key)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
• That's all! Now you need to restart your server to apply those changes.
• If you are using TMG 2010 or ISA 2006 to publish the website externally you will need to apply exactly the same settings to registry to it.
Please accept my apologies for my English, but I hope I've managed to help you guys.
2 Posts
Re: Disable SSL v2 in IIS7?
Nov 23, 2009 11:07 AM|CQout|LINK
Thanks Pawel, I can report I have tried this on our server and your solution works. Thank you.
7 Posts
Re: Disable SSL v2 in IIS7?
Nov 25, 2009 07:46 PM|Pawel Dolny|LINK
That's superb! Thanks for leting me know.
Kind Regards
Pawel Dolny
1 Post
Re: Disable SSL v2 in IIS7?
Jan 13, 2010 10:20 AM|chrismarts|LINK
Is there an alternative to restarting the server? Can IIS just be reycled? Or some other service(s)?
7 Posts
Re: Disable SSL v2 in IIS7?
Jan 13, 2010 10:31 AM|Pawel Dolny|LINK
You can try "iisreset" from the command line but I'm not sure if that's all you have to do.
Regards
Pawel Dolny
1 Post
Re: Disable SSL v2 in IIS7?
Mar 02, 2010 03:38 PM|Soylent|LINK
Hi Pawel, thanks for the excellent instructions. Is "Triple DES 168/168" considered strong? Can I just use the RC2 and RC4 ciphers or will I have issues?
Thanks!
7 Posts
Re: Disable SSL v2 in IIS7?
Mar 04, 2010 10:24 AM|Pawel Dolny|LINK
With the above you will be ok for PCI compliance
I hope that helps, Thanks Pawel7 Posts
Re: Disable SSL v2 in IIS7?
Mar 04, 2010 10:26 AM|Pawel Dolny|LINK
I've never tried to use RC2 or RC4 only
Pawel
5 Posts
Re: Disable SSL v2 in IIS7?
May 19, 2010 08:37 AM|theboywonder|LINK
Thanks Pawel. Your complete solution in batch form, I believe (hope this makes someone's job easier):
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC2 128/128"
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128"
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168"
7 Posts
Re: Disable SSL v2 in IIS7?
May 19, 2010 08:53 AM|Pawel Dolny|LINK
Many Thanks Theboywonder!
That will speed up the process. :-)
6 Posts
Re: Disable SSL v2 in IIS7?
Jun 18, 2010 04:49 AM|asmidir|LINK
Hi,
Can't you just disable the sslv2.0 using:
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
Only? (as per: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04 )?
Thanks
1 Post
Re: Disable SSL v2 in IIS7?
Jul 20, 2010 10:53 AM|ianbrogden|LINK
Unfortunately, no.
See this article:
http://blogs.msdn.com/b/amol/archive/2010/04/27/how-to-disable-ssl-2-0-in-internet-information-services-7.aspx
SSL
5 Posts
Re: Disable SSL v2 in IIS7?
Feb 01, 2011 09:58 AM|bdmeyer|LINK
I found on my Windows 2008 R2 64 bit server with IIS 7, under:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\
I just added a new key of 'Server' with a DWORD 32 bit value of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.
It will sit right under:
the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client\DisabledByDefault=1 which is already present.
Here is an example scan before and after the one change:
(before:)
commandme : ./cnark.pl -h some.fqdn.what.ever -p 443
SSL Certificate Information...
Certificate Commmon Name: some.fqdn.what.ever
Testing SSLv2 Ciphers...
DES-CBC3-MD5 -- 168 bits, High Encryption
RC4-MD5 -- 128 bits, Medium Encryption
Testing SSLv3 Ciphers...
DES-CBC3-SHA -- 168 bits, High Encryption
RC4-SHA -- 128 bits, Medium Encryption
RC4-MD5 -- 128 bits, Medium Encryption
Testing TLSv1 Ciphers...
AES256-SHA -- 256 bits, High Encryption
DES-CBC3-SHA -- 168 bits, High Encryption
AES128-SHA -- 128 bits, High Encryption
RC4-SHA -- 128 bits, Medium Encryption
RC4-MD5 -- 128 bits, Medium Encryption
(after:)
commandme : ./cnark.pl -h some.fqdn.what.ever -p 443
SSL Certificate Information...
Certificate Commmon Name: some.fqdn.what.ever
Testing SSLv2 Ciphers...
Testing SSLv3 Ciphers...
DES-CBC3-SHA -- 168 bits, High Encryption
RC4-SHA -- 128 bits, Medium Encryption
RC4-MD5 -- 128 bits, Medium Encryption
Testing TLSv1 Ciphers...
AES256-SHA -- 256 bits, High Encryption
DES-CBC3-SHA -- 168 bits, High Encryption
AES128-SHA -- 128 bits, High Encryption
RC4-SHA -- 128 bits, Medium Encryption
RC4-MD5 -- 128 bits, Medium Encryption
commandme :
disable sslv2 IIS7 ssl
5 Posts
Re: Disable SSL v2 in IIS7?
Feb 03, 2011 04:38 AM|theboywonder|LINK
Do you mean this?
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
If so perhaps that can be added to the above for a more *complete* solution?
5 Posts
Re: Disable SSL v2 in IIS7?
Feb 04, 2011 08:51 AM|bdmeyer|LINK
In my case, I found that the other keys had no function. I tested the SSL enumeration prior to adding the key's in the above solution, and afterwards, and the enumeration was identical. I susbequently removed all the extra keys, then added the disabled by default' key, and that left all the other protocols as before, except sslv2.0 was now missing. (As desired)
So in the case of:
Windows Server 2008 64 bit R2, i would say the only item needed to disable sslv2.0 is:
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
Perhap's the other keys are needed for other versions of WIndows Server 200x. But no in 2008 64 bit R2.
24 Posts
Re: Disable SSL v2 in IIS7?
Dec 23, 2011 04:22 PM|CyberHostPro-LTD|LINK
Hi
we are trying to make a server PCI complaint however it is failing with the below error stating to disable v2 SSL we tried
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
and rebooted the server, but this did not help. Its windows 2008 R2 DC Edition Hyper-V Virtual Server.
<div class="section" style="background-color: rgb(100.000000%, 100.000000%, 100.000000%)"> <div class="section"> </div> <div class="section"> <div class="layoutArea"> <div class="column">
Description: SSL server uses only SSLv2 protocol Severity: Critical Problem Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session. Background: Secure Sockets Layer (SSL) is an encryption protocol used to ensure confidentiality as information travels across the Internet. It is commonly used between web browsers and web servers to protect sensitive data such as passwords and credit card numbers. At the beginning of an SSL session, the client and server negotiate the encryption algorithm, known as a cipher. The chosen cipher is generally the strongest one which is supported by both the client and the server. Resolution For Apache mod_ssl web servers, use the [http://httpd.apache.org/docs/2.0/mod/mo d_ssl.html#sslciphersuite] SSLCipherSuite directive in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in Microsoft knowledge base articles [http://support.microsoft.com/kb/187498 ] 187498 and [http://support.microsoft.com/kb/245030 ] 245030. For other types of web servers, consult the web server documentation. Vulnerability Details: Service: https Client response to SSLv3 request: \x16\x03\x00\x09?\x02\x00\x00F\x03\x00N\x f4\xba\x163\xc3\xa8\xdbP\x08\xdfo\xe1\x95\ 2
</div> </div> </div> </div>Cyber Host Pro LTD
http://www.cyberhostpro.com
84 Posts
Re: Disable SSL v2 in IIS7?
Jan 05, 2012 05:41 PM|kaushilz|LINK
SSLv2 is disabled by default on Windows Server 2008 R2.
You don't need to add any registry keys as such.
Unless someone has already enabled it, you can add the keyword enabled and set that to 0.
Regards,
Kaushal
Kaushal
http://blogs.msdn.com/kaushal
1 Post
Re: Disable SSL v2 in IIS7?
May 22, 2012 11:57 AM|Marco_C|LINK
Hi bdmeyer,
I'm a bit new to SSL security and I was wondering what application or utility you used for running the scan testing the encryption levels (using command line "commandme : ./cnark.pl -h some.fqdn.what.ever -p 443").
Many Thanks,
Marco
1 Post
Re: Disable SSL v2 in IIS7?
Oct 31, 2012 08:00 AM|opensvr|LINK
Clearly this is not the case as all these other people have probably like me spent hours of time fiddling with reg keys trying to disable it due to a failure against a compliancy test.
Why MS cannot simply tell us clearly what needs to be done is beyond me but it certainly is not disabled by default otherwise all these brand new deployments would have had to have it enabled first. How do you enable it? That might also be useful information.
84 Posts
Re: Disable SSL v2 in IIS7?
Nov 15, 2012 01:35 AM|kaushilz|LINK
This information is readily available. All you need to do is search.
This KB article suggests on how to do so.
http://support.microsoft.com/kb/187498
NOTE: 3rd party products don't use the MS implementation of Crypto API's and SSL libraries and have their own custom implementation.
The above KB provides a tool which disables the speciifc protocol version. All it does is add a registry key under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
By default you would find only SSL 2.0 under protocols:
If you want to disable it for the server node one then you can either use the above KB (not sure if it would run on Windows Server 2008 R2) or create one or modify the above node.
So it would look like this. This would disable the SSL v2.0 for the all the server components.
Kaushal
http://blogs.msdn.com/kaushal
7 Posts
Re: Disable SSL v2 in IIS7?
Nov 15, 2012 04:36 AM|Pawel Dolny|LINK
Try to use this, very useful!
https://www.nartac.com/Products/IISCrypto/Default.aspx
1 Post
Re: Disable SSL v2 in IIS7?
Dec 05, 2013 01:02 AM|pccenter_matunga|LINK
Hello .. can anyone help with regards to Disabling SSL 2.0
I am also using Reg file and editing the Registry through Reg File and disabling SSL. But it is only editing the Registry values. When i check if from Tools---Internet Options --- Advance Setting.. I can still see that SSL 2.0 is not disabled.
I am trying this on Windows 7... where am i going wrong. Below is my code. plz help.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000