Disable SSL v2 in IIS7? [Answered]RSS

27 replies

Last post Dec 05, 2013 01:02 AM by pccenter_matunga

  • Disable SSL v2 in IIS7?

    Sep 18, 2008 01:20 AM|firestormo|LINK

    I saw and read http://support.microsoft.com/kb/187498

     It states that it is the same for IIS 7 on 2K8, but when I looked in the registry I only saw the Key for SSL 2.0 and no other versions, then expanding that key there is a client subkey but no server subkey. So I created the server subkey and added the Enabled DWORD with a value of 000000 (aka 0) like the kb article states, rebooted, and SSL V2 is still working. Anyone have ideas?

     Thanks in advance

  • Re: Disable SSL v2 in IIS7?

    Sep 18, 2008 02:16 PM|steve schofield|LINK

    You have to create it like the article says and reboot.    Here is what mine look like locally on my IIS 7 box. 

    Disclaimer :) The normal legal stuff, 1) Backup the registry, 2) test on a non-production box.  I hold no responsibility for deploying this in your environment. :

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000

     

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Disable SSL v2 in IIS7?

    Aug 02, 2009 12:57 AM|blackopal|LINK

    Sorry, but, that does not appear to work for windows 2008. (it works for Windows 2003)

     

  • Re: Disable SSL v2 in IIS7?

    Sep 29, 2009 08:48 AM|TWarring|LINK

    We are also having trouble getting this to work with Server 2008 R2, although the registry keys exist in the same pattern it continues to make SSL2 available.

     This is a significant PCI issue of course...

  • Re: Disable SSL v2 in IIS7?

    Sep 30, 2009 09:44 PM|steve schofield|LINK

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Disable SSL v2 in IIS7?

    Oct 26, 2009 05:12 PM|CQout|LINK

    I assume your refrences to DWORD in your advice is for 32bit machines. Would I be correct that people with 64bit machines should be setting QWORD to zero?

  • Re: Disable SSL v2 in IIS7?

    Nov 19, 2009 02:26 PM|Pawel Dolny|LINK

    I had the same or let say very similar problem under Windows 2008 x64 and Windows 2008 R2
     
    I was trying to disable SSL 2.0 and in the same time enable SSL 3.0 and TLS 1.0.
     
    I did try to just disable SSL 2.0 but with no luck what so ever.
     
    Below instructions how I've done it:
     
    (MAKE SURE THAT YOU BACKUP YOUR REGISTRY BEFORE APPLYING THOSE CHANGES)
     
    • Using regedit to add the following keys ( right click on protocols -> new -> key -> "SSL 2.0"  then  "SSL 3.0" then "TLS 1.0" )
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
     
    • Under each of the keys above you need to create additional keys "Client" and "Server"
     
    For SSL 2.0: 
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
     
    For SSL 3.0: 
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
     
    For TLS 1.0: 
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
     
    • Then you will have to create DWORD (32bit) value called "Enabled" under each "Client" and "Server" key for "SSL 2.0, SSL 3.0 and TLS 1.0"
     
    DWORD (32bit) Value
     
    Value name = Enabled
     
    Value date = 0
     
    Value date can be set to "1" - Enabled or "0" – Disabled
     
    In my scenario the values were "enabled" (set to 1) for SSL 3.0 and TLS 1.0 and "disabled" (set to 0) for SSL 2.0
     
    • Next step is to add correct Ciphers, to do so you will have to navigate to the following key in the registry
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
     
    • (right click on "Cliphers" New -> Key)
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
     
    • That's all! Now you need to restart your server to apply those changes.
     
    • If you are using TMG 2010 or ISA 2006 to publish the website externally you will need to apply exactly the same settings to registry to it.
     

    Please accept my apologies for my English, but I hope I've managed to help you guys.

  • Re: Disable SSL v2 in IIS7?

    Nov 23, 2009 11:07 AM|CQout|LINK

    Thanks Pawel, I can report I have tried this on our server and your solution works. Thank you.

  • Re: Disable SSL v2 in IIS7?

    Nov 25, 2009 07:46 PM|Pawel Dolny|LINK

    That's superb! Thanks for leting me know.

    Kind Regards

    Pawel Dolny

  • Re: Disable SSL v2 in IIS7?

    Jan 13, 2010 10:20 AM|chrismarts|LINK

    Is there an alternative to restarting the server? Can IIS just be reycled? Or some other service(s)?

  • Re: Disable SSL v2 in IIS7?

    Jan 13, 2010 10:31 AM|Pawel Dolny|LINK

    You can try "iisreset" from the command line but I'm not sure if that's all you have to do.

    Regards

    Pawel Dolny

  • Re: Disable SSL v2 in IIS7?

    Mar 02, 2010 03:38 PM|Soylent|LINK

    Hi Pawel, thanks for the excellent instructions. Is "Triple DES 168/168" considered strong? Can I just use the RC2 and RC4 ciphers or will I have issues?

     

    Thanks!

  • Re: Disable SSL v2 in IIS7?

    Mar 04, 2010 10:24 AM|Pawel Dolny|LINK

    The Triple DES in not new on the market and is weaker than the AES and three time slower. Many security systems use both Triple DES and AES to make it more secure. AES is the default algorithm on most systems now. Triple DES will be kept around for compatibility reasons. In terms of RC2 and RC4 ciphers, The RC4 cipher is highly vulnerable only to a Bit-flipping attack if not implemented correctly. "The attack is especially dangerous when the attacker knows the format of the message. In such a situation, the attacker can turn it into a similar message but one in which some important information is altered. For example, a change in the destination address might alter the message route in a way that will force re-encryption with a weaker cipher, thus possibly making it easier for an attacker to decipher the message" - wikipedia 

    With the above you will be ok for PCI compliance

     

    I hope that helps, Thanks Pawel

     

  • Re: Disable SSL v2 in IIS7?

    Mar 04, 2010 10:26 AM|Pawel Dolny|LINK

    I've never tried to use RC2 or RC4 only

    Pawel

  • Re: Disable SSL v2 in IIS7?

    May 19, 2010 08:37 AM|theboywonder|LINK

    Thanks Pawel. Your complete solution in batch form, I believe (hope this makes someone's job easier):

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC2 128/128"
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128"
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168"


  • Re: Disable SSL v2 in IIS7?

    May 19, 2010 08:53 AM|Pawel Dolny|LINK

    Many Thanks Theboywonder!

    That will speed up the process. :-)

     

  • Re: Disable SSL v2 in IIS7?

    Jun 18, 2010 04:49 AM|asmidir|LINK

    Hi,

    Can't you just disable the sslv2.0 using:

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f

    Only? (as per: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04 )?

    Thanks

  • Re: Disable SSL v2 in IIS7?

    Jul 20, 2010 10:53 AM|ianbrogden|LINK

    SSL

  • Re: Disable SSL v2 in IIS7?

    Feb 01, 2011 09:58 AM|bdmeyer|LINK

     I found on my Windows 2008 R2 64 bit server with IIS 7, under:

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\

     

    I just added a new key of 'Server' with a DWORD 32 bit value  of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.

    It will sit right under:
    the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client\DisabledByDefault=1 which is already present.

     Here is an example scan before and after the one change:

    (before:)

    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...
        DES-CBC3-MD5 -- 168 bits, High Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

     

    (after:)
    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption
    commandme :


    disable sslv2 IIS7 ssl

  • Re: Disable SSL v2 in IIS7?

    Feb 03, 2011 04:38 AM|theboywonder|LINK

    bdmeyer

     I found on my Windows 2008 R2 64 bit server with IIS 7, under:

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\

    I just added a new key of 'Server' with a DWORD 32 bit value  of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.

     

    Do you mean this?

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

     If so perhaps that can be added to the above for a more *complete* solution?

  • Re: Disable SSL v2 in IIS7?

    Feb 04, 2011 08:51 AM|bdmeyer|LINK

    In my case, I found that the other keys had no function. I tested the SSL enumeration prior to adding the key's in the above solution, and afterwards, and the enumeration was identical. I susbequently removed all the extra keys, then added the disabled by default' key, and that left all the other protocols as before, except sslv2.0 was now missing. (As desired)

     

    So in the case of:

    Windows Server 2008 64 bit R2, i would say the only item needed to disable sslv2.0 is:

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

     

    Perhap's the other keys are needed for other versions of WIndows Server 200x. But no in 2008 64 bit R2.

     

  • Re: Disable SSL v2 in IIS7?

    Dec 23, 2011 04:22 PM|CyberHostPro-LTD|LINK

     Hi

    we are trying to make a server PCI complaint however it is failing with the below error stating to disable v2 SSL we tried

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

    and rebooted the server, but this did not help.  Its windows 2008 R2 DC Edition Hyper-V Virtual Server.

     

    <div class="section" style="background-color: rgb(100.000000%, 100.000000%, 100.000000%)"> <div class="section"> </div> <div class="section"> <div class="layoutArea"> <div class="column">

    Description: SSL server uses only SSLv2 protocol Severity: Critical Problem Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session. Background: Secure Sockets Layer (SSL) is an encryption protocol used to ensure confidentiality as information travels across the Internet. It is commonly used between web browsers and web servers to protect sensitive data such as passwords and credit card numbers. At the beginning of an SSL session, the client and server negotiate the encryption algorithm, known as a cipher. The chosen cipher is generally the strongest one which is supported by both the client and the server. Resolution For Apache mod_ssl web servers, use the [http://httpd.apache.org/docs/2.0/mod/mo d_ssl.html#sslciphersuite] SSLCipherSuite directive in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in Microsoft knowledge base articles [http://support.microsoft.com/kb/187498 ] 187498 and [http://support.microsoft.com/kb/245030 ] 245030. For other types of web servers, consult the web server documentation. Vulnerability Details: Service: https Client response to SSLv3 request: \x16\x03\x00\x09?\x02\x00\x00F\x03\x00N\x f4\xba\x163\xc3\xa8\xdbP\x08\xdfo\xe1\x95\ 2

    </div> </div> </div> </div>

     

    Chris Danks
    Cyber Host Pro LTD
    http://www.cyberhostpro.com
  • Re: Disable SSL v2 in IIS7?

    Jan 05, 2012 05:41 PM|kaushilz|LINK

    SSLv2 is disabled by default on Windows Server 2008 R2.

    You don't need to add any registry keys as such.

    Unless someone has already enabled it, you can add the keyword enabled and set that to 0.

    Regards,

    Kaushal

    Regards,

    Kaushal
    http://blogs.msdn.com/kaushal
  • Re: Disable SSL v2 in IIS7?

    May 22, 2012 11:57 AM|Marco_C|LINK

    bdmeyer

     I found on my Windows 2008 R2 64 bit server with IIS 7, under:

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\

    I just added a new key of 'Server' with a DWORD 32 bit value  of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.

    It will sit right under:
    the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client\DisabledByDefault=1 which is already present.

     Here is an example scan before and after the one change:

    (before:)

    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...
        DES-CBC3-MD5 -- 168 bits, High Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    (after:)
    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption
    commandme :


     

    Hi bdmeyer,

    I'm a bit new to SSL security and I was wondering what application or utility you used for running the scan testing the encryption levels (using command line "commandme : ./cnark.pl -h some.fqdn.what.ever -p 443").

    Many Thanks,

    Marco
     

  • Re: Disable SSL v2 in IIS7?

    Oct 31, 2012 08:00 AM|opensvr|LINK

    Clearly this is not the case as all these other people have probably like me spent hours of time fiddling with reg keys trying to disable it due to a failure against a compliancy test.

    Why MS cannot simply tell us clearly what needs to be done is beyond me but it certainly is not disabled by default otherwise all these brand new deployments would have had to have it enabled first. How do you enable it? That might also be useful information.

     

     

  • Re: Disable SSL v2 in IIS7?

    Nov 15, 2012 01:35 AM|kaushilz|LINK

    This information is readily available. All you need to do is search.

    This KB article suggests on how to do so.

    http://support.microsoft.com/kb/187498

    NOTE: 3rd party products don't use the MS implementation of Crypto API's and SSL libraries and have their own custom implementation.

    The above KB provides a tool which disables the speciifc protocol version. All it does is add a registry key under

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    By default you would find only SSL 2.0 under protocols:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001

    If you want to disable it for the server node one then you can either use the above KB (not sure if it would run on Windows Server 2008 R2) or create one or modify the above node.

    So it would look like this. This would disable the SSL v2.0 for the all the server components.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "DisabledByDefault"=dword:00000001
    Regards,

    Kaushal
    http://blogs.msdn.com/kaushal
  • Re: Disable SSL v2 in IIS7?

    Nov 15, 2012 04:36 AM|Pawel Dolny|LINK

  • Re: Disable SSL v2 in IIS7?

    Dec 05, 2013 01:02 AM|pccenter_matunga|LINK

    Hello .. can anyone help with regards to Disabling SSL 2.0

     

    I am also using Reg file and editing the Registry through Reg File and disabling SSL.  But it is only editing the Registry values.  When i check if from Tools---Internet Options --- Advance Setting.. I can still see that SSL 2.0 is not disabled.

     

    I am trying this on Windows 7... where am i going wrong. Below is my code. plz help.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000