How to Disable SSL 2.0 in IIS 7

Windows Server 2008 with IIS 7 accepts SSL 2.0 connections by default, and that alone is enough to fail a PCI compliance scan. To secure the server and pass your PCI-DSS scans you need to disable SSL 2.0 and the weak ciphers. These settings live in the Schannel section of the registry, so they apply to every service on the machine that uses Schannel, not only to IIS. To disable SSL 2.0 in IIS 7 so that only SSL 3.0 or TLS 1.0 is negotiated (both have themselves since been deprecated; the same key layout, Protocols\SSL 3.0\Server and Protocols\TLS 1.0\Server, disables them), follow these instructions:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key/folder:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
  4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
  5. Enter Enabled as the name and hit Enter.
  6. Ensure that the Data column shows 0x00000000 (0), which is the default for a new DWORD. If it does not, right-click the value, select Modify and enter 0 as the Value data.
  7. Restart the computer. Schannel reads these keys when the system starts, so the change has no effect until the reboot.
  8. Verify that no SSL 2.0 ciphers are offered any more, for example with the scanners at ServerSniff.net or the Public SSL Server Database.

[Screenshot: Disable SSL 2.0 in IIS inside the registry editor]

Note: The process is essentially the same on an IIS 6 (Windows Server 2003) machine. There, the Server key under SSL 2.0 normally already exists, so you only need to create the new DWORD value named Enabled under it and set it to 0.

For more information, read Microsoft's Knowledge Base article KB187498 on how to disable PCT 1.0, SSL 2.0, SSL 3.0 or TLS 1.0 in Internet Information Services.


Disable Weak Ciphers In IIS 7.0

In addition to disabling SSL 2.0, you can disable the weak ciphers (and the obsolete PCT 1.0 protocol) by editing the registry in the same way. To speed up the process, paste the following into a text file named disableWeakCiphers.reg and double-click it to import it. The file must begin with the header line Windows Registry Editor Version 5.00, or regedit will refuse to import it, and the cipher key names must match exactly, including the spaces and slashes. A reboot is required afterwards, just as for the SSL 2.0 change.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
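The same changes applied from PowerShell, as an added example that is not part of the original article: it creates the keys from the SSL 2.0 steps above and from the .reg file, sets Enabled to 0 under each, and reads every value back so the result can be checked before the reboot. It assumes Windows PowerShell 2.0 or later running in an elevated prompt on the Windows Server 2008 / IIS 7 machine described above; the function names Set-SchannelEnabled and Get-SchannelEnabled and the $disable list are this example's own. The cipher keys whose names contain a slash (RC4 40/128 and the like) are created through the .NET Registry API rather than New-Item, because the PowerShell registry provider reads the slash as a path separator and would create a key "RC4 40" with a child key "128" instead.

```powershell
# Added example, not from the original article. Run in an elevated prompt and
# reboot afterwards: Schannel reads these keys when the system starts.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys relative to SCHANNEL whose "Enabled" DWORD should be 0. The names are
# copied from the article's .reg file and the SSL 2.0 steps above.
$disable = @(
    'Protocols\PCT 1.0\Server',
    'Protocols\SSL 2.0\Server',
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128'
)

function Set-SchannelEnabled {
    param([string]$RelativePath, [int]$Value)
    # Open HKLM\...\SCHANNEL for writing and walk the path one component at a
    # time with the .NET API, so "RC4 40/128" becomes a single key. CreateSubKey
    # opens an existing key or creates a missing one, in both cases writable.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannel, $true)
    if ($null -eq $key) { throw "SCHANNEL key not found under HKLM\$schannel" }
    foreach ($part in $RelativePath.Split('\')) {
        $child = $key.CreateSubKey($part)
        $key.Close()
        $key = $child
    }
    $key.SetValue('Enabled', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-SchannelEnabled {
    param([string]$RelativePath)
    # Returns $null when the key or the value does not exist, which Schannel
    # treats as "enabled" for the protocols and ciphers listed above.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$RelativePath")
    if ($null -eq $key) { return $null }
    $v = $key.GetValue('Enabled', $null)
    $key.Close()
    return $v
}

# Apply the settings.
foreach ($path in $disable) { Set-SchannelEnabled -RelativePath $path -Value 0 }

# Read everything back and report, so a typo in a key name is caught before
# the reboot rather than by the next PCI scan.
foreach ($path in $disable) {
    $state = Get-SchannelEnabled -RelativePath $path
    $label = if ($state -eq 0) { 'disabled' }
             elseif ($null -eq $state) { 'not set (enabled by default)' }
             else { "Enabled=$state (still enabled)" }
    '{0,-28} {1}' -f $path, $label
}
```

The read-back only confirms the registry contents; the running Schannel provider still has the old settings until the machine is restarted, so an external scan will not show the change before step 7 has been carried out.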


Posted on October 21, 2008
Wrap2tyt, Reply #7 on Tue December 10, 2013, 10:38:27
Disable Weak Ciphers
To be clear... I need to disable support for SSL Server CBC Ciphers for TLSv1 & SSLv3 AND support for SSL Server Supports Weak MAC Algorithms for SSLv3 & TLSv1 on both Windows 2003 and 2008 servers. I understand how to edit the registry keys however which of the descriptions above are specific to Windows 2003?

Thanks
Jean, Reply #6 on Fri September 27, 2013, 10:46:00
SSL 3.0
If I do this above and I don't see the SSL 3.0 in the registry as being enabled should I add that before I disable the 2.0 so my certificates won't be impacted?
Highman, Reply #5 on Mon January 07, 2013, 11:27:18
Add to reg file
I had to prepend the following snippet into your .reg file as the first line to get it to work:

Windows Registry Editor Version 5.00
Groovejets, Reply #4 on Tue December 04, 2012, 15:50:42
Thanks mate
Thanks for publishing this - just implemented now. You saved me a long search, I am guessing. We failed the Qualys scan.
Marco, Reply #3 on Wed September 26, 2012, 13:08:34
Thanks
Thanks for your article. Very helpful.
Spryor, Reply #2 on Wed June 20, 2012, 11:43:40
Disable Weak Ciphers
Thanks for sharing your article on disabling weak ciphers and SSL 2.0, very helpful.
Toby, Reply #1 on Mon November 28, 2011, 01:06:43
Thanks
Came across your site while trying to fix issues with our score from ssllabs.com.

Just wanted to say thank you for the info and the registry data to disable the weak ciphers for IIS 7.
