For some reason, Windows Server 2008 using IIS 7 allows SSL 2.0 by default. Unfortunately, this means you will fail a PCI Compliance audit by default. In order to disable SSL 2.0 in IIS 7 and make sure that the stronger SSL 3.0 or TLS 1.0 is used, follow these instructions:
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate the following registry key/folder:
- Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
- Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
- Enter Enabled as the name and hit Enter.
- Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn’t, right-click and select Modify and enter 0 as the Value data.
- Restart the computer.
- Verify that no SSL 2.0 ciphers are available by scanning the server at ServerSniff.net.
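The same registry change as a PowerShell script, added here as an example and not part of the original article. It assumes an elevated session on the IIS host; the key path is the standard SCHANNEL location that the steps above navigate to by hand, and the audit function treats a missing key as "not disabled" because Windows then falls back to its default.

```powershell
# Added example: apply and audit the SCHANNEL setting from the steps above.
# Assumption: run elevated on the IIS host. Only the Server subkey is touched,
# which is what matters for an inbound HTTPS listener; the Client subkey is separate.
$Ssl2Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'

function Disable-Ssl2Server {
    # Create the Server key if it does not exist (steps 3-4),
    # then create or overwrite the Enabled DWORD with 0 (steps 5-7).
    if (-not (Test-Path $Ssl2Server)) {
        New-Item -Path $Ssl2Server -Force | Out-Null
    }
    New-ItemProperty -Path $Ssl2Server -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-Ssl2ServerDisabled {
    # Returns $true only when the Server key exists and Enabled is exactly 0.
    # A missing key or value means SCHANNEL uses its built-in default, which on
    # Windows Server 2008 / IIS 7 leaves SSL 2.0 on, so that counts as a failure.
    if (-not (Test-Path $Ssl2Server)) { return $false }
    $enabled = (Get-ItemProperty -Path $Ssl2Server -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    return ($null -ne $enabled -and [int]$enabled -eq 0)
}

Disable-Ssl2Server
if (Test-Ssl2ServerDisabled) {
    Write-Output 'SSL 2.0 server-side is disabled in the registry; restart the machine so SCHANNEL picks it up (step 8).'
} else {
    Write-Output 'SSL 2.0 server-side is NOT disabled; inspect the registry value by hand.'
}
```

The registry check only confirms the configuration; the external scan in step 9 is still the test that the listener no longer offers SSL 2.0 after the reboot.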
Note: This process is essentially the same on an IIS 6 (Windows Server 2003) machine. Normally, the Server key under SSL 2.0 will already be created so you will just need to create a new DWORD value under it and name it Enabled.
For more information, read Microsoft’s Knowledge Base article on how to disable SSL 2.0 and other protocols in IIS 7.