How to disable SSL v2 in IIS 7

For some reason, Windows Server 2008 using IIS 7 allows SSL 2.0 by default. Unfortunately, this means you will fail a PCI Compliance audit by default. In order to disable SSL 2.0 in IIS 7 and make sure that the stronger SSL 3.0 or TLS 1.0 is used, follow these instructions:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key/folder:

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0

  3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
  4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
  5. Enter Enabled as the name and hit Enter.
  6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn’t, right-click and select Modify and enter 0 as the Value data.
  7. Restart the computer.
  8. Verify that no SSL 2.0 ciphers are available at ServerSniff.net

Note: This process is essentially the same on an IIS 6 (Windows Server 2003) machine. Normally, the Server key under SSL 2.0 will already be created so you will just need to create a new DWORD value under it and name it Enabled.

For more information, read Microsoft’s Knowledge base article on how to disable SSL 2.0 and other protocols in IIS 7.

Advertisements

One response to “How to disable SSL v2 in IIS 7

  1. Gr8 this works…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s