Disable SSL 2.0 on Windows 2008 R2
Hi. Can anyone give me a step by step on how to disable SSL 2.0 on IIS 7.5 please? I cannot find an article for it and those referring to IIS 7.0 do not seem to work.

Regards, Morris

Best Regards, Morris Fury AFRIDATA.net
July 6th, 2010 5:02pm

Set the following registry value, and restart the server:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Value: DisabledByDefault
Type: REG_DWORD
Data: 0x1

Client-side SSL 2.0 is already disabled by default on Windows 7 and Windows Server 2008 R2.

Hope this helps,
Jonathan Stephens

This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 6th, 2010 9:47pm

Hi Jonathan. Thanks for the reply. Interestingly enough this is a clean install of Windows Server 2008 R2 Standard and SSL 2.0 is enabled on it. Could it be that it was enabled when I installed IIS?

I found another article that stated I should create a registry entry at HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server and name it "Enabled" and set it to "0". The "Server" key did not exist either. This did disable SSL 2.0 after the server was restarted.

What is the difference between this setting and the one you suggest?

Regards, Morris

Best Regards, Morris Fury AFRIDATA.net
July 7th, 2010 8:44am

Morris - Client-side SSL 2.0 is disabled by default on Windows 7 and Windows Server 2008 R2, which means that, when initiating an SSL connection from either of those two OSes, SSL 2.0 will not be sent as a supported protocol that the server can use. You can see this in the following registry value:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Value: DisabledByDefault

Server-side SSL 2.0 is not, however, disabled by default. This means that some other client, when initiating an SSL connection to Windows Server 2008 R2, can include SSL 2.0 in the list of supported protocols. If SSL 2.0 is the only protocol in common between the client and the server, the server will select it.

Functionally, there is not much difference between setting Enabled to 0 and setting DisabledByDefault to 1.

Hope this helps,
Jonathan Stephens
July 7th, 2010 1:49pm
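
The registry values discussed in the posts above can be checked and set from PowerShell. This is an added example, not code posted by anyone in the thread; the function name Get-Ssl2SchannelState and its -Apply switch are hypothetical, and it sets both Enabled and DisabledByDefault on the Server key because the thread mentions both.

```powershell
# Added example, not code from the thread. The function name and the -Apply
# switch are hypothetical. Run from an elevated PowerShell prompt.
function Get-Ssl2SchannelState {
    param([switch]$Apply)

    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base $role

        # Only the Server side is written. The Server subkey may be absent on a
        # clean install (as reported in the thread), so create it first.
        if ($Apply -and $role -eq 'Server') {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 `
                -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }

        # Read back what is really in the registry after any change.
        $exists = Test-Path $key
        $props = $null
        if ($exists) { $props = Get-ItemProperty -Path $key }

        $row = New-Object PSObject -Property @{ Role = $role; KeyExists = $exists }
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            # A missing key or value is reported as '(not set)'.
            $value = '(not set)'
            if ($props -and $props.PSObject.Properties[$name]) { $value = $props.$name }
            Add-Member -InputObject $row -MemberType NoteProperty -Name $name -Value $value
        }
        $row
    }
}

# Audit only:
Get-Ssl2SchannelState | Format-Table Role, KeyExists, Enabled, DisabledByDefault -AutoSize

# Set the Server-side values, then restart the server as the thread instructs:
# Get-Ssl2SchannelState -Apply | Format-Table Role, KeyExists, Enabled, DisabledByDefault -AutoSize
```
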

Thanks for the help Jonathan. Just for interest, I found this site where you can test if your SSL 2.0 is disabled: http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm

Best Regards, Morris Fury AFRIDATA.net
July 7th, 2010 2:13pm

This topic is archived. No further replies will be accepted.
