Disable SSL 2.0 on Windows 2008 R2
Hi.
Can anyone give me a step by step on how to disable SSL 2.0 on IIS 7.5 please? I cannot find an article for it and those referring to IIS 7.0 do not seem to work.
Regards,
Morris
Best Regards, Morris Fury AFRIDATA.net
July 6th, 2010 5:02pm
Set the following registry value, and restart the server:
Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Value: DisabledByDefault
Type: REG_DWORD
Data: 0x1
Client-side SSL 2.0 is already disabled by default on Windows 7 and Windows Server 2008 R2.
Hope this helps,
Jonathan Stephens
This posting is provided "AS IS" with no warranties, and confers no rights.
July 6th, 2010 9:47pm
Hi Jonathan.
Thanks for the reply. Interestingly enough this is a clean install of Windows Server 2008 R2 Standard and SSL 2.0 is enabled on it. Could it be that it was enabled when I installed IIS? I found another article that stated I should create a registry entry
at HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server and name it "Enabled" and set it to "0". The "Server" key did not exist either. This did disable SSL 2.0 after the server was restarted. What is the difference between
this setting and the one you suggest?
Regards,
Morris
Best Regards, Morris Fury AFRIDATA.net
July 7th, 2010 8:44am
Morris -
Client-side SSL 2.0 is disabled by default on Windows 7 and Windows Server 2008 R2, which means that, when initiating an SSL connection from either of those two OSes, SSL 2.0 will not be sent as a supported protocol that the server can use. You can see
this in the following registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Value: DisabledByDefault
Server-side SSL 2.0 is not, however, disabled by default. This means that some other client, when initiating an SSL connection to Windows Server 2008 R2, can include SSL 2.0 in the list of supported protocols. If SSL 2.0 is the only protocol in common between the client and the server, the server will select it.
Functionally, there is not much difference between setting Enabled to 0 and setting DisabledByDefault to 1.
Hope this helps,
Jonathan Stephens
July 7th, 2010 1:49pm
Thanks for the help Jonathan.
Just for interest, I found this site where you can test if your SSL 2.0 is disabled:
http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm
Best Regards, Morris Fury AFRIDATA.net
July 7th, 2010 2:13pm
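The two registry settings discussed in this thread, applied and read back with PowerShell. This is an added example, not code from any of the posters; the function names Get-Ssl2State and Disable-Ssl2Server are made up for illustration. It assumes an elevated PowerShell prompt, and the server still needs the restart mentioned above.

```powershell
# Added example: audit and disable server-side SSL 2.0 in SCHANNEL.
# Function names are hypothetical. Run elevated; restart the server afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Get-Ssl2State {
    # Report Enabled / DisabledByDefault for the Client and Server subkeys.
    # A missing key or value is reported as empty, i.e. the OS default applies.
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base $role
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            if ($p) {
                $enabled = $p.Enabled
                $disabledByDefault = $p.DisabledByDefault
            }
        }
        New-Object PSObject -Property @{
            Role              = $role
            KeyExists         = (Test-Path $key)
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
        }
    }
}

function Disable-Ssl2Server {
    $key = Join-Path $base 'Server'
    # On a clean install the Server subkey may not exist, so create it first.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Write both values mentioned in the thread, each as a REG_DWORD.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Show the state before and after the change.
Get-Ssl2State | Format-Table Role, KeyExists, Enabled, DisabledByDefault -AutoSize
Disable-Ssl2Server
Get-Ssl2State | Format-Table Role, KeyExists, Enabled, DisabledByDefault -AutoSize
```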