disable ssl v2 - server 2008 r2
According to this article, http://support.microsoft.com/kb/187498

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

On the Edit menu, click Add Value. In the Data Type list, click DWORD. In the Value Name box, type Enabled, and then click OK. Note: If this value is present, double-click the value to edit its current value. Type 00000000 in Binary Editor to set the value of the new key equal to "0".

I see on my server, in the location

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client

there is a Reg_DWORD setting for DisabledByDefault = "1". Doesn't this accomplish the same end result?
April 4th, 2012 12:10pm

Hi,

That's not the same. All communication is a two-way street: a client sends a request, then the server answers. The setting "DisabledByDefault"=dword:00000001 under the Client subentry means client SSL 2.0 is disabled by default (the default on Windows Server 2008, 2008 R2 and Windows 7), which means the computer will not use SSL 2.0 to initiate a client request. If you instead disable the SSL 2.0 protocol by following the procedure you posted above, it means the server will not answer an SSL 2.0 request.

For more information, please refer to the following MS articles:

Speaking in Ciphers and other Enigmatic tongues
http://blogs.technet.com/b/askds/archive/2011/05/04/speaking-in-ciphers-and-other-enigmatic-tongues.aspx

How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030

How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
http://support.microsoft.com/kb/187498

Lawrence
TechNet Community Support
April 4th, 2012 11:21pm

Thanks for your response. I actually just tried to use the Microsoft fixit tool; the file that was downloaded is "MicrosoftFixit50495.msi". When I ran it, it gave me the options for PCT 1.0, SSL 2.0, SSL 3.0 and TLS 1.0. I chose SSL 2.0 because that's what all the talk is about here. It comes back with "This Microsoft Fixit does not apply to your operating system or application version." It's Windows Server 2008 R2, SP1.

So does the fixit tool not work, or does the OS not have this vulnerability? Or is there something else I need to do? I'm running "as administrator". Help? : )
April 5th, 2012 4:08pm

Hi,

That fixit tool applies to:

Microsoft Internet Information Server 3.0
Microsoft Internet Information Services 5.1
Microsoft Internet Information Services 6.0
Microsoft Internet Information Services 7.0

Windows Server 2008 R2 runs IIS 7.5, which is not in the support list. You may disable SSL 2.0 manually.

For more information, please refer to the following MS article:

How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
http://support.microsoft.com/kb/187498

Lawrence
TechNet Community Support
April 5th, 2012 11:27pm
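
The manual change discussed in the replies above, as an added example that is not part of the original thread or of Microsoft's KB article: it reports the SSL 2.0 Client and Server values separately, then sets Enabled = 0 under the Server subkey, mirroring the procedure quoted for PCT 1.0. The function names Get-SchannelSide and Show-Ssl2State are assumptions made for this example.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Written to work on PowerShell 2.0, which ships with Windows Server 2008 R2.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

# Hypothetical helper: read Enabled / DisabledByDefault for one side.
function Get-SchannelSide {
    param([string]$Side)   # 'Client' or 'Server'
    $key     = Join-Path $base $Side
    $exists  = Test-Path $key
    $enabled = $null
    $dbd     = $null
    if ($exists) {
        $props   = Get-ItemProperty -Path $key
        $enabled = $props.Enabled            # stays $null if the value is absent
        $dbd     = $props.DisabledByDefault  # stays $null if the value is absent
    }
    New-Object PSObject -Property @{
        Side              = $Side
        KeyExists         = $exists
        Enabled           = $enabled
        DisabledByDefault = $dbd
    }
}

# Hypothetical helper: print both sides so the difference is visible.
function Show-Ssl2State {
    param([string]$Label)
    Write-Host $Label
    'Client', 'Server' | ForEach-Object { Get-SchannelSide $_ } |
        Format-Table Side, KeyExists, Enabled, DisabledByDefault -AutoSize |
        Out-String | Write-Host
}

Show-Ssl2State 'SSL 2.0 before the change:'

# Client\DisabledByDefault = 1 only governs outbound (client) requests.
# To stop the server answering SSL 2.0, the Server subkey needs Enabled = 0.
$server = Join-Path $base 'Server'
if (-not (Test-Path $server)) {
    New-Item -Path $server -Force | Out-Null   # creates the key if it is missing
}
New-ItemProperty -Path $server -Name 'Enabled' -Value 0 `
    -PropertyType DWord -Force | Out-Null

Show-Ssl2State 'SSL 2.0 after the change:'
```

Restart the server afterwards so Schannel picks up the new value.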

This topic is archived. No further replies will be accepted.
