Solved

IIS 7 - disable SSL 2.0

Posted on 2011-03-03
6
1,309 Views
Last Modified: 2012-05-11
I have followed the article at http://support.microsoft.com/kb/187498 and restarted my server after making the changes.  

However after doing a TCP dump, I still see SSL 2.0 being negotiated.

I am running IIS 7 and Windows Server 2008.  

How can I disable SSL 2.0 permanently?  

My TCPDump says this:

Secure Socket Layer
   SSLv2 Record Layer: Client Hello
      [Version: SSL 2.0 (0x0002)]
      Length: 98
      Handshake message Type:  Client Hello (1)
      Version: TLS 1.0 (0x0301)
      Cipher Spec Length: 57
      Session ID Length: 0
      Challenge length: 32
0
Comment
Question by:symigeek
  • 3
  • 2
6 Comments
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 250 total points
ID: 35028613
Hi,

Refer this article:
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

After change to registry reboot the server once.

Hope this helps,
Shree
0
 

Author Comment

by:symigeek
ID: 35029471
Yes, that is exactly what I did, including rebooting my server after the registry change.
0
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031769
I ran this from the command line and then rebooted my server.  (REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f)  All was well after that.  Needed this for PCI Compliance.  You can go to http://serversniff.net/content.php?do=ssl to test your ssl status or you can force IE to use SSL 2 as well to test by going to Tools --> Internet Options --> Scroll Towards the bottom and uncheck SSL 3 as well as TLS 1 and check SSL 2.  You will need to close the browser and open it up again and you should get a page can not be displayed error.  Make sure to re-enable SSL 3 and TLS 1.0 afterwards.  Also I had to do a false positive report to the pci scanning company since they were still flagging SSL 2.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031782
You need to use the Advanced tab on Internet Options to find the SSL settings.  Forgot to mention that.
0
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031814
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html This method worked for me in IIS 6 since it seems to like Enabled = 0 reg key instead of DisabledByDefault = 1.
0
 

Author Closing Comment

by:symigeek
ID: 35036260
Even though I had already done this, it turned out to the the solution.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question