?
Solved

IIS 7 - disable SSL 2.0

Posted on 2011-03-03
6
Medium Priority
?
1,321 Views
Last Modified: 2012-05-11
I have followed the article at http://support.microsoft.com/kb/187498 and restarted my server after making the changes.  

However after doing a TCP dump, I still see SSL 2.0 being negotiated.

I am running IIS 7 and Windows Server 2008.  

How can I disable SSL 2.0 permanently?  

My TCPDump says this:

Secure Socket Layer
   SSLv2 Record Layer: Client Hello
      [Version: SSL 2.0 (0x0002)]
      Length: 98
      Handshake message Type:  Client Hello (1)
      Version: TLS 1.0 (0x0301)
      Cipher Spec Length: 57
      Session ID Length: 0
      Challenge length: 32
0
Comment
Question by:symigeek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 1000 total points
ID: 35028613
Hi,

Refer this article:
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

After change to registry reboot the server once.

Hope this helps,
Shree
0
 

Author Comment

by:symigeek
ID: 35029471
Yes, that is exactly what I did, including rebooting my server after the registry change.
0
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031769
I ran this from the command line and then rebooted my server.  (REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f)  All was well after that.  Needed this for PCI Compliance.  You can go to http://serversniff.net/content.php?do=ssl to test your ssl status or you can force IE to use SSL 2 as well to test by going to Tools --> Internet Options --> Scroll Towards the bottom and uncheck SSL 3 as well as TLS 1 and check SSL 2.  You will need to close the browser and open it up again and you should get a page can not be displayed error.  Make sure to re-enable SSL 3 and TLS 1.0 afterwards.  Also I had to do a false positive report to the pci scanning company since they were still flagging SSL 2.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031782
You need to use the Advanced tab on Internet Options to find the SSL settings.  Forgot to mention that.
0
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031814
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html This method worked for me in IIS 6 since it seems to like Enabled = 0 reg key instead of DisabledByDefault = 1.
0
 

Author Closing Comment

by:symigeek
ID: 35036260
Even though I had already done this, it turned out to the the solution.
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question