Solved

IIS 7 - disable SSL 2.0

Posted on 2011-03-03
Last Modified: 2012-05-11
I have followed the article at http://support.microsoft.com/kb/187498 and restarted my server after making the changes.  

However after doing a TCP dump, I still see SSL 2.0 being negotiated.

I am running IIS 7 and Windows Server 2008.  

How can I disable SSL 2.0 permanently?  

My TCPDump says this:

Secure Socket Layer
   SSLv2 Record Layer: Client Hello
      [Version: SSL 2.0 (0x0002)]
      Length: 98
      Handshake message Type:  Client Hello (1)
      Version: TLS 1.0 (0x0301)
      Cipher Spec Length: 57
      Session ID Length: 0
      Challenge length: 32
Question by:symigeek
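
The capture in the question is a Client Hello, a message sent by the client: it uses SSL 2.0 record framing but carries TLS 1.0 (0x0301) as the version being offered, and which protocol the server accepts is decided by the server's reply, not by this record. As an added example (not part of the original thread), this Python parser decodes such a record; the sample bytes are constructed to match the field lengths shown above, and the cipher list in them is invented because the capture does not show it.

```python
import struct

VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_v2_client_hello(data: bytes) -> dict:
    """Decode a Client Hello sent in SSL 2.0 framing (2-byte record header)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an SSL 2.0 record with a 2-byte header")
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) != length or length < 9:
        raise ValueError("truncated record")
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack(">BHHHH", body[:9])
    if msg_type != 1:
        raise ValueError("not a Client Hello")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("inconsistent length fields")
    specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
    return {
        "sender": "client",                     # a Client Hello is never the server's choice
        "framing": "SSL 2.0",                   # record layer only
        "offered": VERSIONS.get(version, hex(version)),  # highest version the client offers
        "length": length,
        "cipher_specs": len(specs),
        # First byte non-zero marks a native SSL 2.0 cipher kind;
        # 0x00 marks an SSL 3.0/TLS suite carried in the 3-byte slot.
        "v2_cipher_specs": [s.hex() for s in specs if s[0] != 0],
    }

def build_sample() -> bytes:
    """Constructed sample: lengths 98 / 57 / 0 / 32 and version 0x0301 as in the capture."""
    tls_suites = b"".join(b"\x00" + struct.pack(">H", s) for s in range(0x2F, 0x41))
    specs = bytes.fromhex("010080") + tls_suites   # invented list: 1 SSL 2.0 kind + 18 TLS suites
    body = struct.pack(">BHHHH", 1, 0x0301, len(specs), 0, 32) + specs + bytes(32)
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    for key, value in parse_v2_client_hello(build_sample()).items():
        print(f"{key}: {value}")
```

To confirm the server-side setting, look at the Server Hello that follows in the same capture, or connect with a client restricted to SSL 2.0 as described in the comments below.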
6 Comments
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 1000 total points
ID: 35028613
Hi,

Refer to this article:
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

After the change to the registry, reboot the server once.

Hope this helps,
Shree
0
 

Author Comment

by:symigeek
ID: 35029471
Yes, that is exactly what I did, including rebooting my server after the registry change.
0
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031769
I ran this from the command line and then rebooted my server.  (REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f)  All was well after that.  Needed this for PCI compliance.  You can go to http://serversniff.net/content.php?do=ssl to test your SSL status, or you can force IE to use SSL 2 as well to test by going to Tools --> Internet Options --> scroll towards the bottom and uncheck SSL 3 as well as TLS 1 and check SSL 2.  You will need to close the browser and open it up again, and you should get a "page cannot be displayed" error.  Make sure to re-enable SSL 3 and TLS 1.0 afterwards.  Also, I had to do a false positive report to the PCI scanning company since they were still flagging SSL 2.
0

 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031782
You need to use the Advanced tab on Internet Options to find the SSL settings.  Forgot to mention that.
0
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031814
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html This method worked for me in IIS 6 since it seems to like Enabled = 0 reg key instead of DisabledByDefault = 1.
0
 

Author Closing Comment

by:symigeek
ID: 35036260
Even though I had already done this, it turned out to be the solution.
0


Question has a verified solution.
