• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1379
  • Last Modified:

IIS 7 - disable SSL 2.0

I have followed the article at http://support.microsoft.com/kb/187498 and restarted my server after making the changes.  

However after doing a TCP dump, I still see SSL 2.0 being negotiated.

I am running IIS 7 and Windows Server 2008.  

How can I disable SSL 2.0 permanently?  

My TCPDump says this:

Secure Socket Layer
   SSLv2 Record Layer: Client Hello
      [Version: SSL 2.0 (0x0002)]
      Length: 98
      Handshake message Type:  Client Hello (1)
      Version: TLS 1.0 (0x0301)
      Cipher Spec Length: 57
      Session ID Length: 0
      Challenge length: 32
  • 3
  • 2
1 Solution
Shreedhar EtteCommented:

Refer this article:

After change to registry reboot the server once.

Hope this helps,
symigeekAuthor Commented:
Yes, that is exactly what I did, including rebooting my server after the registry change.
I ran this from the command line and then rebooted my server.  (REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f)  All was well after that.  Needed this for PCI Compliance.  You can go to http://serversniff.net/content.php?do=ssl to test your ssl status or you can force IE to use SSL 2 as well to test by going to Tools --> Internet Options --> Scroll Towards the bottom and uncheck SSL 3 as well as TLS 1 and check SSL 2.  You will need to close the browser and open it up again and you should get a page can not be displayed error.  Make sure to re-enable SSL 3 and TLS 1.0 afterwards.  Also I had to do a false positive report to the pci scanning company since they were still flagging SSL 2.
WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

You need to use the Advanced tab on Internet Options to find the SSL settings.  Forgot to mention that.
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html This method worked for me in IIS 6 since it seems to like Enabled = 0 reg key instead of DisabledByDefault = 1.
symigeekAuthor Commented:
Even though I had already done this, it turned out to the the solution.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now