Solved

IIS 7 - disable SSL 2.0

Posted on 2011-03-03
Last Modified: 2012-05-11
I have followed the article at http://support.microsoft.com/kb/187498 and restarted my server after making the changes.  

However after doing a TCP dump, I still see SSL 2.0 being negotiated.

I am running IIS 7 and Windows Server 2008.  

How can I disable SSL 2.0 permanently?  

My TCPDump says this:

Secure Socket Layer
   SSLv2 Record Layer: Client Hello
      [Version: SSL 2.0 (0x0002)]
      Length: 98
      Handshake message Type:  Client Hello (1)
      Version: TLS 1.0 (0x0301)
      Cipher Spec Length: 57
      Session ID Length: 0
      Challenge length: 32
Question by:symigeek
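
Added example, not part of the original thread: a Python sketch that parses an SSLv2-format Client Hello like the one in the capture above and, separately, reads which protocol the server selected from the first bytes of its reply. A hello sent in the SSLv2 record format with version 0x0301 offers TLS 1.0; the protocol in use is the one named in the server's reply. The sample bytes are constructed to match the capture's field sizes (98/57/0/32), the cipher values and server reply bytes are constructed as well, and the function names are this example's own.

```python
import struct

VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_v2_client_hello(record: bytes) -> dict:
    """Parse an SSLv2-format Client Hello (2-byte header, high bit set)."""
    if len(record) < 11 or not record[0] & 0x80:
        raise ValueError("not an SSLv2 record with a 2-byte header")
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    msg_type, version, cs_len, sid_len, ch_len = struct.unpack(">BHHHH", body[:9])
    if msg_type != 1 or cs_len % 3 or 9 + cs_len + sid_len + ch_len != length:
        raise ValueError("not a well-formed Client Hello")
    specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
    return {
        "length": length,
        "offered_version": VERSIONS.get(version, hex(version)),
        # 3-byte specs starting 0x00 wrap SSL 3.0/TLS suites; the rest are SSL 2.0 kinds
        "ssl2_cipher_kinds": [s.hex() for s in specs if s[0] != 0],
        "tls_suites": sum(1 for s in specs if s[0] == 0),
    }

def negotiated_version(server_reply: bytes) -> str:
    """Read the protocol the server chose from the first bytes of its reply."""
    if len(server_reply) >= 11 and server_reply[0] == 0x16 and server_reply[5] == 0x02:
        # SSL 3.0/TLS handshake record holding a ServerHello: version at offset 9
        v = struct.unpack(">H", server_reply[9:11])[0]
        return VERSIONS.get(v, hex(v))
    if len(server_reply) >= 3 and server_reply[0] & 0x80 and server_reply[2] == 0x04:
        return "SSL 2.0"  # SSLv2 SERVER-HELLO message
    return "no hello (alert or connection closed)"

def sample_client_hello() -> bytes:
    """Constructed record with the field sizes from the capture (98/57/0/32)."""
    specs = b"".join(bytes([0, 0, n]) for n in range(4, 20))  # 16 constructed TLS suite slots
    specs += bytes.fromhex("010080" "0700c0" "030080")        # 3 SSL 2.0 cipher kinds
    body = struct.pack(">BHHHH", 1, 0x0301, len(specs), 0, 32) + specs + bytes(32)
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    print(parse_v2_client_hello(sample_client_hello()))
    # Constructed ServerHello prefix: record header, handshake header, version 0x0301
    print(negotiated_version(bytes.fromhex("1603010031" "0200002d" "0301")))
```
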
6 Comments
 
LVL 34

Accepted Solution

by:
Shreedhar Ette earned 1000 total points
ID: 35028613
Hi,

Refer to this article:
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

After the change to the registry, reboot the server once.

Hope this helps,
Shree
 

Author Comment

by:symigeek
ID: 35029471
Yes, that is exactly what I did, including rebooting my server after the registry change.
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031769
I ran this from the command line and then rebooted my server:

   REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

All was well after that.  Needed this for PCI compliance.

You can go to http://serversniff.net/content.php?do=ssl to test your SSL status, or you can force IE to use SSL 2 as well to test by going to Tools --> Internet Options --> scroll towards the bottom and uncheck SSL 3 as well as TLS 1 and check SSL 2.  You will need to close the browser and open it up again, and you should get a "page cannot be displayed" error.  Make sure to re-enable SSL 3 and TLS 1.0 afterwards.

Also, I had to do a false positive report to the PCI scanning company since they were still flagging SSL 2.
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031782
You need to use the Advanced tab on Internet Options to find the SSL settings.  Forgot to mention that.
 
LVL 2

Expert Comment

by:garrett_boarder
ID: 35031814
http://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html This method worked for me in IIS 6 since it seems to like Enabled = 0 reg key instead of DisabledByDefault = 1.
 

Author Closing Comment

by:symigeek
ID: 35036260
Even though I had already done this, it turned out to be the solution.