Windows Small Business standard server needs to disable SSL2 and SSL3

Hello I have a server that is up and running but it has fail a world pay scan for our credit card, it states that we have to disable SSL2 and SSL3 I have look around on the net but only seeing registry fixes and I am a bit nervous to just do it, do you know any other ways to disable this two connections
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DeadmanIT ConsultantCommented:
There is no other way to do it. It's a vulnerability in the protocol.

In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry set at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.

To disable SSLv3, which the POODLE vulnerability is concerned with, create a subkey at the above location (if it's not already present) named SSL 3.0 and, under that, a subkey named Server (if it's not already present). At this location (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server) create a DWORD value named Enabled and leave it set at 0.

Disabling SSL 2.0, which you should also be doing, is done the same way, except that you'll be using a key named SSL 2.0 in the above registry path.

check this link

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Deerek11Author Commented:
I just did SSL2 but under protocols there is only SSL2 no SSL3 folder ...
Damien KayCommented:
I went through this with several SBS2003, SBS2008, and SBS2011 servers, as well as both a WSE2012 server and a WSE2012R2 server.  I combined all the Microsoft suggested Registry entries into one REG file, and merged it into the Registry on the server, and then rebooted. I've attached a text file that you can rename to a .REG file for merging.

I used the SSL Labs website to test my changes (I would run the test before and after merging the REG file): (using the external FQDN of the server).  

Older 2003 servers will never get a better grade than a C.  SBS2008 servers should be able to get a B, as they don't support TLS 1.2.

I have not attempted disabling the RC4 cipher yet, so my SBS2011 and WSE2012 servers are also capped at a B. This MS Technet Article describes how to completely disable RC4:
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

DeadmanIT ConsultantCommented:
To disable SSLv3  create SSL 3.0  a subkey at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols and again create Server subkey
create a DWORD value named Enabled and leave it set at 0.
Deerek11Author Commented:
Hello I just tried to run the scan for the network using but it will not allow IP address ... any suggestions?
Damien KayCommented:
Do you have access to your domain DNS?  Since you have SSL Enabled, you have an SSL Certificate installed, so you must have a domain name associated with that in some way...
Deerek11Author Commented:
Yes the domain name is with go daddy but world pay had us run it on that domain name at first and it failed with about 30 something critical errors they told me that was wrong I should run it within the network IP address so I did a what is my ip inside the network so we ran the scan on the IP address of the network
Damien KayCommented:
That is correct, an IP Address will not work.

First, for the SSL Certificate to work right, you must have a FQDN to browse to it.  That FQDN must resolve to the external IP Address of the server you are trying to secure.  It is that name that you must use in the SSLLABS test.  

A typical example of a FQDN for remote access to a WSE2012R2 server would be ""

If you have some other configuration, please let me know so I can help you further...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.