Disable SSL 2.0 on Windows 2008 R2

    Question

  • Hi.

    Can anyone give me a step by step on how to disable SSL 2.0 on IIS 7.5 please? I cannot find an article for it and those referring to IIS 7.0 do not seem to work.

    Regards,

    Morris


    Best Regards, Morris Fury AFRIDATA.net
    Tuesday, July 06, 2010 2:02 PM

Answers

  • Set the following registry value, and restart the server:

    Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    Value: DisabledByDefault
    Type: REG_DWORD
    Data: 0x1

    Client-side SSL 2.0 is already disabled by default on Windows 7 and Windows Server 2008 R2.

    Hope this helps,

    Jonathan Stephens


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Morris Fury Wednesday, July 07, 2010 11:14 AM
    Tuesday, July 06, 2010 6:47 PM

All replies

  • Hi Jonathan.

    Thanks for the reply. Interestingly enough this is a clean install of Windows Server 2008 R2 Standard and SSL 2.0 is enabled on it. Could it be that it was enabled when I installed IIS? I found another article that stated I should create a registry entry at HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server and name it "Enabled" and set it to "0". The "Server" key did not exist either. This did disable SSL 2.0 after the server was restarted. What is the difference between this setting and the one you suggest?

    Regards,

    Morris


    Best Regards, Morris Fury AFRIDATA.net
    Wednesday, July 07, 2010 5:44 AM
  • Morris -

    Client-side SSL 2.0 is disabled by default on Windows 7 and Windows Server 2008 R2, which means that, when initiating an SSL connection from either of those two OSes, SSL 2.0 will not be sent as a supported protocol that the server can use. You can see this in the following registry value:

    Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
    Value: DisabledByDefault

    Server-side SSL 2.0 is not, however, disabled by default. This means that some other client, when initiating an SSL connection to Windows Server 2008 R2, can include SSL 2.0 in the list of supported protocols. If SSL 2.0 is the only protocol in common between the client and the server, the server will select it.

    Functionally, there is not much difference between setting Enabled to 0 and setting DisabledByDefault to 1.

    Hope this helps,

    Jonathan Stephens


    Wednesday, July 07, 2010 10:49 AM
  • Thanks for the help Jonathan.

    Just for interest, I found this site where you can test if your SSL 2.0 is disabled:

    http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm


    Best Regards, Morris Fury AFRIDATA.net
    Wednesday, July 07, 2010 11:13 AM
  • I have IIS 7.5, I see the registry set "DisabledByDefault" = 1

    but SSL checkers still show IIS accepting SSL2???

    $39.00 for the tool above, come on that's pretty crappy.


    Dane!

    Monday, October 21, 2013 10:38 PM
  • Dane, and others:

    Qualys has a free SSL server test. Find it here:

    https://www.ssllabs.com/ssltest/

    Thursday, April 10, 2014 5:05 PM
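
The two registry settings discussed in this thread, as an added PowerShell example that was not posted by any participant: it creates the `Server` subkey if it is missing, writes both `Enabled` = 0 and `DisabledByDefault` = 1, and reads back the Server and Client values so the configured state can be checked. The function names `Set-Ssl2ServerDisabled` and `Get-Ssl2State` are hypothetical; the key path and value names are the ones quoted above.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Key path and value names (Enabled, DisabledByDefault) are those quoted in the thread.
# Written to work on the PowerShell 2.0 that ships with Windows Server 2008 R2.
$Ssl2Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Set-Ssl2ServerDisabled {
    param([string]$ProtocolKey = $Ssl2Key)
    $server = Join-Path $ProtocolKey 'Server'
    # The thread notes that the "Server" subkey may not exist on a clean install.
    if (-not (Test-Path $server)) {
        New-Item -Path $server -Force | Out-Null
    }
    # Write both values mentioned in the thread; -Force overwrites existing data.
    New-ItemProperty -Path $server -Name 'Enabled' -Value 0 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $server -Name 'DisabledByDefault' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Get-Ssl2State {
    param([string]$ProtocolKey = $Ssl2Key)
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $ProtocolKey $role
        $props = $null
        if (Test-Path $key) { $props = Get-ItemProperty -Path $key }
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            # A missing key or value is reported explicitly instead of as blank.
            $value = '(not set)'
            if ($props -and $props.PSObject.Properties[$name]) {
                $value = $props.$name
            }
            New-Object PSObject -Property @{
                Role  = $role
                Name  = $name
                Value = $value
            } | Select-Object Role, Name, Value
        }
    }
}

Set-Ssl2ServerDisabled
Get-Ssl2State | Format-Table -AutoSize
```

As the answer above states, the server must be restarted before the change takes effect; the read-back only confirms what is written in the registry, so re-run an external SSL test afterwards to confirm what the server actually negotiates.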