How to Disable SSLv2 and Weak Ciphers in Windows 2008 IIS 7.0

    Question

  • Hi, I have been trying to disable SSL V2 using kb245030.  I have applied all the changes in the note, I have also applied some change proposed in the following pages:
    http://blog.techstacks.com/2008/10/iis-disabling-sslv2-and-weak-ciphers.html
    http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

    None of these recommended changes seems to have any effect whatsoever; every time I run the SSL Info service at www.serversniff.net I get the same results:

    .....
    Available SSL2 ciphers:
    DES-CBC3-MD5 168 bit
    RC2-CBC-MD5 128 bit
    RC4-MD5 128 bit
    DES-CBC-MD5 56 bit
    EXP-RC2-CBC-MD5 40 bit
    EXP-RC4-MD5 40 bit
     
    Available SSL3 ciphers:
    DES-CBC3-SHA 168 bit
    RC4-SHA 128 bit
    RC4-MD5 128 bit
    DES-CBC-SHA 56 bit
    EXP-RC2-CBC-MD5 40 bit
    EXP-RC4-MD5 40 bit
     
    Available TLS1 ciphers:
    DES-CBC3-SHA 168 bit
    RC4-SHA 128 bit
    RC4-MD5 128 bit
    DES-CBC-SHA 56 bit
    EXP-RC2-CBC-MD5 40 bit
    EXP-RC4-MD5 40 bit
    .....

    As far as I understand SSL V2 should not show any cipher.

    I would really appreciate any help regarding this issue.

    Best regards
    Thursday, May 07, 2009 9:35 PM

All replies

  • I did place a caveat in the beginning of my post  that I did not know whether these registry changes would work with IIS7.  I do not have access to an IIS7 box that I could test these particular changes on.  My post was specifically geared towards IIS4 through IIS6.

    Friday, May 29, 2009 8:06 PM
  • Did you ever get an answer?  I haven't been able to remove the weak ciphers in W2k8 IIS7 yet.  If you have, please share.  Thank you, Keith


    KeithInSac
    Tuesday, July 28, 2009 8:30 PM
  • Have you seen this article? It's for Windows 2000 and 2003, but it might provide some insights: http://support.microsoft.com/kb/245030/
    Wednesday, July 29, 2009 9:50 PM
  • Yeah, I've been through that article quite a few times.  It's one of my validation points for the registry settings I have (see below).  At the end of the article the "Applies To" section shows that it does not apply to platforms newer than Windows Server 2003.  If you have any suggestions on my registry settings or an alternative way to configure this, I would greatly appreciate it.

    Below are my current settings (for W2k/W2k3)

    Registry Settings:
    ----------------------------------------------------------------------------
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    "Enabled"=dword:00000000
    ----------------------------------------------------------------------------


    KeithInSac
    Friday, July 31, 2009 8:44 PM
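The same SCHANNEL hardening as the .reg file in the post above, applied and read back with PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes an elevated session on Windows Server 2008 with IIS 7 and the same key names as the .reg file, and it does not remove the need for a reboot before Schannel picks up the values. The one detail worth showing is that the cipher key names contain a forward slash (`RC4 40/128`), which the PowerShell registry provider treats as a path separator, so `New-Item` silently creates a nested `RC4 40\128` key that Schannel never reads; the .NET registry API below does not have that problem.

```powershell
# Added example (not from the thread): disable the SCHANNEL ciphers and protocols
# listed in the .reg file above, then dump the resulting state for verification.
# Assumes an elevated PowerShell session on Windows Server 2008 / IIS 7.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Same list as the .reg file above.
$ciphers   = @('DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128')
$protocols = @('PCT 1.0', 'SSL 2.0')

function Disable-SchannelKey {
    param([string]$RelativePath)
    # Use the .NET registry API rather than New-Item: the PowerShell registry
    # provider treats the '/' in names such as 'RC4 40/128' as a path separator
    # and would create 'RC4 40' with a child key '128', which Schannel ignores.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$RelativePath")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

foreach ($c in $ciphers)   { Disable-SchannelKey "Ciphers\$c" }
foreach ($p in $protocols) { Disable-SchannelKey "Protocols\$p\Server" }

# Verification: list every key under Ciphers and Protocols with its Enabled value.
# A wrongly nested key (for example 'RC4 40' with no Enabled value) shows up here
# as a row whose Enabled column is empty.
function Get-SchannelState {
    foreach ($section in 'Ciphers', 'Protocols') {
        $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$section")
        if ($null -eq $root) { continue }
        foreach ($name in $root.GetSubKeyNames()) {
            $sub    = $root.OpenSubKey($name)
            # Protocol keys carry Enabled under a Server subkey; cipher keys carry it directly.
            $server = $sub.OpenSubKey('Server')
            $value  = if ($server) { $server.GetValue('Enabled') } else { $sub.GetValue('Enabled') }
            [pscustomobject]@{ Section = $section; Key = $name; Enabled = $value }
        }
    }
}

Get-SchannelState | Format-Table -AutoSize
```

After the reboot, the external scan quoted at the top of the thread is the check that matters: the "Available SSL2 ciphers" section should be empty and the 40-bit and 56-bit entries should be gone from the SSL3 and TLS1 lists.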
  • I'm having the same issue and have tried all the above as well.  Having SSLv2 is an issue as you will fail a PCI audit or get dinged by an external auditor.  Anyone figured out how to disable this setting?

    Thanks in advance,
    MikeinNC
    • Proposed as answer by John Welu Tuesday, October 06, 2009 10:11 PM
    Monday, October 05, 2009 2:53 PM
  • http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04

    Just tried this one and it worked on our 2008 server running iis7.

    Sorry about the proposed as answer on the previous post I’m new to the forums.

    • Proposed as answer by Boilermaker81 Wednesday, April 07, 2010 7:40 PM
    Tuesday, October 06, 2009 10:13 PM
  • I believe you must restart IIS after these changes, or even reboot altogether.
    Wednesday, April 07, 2010 7:41 PM