How to disable SSL 2.0 or SSL 3.0 from IIS Server
Published Nov 16 2018 06:54 AM 22.3K Views
Microsoft
First published on MSDN on Oct 29, 2014

Recently I have assisted a couple of enterprise engineers in disabling a specific version of SSL on IIS servers to mitigate a vulnerability they were facing. In both cases, I found that the engineers were a little confused about which registry change they needed to apply, since the registry key has both a Client and a Server portion. Here is the summary and the key takeaways from these two engagements:


These are the key combinations to disable SSL:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000


Note: the Client portion holds a DWORD entry called "DisabledByDefault", whereas the Server portion holds a DWORD entry called "Enabled". Setting only one side leaves the other side's use of that protocol unchanged.


The registry keys and their contents are the same for all modern OS versions: Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
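The same change can be applied and then audited from an elevated PowerShell session. This is an added example and not part of the original post; the function names are my own, and the script assumes you run it as an administrator and reboot afterwards so that Schannel picks up the new values.

```powershell
# Added example (not from the original post): apply and verify the Schannel
# settings listed above for SSL 2.0 and SSL 3.0. Requires an elevated session;
# Schannel reads these keys at boot, so reboot after applying.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'
$Protocols = @('SSL 2.0', 'SSL 3.0')

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)

    $clientKey = Join-Path $SchannelProtocols "$Protocol\Client"
    $serverKey = Join-Path $SchannelProtocols "$Protocol\Server"

    # -Force creates missing parent keys and does not fail if the key already exists.
    New-Item -Path $clientKey -Force | Out-Null
    New-Item -Path $serverKey -Force | Out-Null

    # Client portion: "DisabledByDefault"=dword:00000001
    New-ItemProperty -Path $clientKey -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    # Server portion: "Enabled"=dword:00000000
    New-ItemProperty -Path $serverKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-SchannelProtocolDisabled {
    param([Parameter(Mandatory)][string]$Protocol)

    # Missing keys yield $null, which reads as "not disabled" below.
    $client = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$Protocol\Client") -ErrorAction SilentlyContinue
    $server = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$Protocol\Server") -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Protocol       = $Protocol
        ClientDisabled = ($client.DisabledByDefault -eq 1)
        ServerDisabled = ($server.Enabled -eq 0)
    }
}

foreach ($p in $Protocols) {
    Disable-SchannelProtocol -Protocol $p
}

# Audit: both columns should read True for each protocol before the reboot.
$Protocols | ForEach-Object { Test-SchannelProtocolDisabled -Protocol $_ } | Format-Table -AutoSize
```

Run only the Test-SchannelProtocolDisabled calls on a fleet to find servers where one side of the key was set but the other was missed.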

