IIS Support Blog

How to disable SSL 2.0 or SSL 3.0 from IIS Server

Enamul_Khaleque
Nov 16, 2018
First published on MSDN on Oct 29, 2014

Recently I have assisted a couple of enterprise engineers in disabling a specific SSL version on IIS servers to mitigate a vulnerability they were facing. In both cases, I found that the engineers were a little confused about which registry change they needed to apply, since there is a Client portion and a Server portion of the registry key. Here is the summary and the key takeaways from these two engagements:


These are the registry keys and values that disable SSL 2.0 and SSL 3.0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000


Note: the Client key holds a REG_DWORD value named "DisabledByDefault", whereas the Server key holds a REG_DWORD value named "Enabled". Setting "Enabled" to 0 under Server switches the protocol off for everything that uses Schannel as a server, IIS included; setting "DisabledByDefault" to 1 under Client stops the protocol from being offered unless an application explicitly asks for it. Schannel reads these values at startup, so the server has to be rebooted before the change takes effect.


The registry keys and their contents are the same on all of the OS versions covered here: Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.
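The same change scripted in PowerShell, added here as a worked example that is not part of the original post. It applies exactly the Client/Server pairing listed above (DisabledByDefault=1 under Client, Enabled=0 under Server) and then reads the values back so you can see what is actually in the registry before rebooting. The function names Disable-SchannelProtocol and Get-SchannelProtocolState are this example's own; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original post: disable SSL 2.0 / SSL 3.0 in Schannel
# using the Client/Server registry layout described above, then read the values back.
# Function and parameter names are this example's own. Run from an elevated prompt.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SSL 2.0', 'SSL 3.0')]
        [string]$Protocol
    )

    # Client side: DisabledByDefault = 1 (not offered unless an app explicitly asks).
    # Server side: Enabled = 0 (IIS and any other Schannel server will refuse it).
    # These are the two values the post lists; both are REG_DWORD.
    $settings = @(
        @{ Side = 'Client'; Name = 'DisabledByDefault'; Value = 1 },
        @{ Side = 'Server'; Name = 'Enabled';           Value = 0 }
    )

    foreach ($s in $settings) {
        $keyPath = Join-Path $SchannelProtocols "$Protocol\$($s.Side)"
        if ($PSCmdlet.ShouldProcess($keyPath, "Set $($s.Name)=$($s.Value)")) {
            # -Force creates the intermediate keys (e.g. Protocols\SSL 3.0\Server)
            # when they do not exist yet, which is the usual case on a fresh install.
            New-Item -Path $keyPath -Force | Out-Null
            New-ItemProperty -Path $keyPath -Name $s.Name -Value $s.Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Protocol
    )
    # Report what is really stored for both sides of the protocol key.
    # A value shown as "(not set)" means the OS default applies for that side.
    foreach ($side in 'Client', 'Server') {
        $keyPath = Join-Path $SchannelProtocols "$Protocol\$side"
        $props = if (Test-Path $keyPath) { Get-ItemProperty -Path $keyPath } else { $null }

        $enabled = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled } else { '(not set)' }
        $byDefault = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(not set)' }

        New-Object PSObject -Property @{
            Protocol          = $Protocol
            Side              = $side
            Enabled           = $enabled
            DisabledByDefault = $byDefault
        } | Select-Object Protocol, Side, Enabled, DisabledByDefault
    }
}

# Usage: preview the changes with -WhatIf, apply them, then read them back.
foreach ($p in 'SSL 2.0', 'SSL 3.0') {
    Disable-SchannelProtocol -Protocol $p -WhatIf
    Disable-SchannelProtocol -Protocol $p
    Get-SchannelProtocolState -Protocol $p | Format-Table -AutoSize
}
```

The read-back only proves the registry is right; Schannel picks the values up at boot, so reboot the server and then test the listener from another machine before closing the ticket. With an OpenSSL build that still supports SSLv3, `openssl s_client -connect host:443 -ssl3` should now fail the handshake, while a TLS connection to the same site continues to work.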

