How to disable SSL 2.0 or SSL 3.0 from IIS Server
Published Nov 16 2018 06:54 AM 18K Views
First published on MSDN on Oct 29, 2014

Recently I have assisted couple of enterprise engineers in disabling a specific version SSL from IIS Servers to mitigate a vulnerability that they were facing. In both cases, I found that engineers were little confused as to what registry change that they needed to apply since there were Client and Server portion of the Registry key. Here is the summary and key takeaways from these two engagements:

These are the key combinations to disable SSL:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]

Note: Client portion contains subkey called "DisabledByDefault" whereas the Server portion contains subkey called "Enabled"

The registry keys and their contents are same for all modern OS: Windows 7, Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

Version history
Last update:
‎Nov 16 2018 06:54 AM
Updated by: