Microsoft IIS - Disable SSL 2.0 and SSL 3.0

Last updated on 28 Sep 2023, 10:22:56.
Category: All about SSL certificates

IIS 5 IIS 6 IIS 7 IIS 8 IIS 8.5 Microsoft SSL v2 SSL v3 TLS Windows server 2003 Windows server 2008 Windows server 2012 Windows server 2012 R2

Why disable SSL v2 en SSL v3?

SSL 2.0 and SSL 3.0 are obsolete versions of the SSL protocol that have long since been superseded by the more secure Transport Layer Security (TLS) protocol, that offers better security. In addition, a SSL 3.0 security flaw nicknamed POODLE was discovered in 2014, allowing an attacker to completely circumvent SSL security. It is therefore highly advisable to disable those protocols on Microsoft IIS.

You'll find an overview of the different ways to disable SSL 2.0 en SSL 3.0 below.

Using IIS Crypto

IIS Crypto is a free utility for Windows Server 2003, Windows Server 2008 and Windows 2012 to modify protocols and cypher suites used in IIS. Moreover, the utility contains a shortcut allowing you to configure your web server to all currently recommended settings in one click.

Kinamo recommends that you use IIS Crypto, since not only does it disable SSL v2 and SSL v3, but also ensures your IIS configuration is in line with all SSL/TLS best practices.

Using the Registry Editor

Copy the code below in a text document and save it with a .reg extension. Double click the file, and confirm you want to modify the Windows Registry when asked if you want to do so.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

Reboot Windows Server to finish.

Using Windows PowerShell

Execute the Windows PowerShell script below at the command-line or in System Center Configuration Manager (SCCM). Reboot your Windows Server afterwards.

$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'

If(!(Test-Path -Path $regPath1))
New-Item -Path $regPath1 -Force

If(!(Test-Path $regPath2))
New-Item -Path $regPath2 -Force
New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value "0" -Force

If(!(Test-Path $regPath3))
New-Item -Path $regPath3 -Force
If(!(Test-Path $regPath4))
New-Item -Path $regPath4 -Force
New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value "0" -Force

Related articles

Kinamo mail server settings (mail server cheat sheet)

The following article provides the basic settings and server names (domain names) for the Kinamo mail infrastructure. These settings allow...

Read more

Create an automatic SPAM filter in the Kinamo Webmail

This article explains how you may create a filter that will automatically place SPAM messages in a special folder, so...

Read more

Order an SSL certificate? What is an SSL certificate?

You need to order an SSL certificate? But what is an SSL certificate? And why is everyone saying that it...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Select your language

All languages: