Microsoft IIS - Disable SSL 2.0 and SSL 3.0

Last updated on 28 Sept 2023, 10:22:56.
Category: All about SSL certificates

IIS 5 IIS 6 IIS 7 IIS 8 IIS 8.5 Microsoft SSL v2 SSL v3 TLS Windows server 2003 Windows server 2008 Windows server 2012 Windows server 2012 R2

Why disable SSL v2 en SSL v3?

SSL 2.0 and SSL 3.0 are obsolete versions of the SSL protocol that have long since been superseded by the more secure Transport Layer Security (TLS) protocol, that offers better security. In addition, a SSL 3.0 security flaw nicknamed POODLE was discovered in 2014, allowing an attacker to completely circumvent SSL security. It is therefore highly advisable to disable those protocols on Microsoft IIS.

You'll find an overview of the different ways to disable SSL 2.0 en SSL 3.0 below.

Using IIS Crypto

IIS Crypto is a free utility for Windows Server 2003, Windows Server 2008 and Windows 2012 to modify protocols and cypher suites used in IIS. Moreover, the utility contains a shortcut allowing you to configure your web server to all currently recommended settings in one click.

Kinamo recommends that you use IIS Crypto, since not only does it disable SSL v2 and SSL v3, but also ensures your IIS configuration is in line with all SSL/TLS best practices.

Using the Registry Editor

Copy the code below in a text document and save it with a .reg extension. Double click the file, and confirm you want to modify the Windows Registry when asked if you want to do so.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Reboot Windows Server to finish.

Using Windows PowerShell

Execute the Windows PowerShell script below at the command-line or in System Center Configuration Manager (SCCM). Reboot your Windows Server afterwards.

$regPath1 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'

If(!(Test-Path -Path $regPath1))
{
New-Item -Path $regPath1 -Force
}

If(!(Test-Path $regPath2))
{
New-Item -Path $regPath2 -Force
}
New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value "0" -Force

If(!(Test-Path $regPath3))
{
New-Item -Path $regPath3 -Force
}
If(!(Test-Path $regPath4))
{
New-Item -Path $regPath4 -Force
}
New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value "1" -Force
New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value "0" -Force

Related articles

Hoe de taal van Kinamo webmail aanpassen

Dit FAQ-artikel legt uit hoe je de taal van de gebruikersinterface kunt aanpassen in Kinamo Webmail

Read more

Can I read my e-mail online (through webmail)?

Each Kinamo e-mail address can be checked through an extensive webmail e-mail client. The only thing you need are an...

Read more

Create an automatic SPAM filter in the Kinamo Webmail

Do you have an email with Kinamo? Discover here how to create a special filter via Kinamo Webmail to keep...

Read more

Need extra help?

Were not all your questions answered?
Don't worry, we will be happy to help you via a support request!

Kinamo

Select your language

All languages: