Microsoft IIS - Disable SSL 2.0 and SSL 3.0

Last updated: 14/01/2016

SSL 2.0 and SSL 3.0 are obsolete versions of the SSL protocol that have long since been superseded by the more secure Transport Layer Security (TLS) protocol. In addition, an SSL 3.0 security flaw nicknamed POODLE was discovered in 2014, allowing an attacker to completely circumvent SSL security. It is therefore highly advisable to disable these protocols on Microsoft IIS.

You'll find an overview of the different ways to disable SSL 2.0 and SSL 3.0 below.

IIS Crypto is a free utility for Windows Server 2003, Windows Server 2008 and Windows 2012 to modify protocols and cipher suites used in IIS. Moreover, the utility contains a shortcut allowing you to configure your web server to all currently recommended settings in one click.

Kinamo recommends that you use IIS Crypto, since it not only disables SSL v2 and SSL v3 but also ensures your IIS configuration is in line with all SSL/TLS best practices.

Copy the code below into a text document and save it with a .reg extension. Double-click the file and confirm that you want to modify the Windows Registry when asked.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

Reboot Windows Server to finish.

Execute the Windows PowerShell script below at the command line or in System Center Configuration Manager (SCCM). Reboot your Windows Server afterwards.

# Schannel registry keys for SSL 2.0 and SSL 3.0 (protocol key and its Server subkey)
$regPath1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0'
$regPath2 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server'
$regPath3 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0'
$regPath4 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server'

# SSL 2.0: create the keys if they do not exist yet
If (!(Test-Path -Path $regPath1))
{
    New-Item -Path $regPath1 -Force
}

If (!(Test-Path -Path $regPath2))
{
    New-Item -Path $regPath2 -Force
}
# Disable SSL 2.0 on the server side
New-ItemProperty -Path $regPath2 -Name DisabledByDefault -PropertyType DWORD -Value 1 -Force
New-ItemProperty -Path $regPath2 -Name Enabled -PropertyType DWORD -Value 0 -Force

# SSL 3.0: create the keys if they do not exist yet
If (!(Test-Path -Path $regPath3))
{
    New-Item -Path $regPath3 -Force
}

If (!(Test-Path -Path $regPath4))
{
    New-Item -Path $regPath4 -Force
}
# Disable SSL 3.0 on the server side
New-ItemProperty -Path $regPath4 -Name DisabledByDefault -PropertyType DWORD -Value 1 -Force
New-ItemProperty -Path $regPath4 -Name Enabled -PropertyType DWORD -Value 0 -Force
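
Whichever method was used, the result can be checked by reading the same Schannel keys back. The audit function below is an added example, not part of the original article; the function name Get-SchannelServerProtocolState and the State labels are hypothetical.

```powershell
# Added example: audit the Server-side Schannel values that the .reg file
# and the PowerShell script in this article write for SSL 2.0 and SSL 3.0.
# The function name and the State labels are hypothetical.
function Get-SchannelServerProtocolState {
    param(
        [string[]] $Protocol = @('SSL 2.0', 'SSL 3.0'),
        [string]   $BasePath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    )

    foreach ($name in $Protocol) {
        $key = Join-Path -Path $BasePath -ChildPath "$name\Server"
        $enabled = $null
        $disabledByDefault = $null

        if (Test-Path -Path $key) {
            # A missing value yields $null instead of an error.
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            $disabledByDefault = (Get-ItemProperty -Path $key -Name DisabledByDefault -ErrorAction SilentlyContinue).DisabledByDefault
        }

        # Enabled = 0 switches the protocol off. If the value is absent,
        # the operating system default applies, which differs per Windows version.
        if ($null -eq $enabled) {
            $state = 'NotConfigured'
        } elseif ($enabled -eq 0) {
            $state = 'Disabled'
        } else {
            $state = 'Enabled'
        }

        New-Object PSObject -Property @{
            Protocol          = $name
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            State             = $state
        } | Select-Object Protocol, Enabled, DisabledByDefault, State
    }
}

# Report the current state; any row that is not 'Disabled' needs attention.
$report = Get-SchannelServerProtocolState
$report | Format-Table -AutoSize
$report | Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object { Write-Warning "$($_.Protocol) server side is $($_.State)" }
```

A server configured with the .reg file shows DisabledByDefault as empty, because that file only writes the Enabled value; the State column still reads Disabled.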