
How to disable SSL 2.0 and SSL 3.0 on Windows Server 2008 R2?

Problem

How to disable SSL 2.0 and SSL 3.0 on Windows Server 2008 R2?


Solution

QuoVadis strongly recommends disabling the SSL 2.0 and SSL 3.0 protocols on your server. Both protocols have well-known weaknesses and should no longer be negotiated. This KB article describes how to disable them through the Schannel registry settings.

  1. Start the registry editor by clicking on Start and Run. Type in "regedit" into the Run field (without quotations).

  2. Highlight Computer at the top of the registry tree.  Backup the registry first by clicking on File and then on Export.  Select a file location to save the registry file.

  3. Note: You will be editing the registry.  This could have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.

  4. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    Note: Keys in the registry are similar to folders. The following steps mention several keys. If a key is missing, you can add it by right-clicking on the parent key and selecting New and then Key from the menu.

  5. Expand the Protocols key.
  6. Expand (or create) the SSL 2.0 key and click on the Client key underneath it. If there is no Client key, create it underneath the SSL 2.0 key.
  7. Check for the DWORD named Enabled in the right-hand pane and ensure that it shows 0x00000000 (0) in the Data column. If the value does not exist, right-click in the right-hand pane, select New and then DWORD (32-bit) Value, and name it Enabled. If it shows anything other than 0, right-click on Enabled, select Modify..., set the Value data to 0 and ensure that Base has Hexadecimal selected.
  8. Underneath the SSL 2.0 key, click on the Server key. If there is no Server key, create it underneath the SSL 2.0 key.
  9. Check for the DWORD named Enabled in the right-hand pane and ensure that it shows 0x00000000 (0) in the Data column. If the value does not exist, create it as in step 7. If it shows anything other than 0, right-click on Enabled, select Modify..., set the Value data to 0 and ensure that Base has Hexadecimal selected.
  10. Underneath the Protocols key, expand (or create) the SSL 3.0 key and click on the Client key underneath it. If there is no Client key, create it underneath the SSL 3.0 key.
  11. Check for the DWORD named Enabled in the right-hand pane and ensure that it shows 0x00000000 (0) in the Data column. If the value does not exist, create it as in step 7. If it shows anything other than 0, right-click on Enabled, select Modify..., set the Value data to 0 and ensure that Base has Hexadecimal selected.
  12. Underneath the SSL 3.0 key, click on the Server key. If there is no Server key, create it underneath the SSL 3.0 key.
  14. Reboot the server.

Once the server has rebooted, SSL 2.0 and SSL 3.0 are disabled on it. Two points to check before making the change: the Client keys govern connections the server itself makes to other systems, so a back-end host that only speaks SSL 3.0 will stop working; and at least one TLS version must remain enabled or no clients will be able to connect (on Windows Server 2008 R2, TLS 1.0 is enabled by default, while TLS 1.1 and TLS 1.2 are supported but not enabled by default).
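The same procedure as a script, added here as an example and not part of the original QuoVadis article. It runs from an elevated PowerShell prompt on Windows Server 2008 R2 (the built-in PowerShell 2.0 is sufficient), exports a backup of the Protocols key (step 2), creates the Client and Server keys and sets Enabled to 0 for SSL 2.0 and SSL 3.0 (steps 4 to 13), and then reads every value back so you can confirm the result before rebooting (step 14). The registry paths and value names are the real Schannel locations; the backup file name and the function names are this script's own. It also sets DisabledByDefault, which the article does not mention:

```powershell
# Added example, not code from the QuoVadis KB article. Run elevated; a reboot
# is still needed for Schannel to pick up the new values.

$protocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocolsReg  = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols     = @('SSL 2.0', 'SSL 3.0')
$sides         = @('Client', 'Server')

function Backup-SchannelProtocols {
    # Step 2: export the Protocols key so it can be restored later with "reg import".
    # The file name (schannel-protocols-<timestamp>.reg under %TEMP%) is this script's choice.
    $file = Join-Path $env:TEMP ('schannel-protocols-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    if (-not (Test-Path $protocolsPath)) { New-Item -Path $protocolsPath -Force | Out-Null }
    & reg.exe export $protocolsReg $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit code $LASTEXITCODE)" }
    return $file
}

function Disable-SchannelProtocol {
    param([Parameter(Mandatory = $true)][string]$Name)
    foreach ($side in $sides) {
        $key = "$protocolsPath\$Name\$side"
        # Steps 6, 8, 10, 12: create the Client / Server key if it is missing.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Steps 7, 9, 11, 13: Enabled = 0 (0x00000000) turns the protocol off for this side.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        # Not in the article: DisabledByDefault = 1 also stops applications that ask
        # Schannel for the default protocol set from negotiating this protocol.
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-SchannelProtocolDisabled {
    # Returns $true only when Enabled exists and is 0 under both Client and Server.
    # A missing Enabled value means "use the Schannel default", which for SSL 3.0 is on.
    param([Parameter(Mandatory = $true)][string]$Name)
    $disabled = $true
    foreach ($side in $sides) {
        $key  = "$protocolsPath\$Name\$side"
        $item = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($item -eq $null -or $item.Enabled -ne 0) {
            Write-Warning "$Name ${side}: Enabled is missing or non-zero, protocol is still on"
            $disabled = $false
        } else {
            Write-Host ('{0,-8} {1,-6} Enabled = 0x{2:x8}' -f $Name, $side, $item.Enabled)
        }
    }
    return $disabled
}

$backup = Backup-SchannelProtocols
Write-Host "Backup written to $backup (revert with: reg import `"$backup`")"

foreach ($p in $protocols) { Disable-SchannelProtocol -Name $p }

$allOff = $true
foreach ($p in $protocols) {
    if (-not (Test-SchannelProtocolDisabled -Name $p)) { $allOff = $false }
}

if ($allOff) {
    Write-Host 'SSL 2.0 and SSL 3.0 are disabled in the registry; reboot for Schannel to apply the change.'
} else {
    Write-Warning 'At least one Enabled value is not 0; review the warnings above before rebooting.'
}
```

The script only touches the SSL 2.0 and SSL 3.0 keys, so TLS settings are left as they are. To undo it, import the .reg file it printed and reboot again. Windows Server 2003 has no PowerShell out of the box, so use the regedit steps above on that platform.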

Windows Server 2003

This procedure can also be used on a Windows Server 2003 server (IIS 6). You may find that some of the keys mentioned above already exist. Note that Schannel on Windows Server 2003 treats 0xffffffff, not 1, as "true" for these DWORD values; 0 still means "false", so setting Enabled to 0 disables the protocol on both platforms. Keep the 0xffffffff convention in mind for any value you do want to set to "true" on Windows Server 2003.

Reverting Back

If you make a mistake or something just isn't right, you can revert to your previous registry settings by opening the Registry Editor, clicking on File and then on Import, selecting the backup you made in step 2, and rebooting the server again.