IIS - Disable unsecure SSL versions

SSL version 2 hasn't been used as default protocol for years now, but is often found activated to support legacy-products. However, it can also be a considerable security risk. Many websites are still using SSL version 3, but there was recently discovered a serious leak in this protocol. Thus, we strongly recommend both of them off. This can be done by changing the settings in the registry

switching off PCT 1.0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server] "Enabled"=dword:00000000

switching off SSL 2.0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000

switching off SSL 3.0:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000

When the protocol to disable cannot be found in the ..\SCHANNEL\Protocols\ registry tree, you can easely create it.
The steps herefor are described below, we are going to disable SSLv3 in this example:

  1. Right-click on Protocols and pick New -> Key
  2. Enter for this new key the name of the protocol that you're going to disable, e.g. SSL 3.0
  3. Right-click on the new key and again pick New -> Key
  4. Enter Server as the neme for this key
  5. Right-click on the new Server key and select New -> DWORD
  6. Enter for this DWORD as Value: Enabled.
  7. Dubbelclick on the new DWORD and check for the Value Data being 0 and click on Ok.
  8. The protocol has now been disabled in the regestry settings, the server has to be rebooted now to make the modification active.

To check whether a website allows SSL2 or SSL v3, you can issue the SSLCheck.


Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up