IIS - Disable insecure SSL versions
SSL version 2 has not been the default protocol for years, but it is often found still enabled to support legacy products, and it is a considerable security risk. Many websites still use SSL version 3, but a serious vulnerability was recently discovered in that protocol as well. We therefore strongly recommend switching both of them off. This is done by changing the following settings in the registry:
switching off PCT 1.0:
switching off SSL 2.0:
switching off SSL 3.0:
When the protocol to disable cannot be found in the ..\SCHANNEL\Protocols\ registry tree, you can easily create it.
The steps for this are described below; in this example we disable SSLv3:
- Right-click on Protocols and pick New -> Key
- Enter for this new key the name of the protocol that you're going to disable, e.g. SSL 3.0
- Right-click on the new key and again pick New -> Key
- Enter Server as the name for this key
- Right-click on the new Server key and select New -> DWORD
- Enter Enabled as the name of this DWORD.
- Double-click on the new DWORD, verify that the Value data is 0 and click Ok.
- The protocol is now disabled in the registry settings; the server must be rebooted for the change to take effect.
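The same steps in script form, as an added example that is not part of the original page. It assumes the standard SCHANNEL location under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, creates the "<Protocol>\Server" key if it is missing, sets the Enabled DWORD to 0, and then reads the values back so the change can be verified before the reboot. The function and parameter names are the example's own; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original page): disable PCT 1.0, SSL 2.0 and SSL 3.0
# for the server side of SCHANNEL by creating the registry keys described above.
# Assumed path: the standard SCHANNEL Protocols key under HKLM.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'SSL 2.0', 'SSL 3.0', 'PCT 1.0'
        [string]$Side = 'Server'                   # 'Server' as in the steps above; 'Client' also exists
    )
    $protocolKey = Join-Path $SchannelProtocols $Protocol
    $sideKey     = Join-Path $protocolKey $Side

    # Steps 1-4: create "<Protocol>" and then "<Protocol>\<Side>" if they do not exist yet.
    foreach ($key in $protocolKey, $sideKey) {
        if (-not (Test-Path $key)) {
            New-Item -Path $key | Out-Null
        }
    }

    # Steps 5-7: DWORD named "Enabled" with value data 0 (creates or overwrites it).
    New-ItemProperty -Path $sideKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-SchannelProtocolState {
    # Reads the Enabled value back; a missing value means the OS default applies.
    param(
        [string[]]$Protocols = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0'),
        [string]$Side = 'Server'
    )
    foreach ($p in $Protocols) {
        $sideKey = Join-Path (Join-Path $SchannelProtocols $p) $Side
        $enabled = (Get-ItemProperty -Path $sideKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Protocol = $p
            Side     = $Side
            Enabled  = if ($null -eq $enabled) { 'not set (OS default)' } else { $enabled }
        }
    }
}

foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
    Disable-SchannelProtocol -Protocol $p
}
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host 'Registry updated; reboot the server for the change to take effect.'
```

Get-SchannelProtocolState can also be run on its own, before any change, to audit which of these protocols a server currently has explicitly configured.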
To check whether a website still allows SSL 2 or SSL v3, you can run SSLCheck against it.