How to disable SSL 2.0 and force SSL 3.0 and TLS 1.0 in IIS

If you want to replace a weak protocol configuration with a stronger one, you can follow this procedure. (Note that SSL 3.0 and TLS 1.0 have since been deprecated as well; the same keys, with Enabled set to 0, are used to switch them off on a current server.)

  1. First of all, back up your registry.
  2. Disable SSL 2.0:
    1. Browse to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0” key.
    2. There is probably a key there called “Client”. If there is not also a key under there called “Server”, create it (and create “Client” too if it is missing).
    3. Under the “SSL 2.0\Client” sub-key, create a DWORD value called “Enabled” and set it to “0”.
    4. Under the “SSL 2.0\Server” sub-key, create a DWORD value called “Enabled” and set it to “0”, too. (This disables SSL 2.0 for both outgoing and incoming connections.)
  3. Enable SSL 3.0:
    1. Browse to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols” key.
    2. If there is not a key under there called “SSL 3.0”, create it.
    3. Under “SSL 3.0”, create a key called “Client” and a key called “Server”.
    4. For both “Client” and “Server”, add a DWORD value called “Enabled” and set it to “1”. (This enables SSL 3.0.)
  4. Enable TLS 1.0:
    1. Browse to the “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols” key.
    2. If there is not a key under there called “TLS 1.0”, create it.
    3. Under “TLS 1.0”, create a key called “Client” and a key called “Server”.
    4. For both “Client” and “Server”, add a DWORD value called “Enabled” and set it to “1”. (This enables TLS 1.0.)
  5. Add support for the RC2, RC4 and 3DES ciphers:
    1. Browse to this key: “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers”
    2. Under “Ciphers”, add three keys: “RC2 128/128”, “RC4 128/128” and “Triple DES 168/168”. (The forward slashes are part of the key names.)
    3. Do not add any values or keys under the three new keys. With no “Enabled” value present, SCHANNEL applies its built-in default, which leaves these ciphers enabled; to switch one off later, add a DWORD “Enabled” set to “0” under its key. RC2, RC4 and 3DES are all considered weak today, so on a current server that is what you would do.
  6. Restart the server; SCHANNEL only picks up these changes after a reboot.

Or you could just run these commands from an administrative command-line:

REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC2 128/128" /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128" /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168" /f
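The same procedure as a PowerShell script that applies the settings idempotently and reads them back, added here as an example and not part of the original post. The function names, the $Desired table and the DisabledByDefault handling are this example's own choices: DisabledByDefault is the second DWORD SCHANNEL consults on newer Windows versions (1 means the protocol is not offered unless an application explicitly asks for it), and setting it alongside Enabled keeps the two consistent. Run it from an elevated PowerShell. The cipher keys are created through .NET because the PowerShell registry provider treats the "/" in their names as a path separator. Change the 1s in $Desired to 0s to disable SSL 3.0 and TLS 1.0 as well on a current server.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: apply the SCHANNEL settings
# described above and read them back. Function names, the $Desired table
# and the DisabledByDefault handling are this example's own choices.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired protocol state as in the post: SSL 2.0 off, SSL 3.0 and TLS 1.0 on.
# On a current server you would set SSL 3.0 and TLS 1.0 to 0 here as well.
$Desired = [ordered]@{
    'SSL 2.0' = 0
    'SSL 3.0' = 1
    'TLS 1.0' = 1
}

# Returns a registry value, or $null when the key or the value is absent
# (works under Set-StrictMode too, unlike dotting into a missing property).
function Get-RegValueOrNull {
    param([string] $Key, [string] $Name)
    if (-not (Test-Path $Key)) { return $null }
    $P = (Get-ItemProperty -Path $Key).PSObject.Properties[$Name]
    if ($P) { $P.Value } else { $null }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [ValidateRange(0, 1)] [int] $Enabled
    )
    # Each protocol has a Client (outgoing) and a Server (incoming) side.
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path $SchannelBase "Protocols\$Protocol\$Side"
        if (-not (Test-Path $Key)) {
            New-Item -Path $Key -Force | Out-Null   # -Force also creates Protocols\<proto>
        }
        # Enabled: 0 = protocol unavailable, 1 = available.
        # DisabledByDefault (assumption: set alongside Enabled, not in the post):
        # 1 = not offered unless an application explicitly requests it.
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord `
            -Value $Enabled -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value (1 - $Enabled) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)] [string] $Protocol)
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path $SchannelBase "Protocols\$Protocol\$Side"
        # A missing value means SCHANNEL falls back to the OS default for that version.
        $Enabled = Get-RegValueOrNull -Key $Key -Name 'Enabled'
        $Default = Get-RegValueOrNull -Key $Key -Name 'DisabledByDefault'
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $Side
            Enabled           = if ($null -eq $Enabled) { 'absent (OS default)' } else { $Enabled }
            DisabledByDefault = if ($null -eq $Default) { 'absent (OS default)' } else { $Default }
        }
    }
}

foreach ($Protocol in $Desired.Keys) {
    Set-SchannelProtocol -Protocol $Protocol -Enabled $Desired[$Protocol]
}

# Create the three cipher keys with no values under them, as the post does.
# The PowerShell registry provider treats "/" as a path separator, so go
# through .NET, where "RC4 128/128" is a single key name.
$Ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
    'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
foreach ($Cipher in 'RC2 128/128', 'RC4 128/128', 'Triple DES 168/168') {
    $Ciphers.CreateSubKey($Cipher).Close()
}
$Ciphers.Close()

# Read the result back. SCHANNEL picks the change up only after a reboot.
$Desired.Keys | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize
```

The read-back table is the check worth keeping: after the reboot, run just the Get-SchannelProtocolState loop again (or `reg query` on the same keys) to confirm nothing else, such as Group Policy or a hardening tool, has rewritten the values.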
