How to disable SSL 2.0 and force SSL 3.0 and TLS 1.0 in IIS

If you want to change your weak encryption level and set a more secure encryption level, you can follow the following procedure:

  1. First of all, backup your registry
  2. Disable SSL 2.0:
    1. Browse to the “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0″ key.
    2. There is probably a key there called “Client”. If there is not also a key under there called “Server”, create it.
    3. Create a DWORD for the “SSL 2.0Client” sub-key called “Enabled” and set it to “0”.
    4. Create a DWORD value for the “SSL 2.0Server” subkey and set it to “0”, too. (This will disable SSL version 2.0)
  3. Enable SSL 3.0:
    1. Browse to the “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols” key.;
    2. If there is not a key under there called “SSL 3.0″, create it.
    3. Under “SSL 3.0″, create a key called “Client” and a key called “Server”.
    4. For both “Client” and “Server”, add a DWORD value to each called “Enabled” and set it to “1” (This will enable SSL 3.0).
  4. Enable TLS 1.0:
    1. Browse to the “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols” key.
    2. If there is not a key under there called “TLS 1.0″, create it.
    3. Under “TLS 1.0″, create a key called “Client” and a key called “Server”.
    4. For both “Client” and “Server”, add a DWORD value to each called “Enabled” and set it to “1” (This will enable TLS 1.0).
  5. Add support for the RC2, RC4, and 3DES ciphers:
    1. Browse to this key: “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphers”
    2. Under “Ciphers” you will add three keys. The first is called “RC2 128/128″. The second is called “RC4 128/128″. The third is called “Triple DES 168/168″.
    3. Do not add any values or keys under the three new keys.
  6. Restart the server.

Or you could just run these commands from an administrative command-line:

REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelProtocolsSSL 2.0Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelProtocolsSSL 2.0Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelProtocolsSSL 3.0Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelProtocolsSSL 3.0Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelProtocolsTLS 1.0Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelProtocolsTLS 1.0Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelCiphersRC2 128/128"
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelCiphersRC4 128/128"
REG ADD "HKLMSystemCurrentControlSetControlSecurityProvidersSChannelCiphersTriple DES 168/168"

Further Reference:

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s