
19.08.2016

How to Disable SSL 2.0 and SSL 3.0 in IIS 7

Windows Server 2008 using IIS 7 allows SSL 2.0 and SSL 3.0 by default. Unfortunately, this means you will fail a PCI Compliance scan by default. To properly secure your server and ensure that you pass your PCI DSS scans, you will need to disable SSL 2.0 and disable weak ciphers. In order to disable SSL 2.0 and SSL 3.0 in IIS 7 and make sure that the stronger TLS 1.0 is used, follow these instructions:

1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate the following registry key/folder:
   HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
5. Enter Enabled as the name and hit Enter.
6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
7. Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.
8. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
9. Enter Enabled as the name and hit Enter.
10. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
11. Restart the computer.
12. Verify that no SSL 2.0 or SSL 3.0 ciphers are available at ServerSniff.net or the Public SSL Server Database.

Note: This process is essentially the same on an IIS 6 (Windows Server 2003) machine. Normally, the Server key under SSL 2.0 will already be created so you will just need to create a new DWORD value under it and name it Enabled.

For more information, read Microsoft's Knowledgebase article on how to disable SSL 2.0 and other protocols in IIS 7.
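
A scripted equivalent of steps 2 to 10, as an added example (not code from the original article or from Microsoft). The function names are hypothetical, it assumes an elevated PowerShell prompt, and it reports the resulting registry state so that a missing key or value ("not set") can be told apart from an applied change.

```powershell
# Added example: scripted form of steps 2-10. Function names are hypothetical.
# Run from an elevated prompt; written to work on PowerShell 2.0 (Windows Server 2008).
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    param([string]$Protocol)
    $key   = "$SchannelProtocols\$Protocol\Server"
    $value = $null
    if (Test-Path -Path $key) {
        # Returns nothing (so $value stays $null) when the Enabled value is absent
        $value = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    }
    if ($null -eq $value) { $state = 'not set (OS default applies)' }
    elseif ($value -eq 0) { $state = 'disabled' }
    else                  { $state = 'enabled' }
    New-Object PSObject -Property @{ Protocol = $Protocol; Enabled = $value; State = $state } |
        Select-Object Protocol, Enabled, State
}

function Disable-SchannelServerProtocol {
    param([string]$Protocol)
    $key = "$SchannelProtocols\$Protocol\Server"
    # Steps 3 and 7: create the Server key, and the protocol key above it if absent.
    # Only create when missing, to avoid recreating an existing key.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Steps 4-6 and 8-10: DWORD value "Enabled" = 0
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

foreach ($protocol in 'SSL 2.0', 'SSL 3.0') {
    Disable-SchannelServerProtocol -Protocol $protocol
    Get-SchannelServerState -Protocol $protocol
}

Write-Warning 'Restart the computer (step 11) before re-scanning the server.'
```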


Disable Weak Ciphers In IIS 7.0

In addition to disabling SSL 2.0, you can disable some weak ciphers by editing the registry in the same way. To speed up the process, you can paste the following into a text file and name it disableWeakCiphers.reg, then double-click it.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES56
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC240
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC256
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC440
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC456
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC464
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL
"DisabledByDefault"=dword:00000001

Originally posted on Sun Oct 19, 2008

23 Comments

gary, 2 years ago

Registry commands did not disable anything. I successfully used the instructions to install these registry settings and restarted IIS. I ran the DigiCert SSL checker test and it tells me I still have the version 3 problem. Server 2008 R2, IIS 7.5.7600

Alex Lewis > gary, 2 years ago

Gary, these registry changes require a reboot of Windows, not just an IIS restart.

Highman, 2 years ago

I had to prepend the following snippet into your .reg file as the first line to get it to work:
Windows Registry Editor Version 5.00

Karl, a year ago

Hi,
I don't have an SSL 3.0 folder, do I ignore this step or create the folder and add the entry?
Thanks for the details of how to do this, not rebooted yet, but I assume will work, better than the MS fix that said This Microsoft fix does not apply to your OS!!!
Cheers
Karl

ARPANET, 2 years ago

Cheers :) Worked a treat. For those that want to enable TLS 1.1 and TLS 1.2 while they are at it, here you go (Must be 2008 or newer):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protoc
1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protoc
1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protoc
1.1\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
Russell, 2 years ago

Another great resource with a solid PowerShell script is http://www.hass.de/content/set...

Fireball, 2 years ago

If we disable all ciphers above do we need to add AES 128/128 or 256 as something that is available during the handshake?

vinoth, 2 years ago

Y we are disabling only in server and not in client folder? replies pls

Wayne, 2 years ago

For people saying it didn't work: please keep in mind you have to fully reboot to implement registry changes. Restarting IIS isn't enough.

Ska, 2 years ago

Also for me it did not work in IIS, with Windows Server 2012

Keith Davis, 2 years ago

I've followed these directions and http://poodlebleed.com/ still states that SSL 3.0 is enabled.

David, 2 years ago

Figured it out. Citrix CSG was keeping the port opened. When reconfigured all ok.

Phil, 2 years ago

Thank you, very helpful.

Jean, 2 years ago

If I do this above and I don't see the SSL 3.0 in the registry as being enabled should I add that before I disable the 2.0 so my certificates won't be impacted?
Wrap2tyt, 2 years ago

To be clear... I need to disable support for SSL Server CBC Ciphers for TLSv1 & SSLv3 AND support for SSL Server Supports Weak MAC Algorithms for SSLv3 & TLSv1 on both Windows 2003 and 2008 servers. I understand how to edit the registry keys however which of the descriptions above are specific to Windows 2003?
Thanks

Lokman Razak, 2 years ago

As mentioned in Reply #5, I had a problem where the reg file is not adding the registry. I got the warning "The specified file is not a registry script". This can be fixed by adding the following text in the first line of the reg file:
Windows Registry Editor Version 5.00
Good luck!

Michael Adams, 2 years ago

Per a DigiCert guide on disabling SSLv3, you also need to add the following...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Pr
3.0\Client]
"DisabledByDefault"=dword:00000001

Groovejets, 2 years ago

Thanks for publishing this just implemented now. You saved me a long search I am guessing. We failed the Qualys scan

Marco, 2 years ago

Thanks for your article. Very helpful

Spryor, 2 years ago

Thanks for sharing your article on disabling weak ciphers and SSL 2.0, very helpful.

Toby, 2 years ago

Came across your site while trying to fix issues with our score from ssllabs.com
Just wanted to say thank you for the info and the registry data to disable the weak ciphers for IIS 7

David, 2 years ago

I get the same as Gary, on Windows 2008 R2 IIS 7.5.7600. I've run through this and have compared it multiple over websites all saying the same thing. It says SSL 3.0 is still enabled.

Help!!
Jeremy > David, 9 months ago

I went through this last year, and it turned out that the load balancer had an SSL certificate and protocol settings that needed to be updated. I don't know the details of the settings, but it wasn't on the web server at all.

https://www.sslshopper.com/articlehowtodisablessl2.0iniis7.html
