SSL 3.0 in IIS 7.0

One quirk I recently ran into was regarding SSL version 3.0 in IIS 7.0. I was under the impression that IIS defaulted to SSL 3.0 and had 2.0 disabled… this is apparently not the case. While going through a PCI audit we found that the server was still accepting SSL 2.0 connections, which is apparently against the PCI guidelines. Here is how to change this so that SSL 2.0 is disabled:

  1. On the server, run REGEDT32
  2. Create or edit the following key to disable SSL 2.0: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
  3. Reboot the server
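The same three steps scripted, as an added example that is not part of the original post: the key path is the one from step 2, and the value written under it is the Schannel REG_DWORD "Enabled" set to 0, which is what tells Schannel to refuse a protocol for the server role. It assumes an elevated PowerShell prompt on the IIS host (Server 2008 or later); the reboot in step 3 is still required.

```powershell
# Added example, not from the original post. Disables SSL 2.0 for the server
# role in Schannel and reads the value back so it can be checked before reboot.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'
$serverKey = Join-Path (Join-Path $protocols 'SSL 2.0') 'Server'

# Step 2a: create the "SSL 2.0" and "Server" subkeys if they do not exist yet
# (on a default install the Protocols key is usually empty).
foreach ($key in @((Join-Path $protocols 'SSL 2.0'), $serverKey)) {
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key | Out-Null
    }
}

# Step 2b: Enabled = 0 (REG_DWORD) disables the protocol for the server side.
# -Force overwrites an existing Enabled = 1 if one is already present.
New-ItemProperty -Path $serverKey -Name 'Enabled' -Value 0 `
    -PropertyType DWord -Force | Out-Null

# Check what was actually written. The audit scanner tests the live listener,
# so this only confirms the registry change; the reboot (step 3) applies it.
$enabled = (Get-ItemProperty -Path $serverKey -Name 'Enabled').Enabled
if ($enabled -ne 0) {
    throw "Expected Enabled = 0 under $serverKey, found $enabled"
}
Write-Output "SSL 2.0 server-side disabled in registry; reboot required to apply."
```

Only the Server subkey is needed to stop the box from accepting SSL 2.0 connections; a Client subkey with the same value would additionally stop the machine from initiating SSL 2.0 connections to other hosts.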


2 Comments on “SSL 3.0 in IIS 7.0”

  1. MIke G Says:

    The trick did not work for my Windows Server 03 box. After a restart, PCI is still returning it's failed because of this: “The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cr….”
    I verified everything in IIS has a certificate and is required to use SSL 128-bit.

    Now in the registry I only did your step 2 for 2.0/Server and not 2.0/Client. Do you think I should do Client too?
    Thanks for any advice.

  2. Brian Says:

    No, you shouldn’t need to do the Client, only the Server key. Did you restart the server (not the IIS service, but the system itself)? If you don’t restart, the change will not take effect. If it helps, here’s the official Microsoft KB on it:
