Author
29 Dec 2008 8:53 PM
glleon
I have a new Windows web server running Server 08 and IIS 7.  Whenever it is
scanned it is still accepting SSL v2.0 connections, and it causes us to fail
our PCI compliance vulnerability scans.  I have read several articles on how
to do this; however, my server has none of the keys in the registry that are
referred to.  It only contains the key SSL 2.0 with a client subkey with a
DWORD already there that says disabled by default.  There is no server
subkey in the SSL 2.0 subkey, and no SSL 3.0, PCT 1.0 or TLS 1.0 in the
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
What am I missing?

Author
31 Dec 2008 12:29 PM
DaveMo
On Dec 29, 12:53 pm, "glleon" <gleon***@progrexion.com> wrote:
> I have a new Windows web server running Server 08 and IIS 7.  Whenever it is
> scanned it is still accepting SSL v2.0 connections, and it causes us to fail
> our PCI compliance vulnerability scans.  I have read several articles on how
> to do this; however, my server has none of the keys in the registry that are
> referred to.  It only contains the key SSL 2.0 with a client subkey with a
> DWORD already there that says disabled by default.  There is no server
> subkey in the SSL 2.0 subkey, and no SSL 3.0, PCT 1.0 or TLS 1.0 in the
> HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
> What am I missing?

Some of these settings aren't present by default.
http://technet.microsoft.com/en-us/library/cc776467.aspx seems to back
that up. Simply create the subkey and set the flag to disabled and you
should be good.

You should think about using Group Policy to push this setting to your
servers if it's a compliance issue.

HTH,
Dave
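
The step described in the reply above (create the missing Server subkey and set the flag to disabled), as an added PowerShell example that is not part of the original thread. It assumes the flag is the `Enabled` DWORD set to 0, as given in Microsoft's Schannel registry documentation rather than in the thread; the function names are hypothetical.

```powershell
# Added example: audit Schannel server-side protocol settings, then disable SSL 2.0.
# Run from an elevated PowerShell prompt on the web server.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    # Reports, per protocol, whether the Server subkey exists and what it says.
    # A missing key or value means the OS default applies, which is why a scan
    # can still see SSL 2.0 even though nothing in the registry enables it.
    param([string[]]$Protocol = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'))
    foreach ($p in $Protocol) {
        $key   = Join-Path $Base "$p\Server"
        $state = 'not configured (OS default applies)'
        if (Test-Path $key) {
            $v = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
            if ($null -eq $v)   { $state = 'key present, no Enabled value (OS default applies)' }
            elseif ($v -eq 0)   { $state = 'disabled' }
            else                { $state = 'enabled' }
        }
        New-Object PSObject -Property @{ Protocol = $p; Server = $state }
    }
}

function Disable-SchannelServerProtocol {
    # Creates <Protocol>\Server if it is absent and writes Enabled = 0 (DWORD).
    param([Parameter(Mandatory = $true)][string]$Protocol)
    $key = Join-Path $Base "$Protocol\Server"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

# Before: on a default install every protocol is expected to show "not configured".
Get-SchannelServerState | Format-Table -AutoSize

Disable-SchannelServerProtocol -Protocol 'SSL 2.0'

# After: SSL 2.0 should now report "disabled".
Get-SchannelServerState -Protocol 'SSL 2.0' | Format-Table -AutoSize
```

Schannel reads these values at startup, so restart the server and rerun the vulnerability scan to confirm SSL 2.0 is no longer accepted.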