As most everyone has heard, SSL 2.0 has been compromised, and most PCI certification authorities now require SSL 2.0 to be disabled. I am sure that with POODLE, SSL 3.0 is not far behind, but that is for another article.
I have written the following batch file to make all the needed changes and save some legwork.
REM Disable SSL 2.0 for both the server and client sides of SChannel
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REM Explicitly leave SSL 3.0 enabled (see the note about POODLE above)
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
REM Explicitly leave TLS 1.0 enabled
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
Just copy and paste the code into a text editor such as Notepad, save the file with a .cmd extension, and run it as administrator. Reboot your server and you are all set.
Now, for all you folks who like to do things the old-fashioned way, here is the documentation to do it manually using regedit.
Regedit can be opened with Start, Run, regedit.
Once there, find this entry:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
Enter Enabled as the name and hit Enter.
Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click, select Modify, and enter 0 as the Value data.
Regedit can be opened with Start, Run, regedit.
Once there, find this entry:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
Right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.
Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
Enter Enabled as the name and hit Enter.
Right-click, select Modify, and enter 1 as the Value data.
Regedit can be opened with Start, Run, regedit.
Once there, find this entry:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
Right-click on the TLS 1.0 folder and select New and then click Key. Name the new folder Server.
Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
Enter Enabled as the name and hit Enter.
Right-click, select Modify, and enter 1 as the Value data.
Restart the computer.
Now we need to test and make sure our work was successful. You can accomplish this a couple of different ways. I personally use the easy way of going to the following website and entering my web server's address.
https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm
If all is successful, you should see that SSL 2.0 is disabled and SSL 3.0 and TLS 1.0 are enabled.
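As an added example that is not part of the original post, here is a PowerShell script that audits the same SChannel registry keys locally, so you can confirm the values before the reboot and the external check. It assumes the key layout used in this article and an elevated prompt; the value names Enabled and DisabledByDefault are the ones SChannel reads.

```powershell
# Added example, not from the original post: audit the SChannel protocol keys
# the batch file above writes and report what each one currently says.
# Assumes the same key layout as the article; run from an elevated prompt.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'
$Sides = 'Server', 'Client'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)
    $Path = Join-Path (Join-Path $Base $Protocol) $Side
    $Enabled = $null
    $DisabledByDefault = $null
    if (Test-Path $Path) {
        $Key = Get-ItemProperty -Path $Path
        $Enabled = $Key.Enabled                      # DWORD, $null when the value is absent
        $DisabledByDefault = $Key.DisabledByDefault  # DWORD, $null when the value is absent
    }
    # Enabled=0 switches the protocol off outright; a missing key or value leaves
    # the OS default in force, and any other value leaves the protocol available.
    $State = if ($null -eq $Enabled) { 'OS default (not set)' }
             elseif ($Enabled -eq 0) { 'Disabled' }
             else { 'Enabled' }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = if ($null -eq $Enabled) { '-' } else { $Enabled }
        DisabledByDefault = if ($null -eq $DisabledByDefault) { '-' } else { $DisabledByDefault }
        State             = $State
    }
}

$Results = foreach ($p in $Protocols) {
    foreach ($s in $Sides) { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$Results | Format-Table -AutoSize

# The point of the article: SSL 2.0 must read Disabled on both the Server and Client side.
$Ssl2Open = $Results | Where-Object { $_.Protocol -eq 'SSL 2.0' -and $_.State -ne 'Disabled' }
if ($Ssl2Open) {
    Write-Warning "SSL 2.0 is not explicitly disabled for: $($Ssl2Open.Side -join ', ')"
} else {
    Write-Host 'SSL 2.0 is disabled for both Server and Client.'
}
```

The registry values take effect only after the reboot, so the table tells you what the server will do once restarted, not what it is doing right now.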