Setting up Windows Server 2008 to use only SSL 3.0 and TLS 1.0 and disable SSL 2.0

As part of a recent penetration test it was identified that our server was
allowing SSL 2.0, which the testers flagged as an insecure protocol. We were
required to move to SSL 3.0 or TLS 1.0 and disable SSL 2.0. You would think
that Microsoft would make this easy; however, it took several days to find out
how to do this, as all of the other articles out there were very confusing, so
here is a step-by-step guide.

This guide uses the Windows Registry, so make sure you back up the registry
first. I have only performed this on Windows Server 2008 Standard Edition,
Windows Server 2008 Partner Edition and Windows Server 2008 Enterprise Edition
(all 64-bit). I accept no responsibility if this goes wrong; however, from
experience there are no adverse effects even if you stop half way through
making the changes!

Open Regedit

Browse to the following key (the path is written here on one line; in Regedit
you expand each folder in turn):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0

You will find two sub-folders (keys) in this folder called Client and Server.

Click on the Client sub-folder

You will see one item, DisabledByDefault (REG_DWORD), with a Value of 1

Create a new DWORD (32-bit) Value

Name it Enabled and set the value to 0
(This is the default value anyway)

Click on the Server sub-folder

Create a new DWORD (32-bit) Value

Name it Enabled and set the value to 0
(This is the default value anyway)

Right-click on the Protocols folder, and choose New > Key
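The Client and Server values above follow the same pattern for every protocol key under Protocols, so here is an added PowerShell example (my own, not part of the original post) that audits the Enabled and DisabledByDefault values for SSL 2.0, SSL 3.0 and TLS 1.0 and disables a named protocol the way the guide does, creating the keys if they do not exist yet. It assumes an elevated PowerShell session on one of the 64-bit Windows Server 2008 editions listed above.

```powershell
# Added example, not from the original post. Assumes an elevated session.
$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory=$true)][string]$Protocol)   # e.g. 'SSL 2.0'

    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $ProtocolsRoot $Protocol) $side
        # The guide creates missing keys by hand (New > Key); do the same here.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 is the value the guide sets under both Client and Server.
        Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
        # DisabledByDefault = 1 is the value the guide finds already present under Client.
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
    }
}

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0'))

    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $ProtocolsRoot $p) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                      # $null = value absent
                $disabledByDefault = $props.DisabledByDefault  # $null = value absent
            }
            # PowerShell 2.0 (Server 2008) compatible object construction
            New-Object PSObject -Property @{
                Protocol          = $p
                Side              = $side
                KeyExists         = (Test-Path $key)
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

# Usage: run the audit before and after the change.
Get-SchannelProtocolState | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
Disable-SchannelProtocol -Protocol 'SSL 2.0'
Get-SchannelProtocolState | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault -AutoSize
```

Schannel only reads these values at boot, so reboot the server after the change and re-run the audit (and the scanner the testers used) to confirm SSL 2.0 is no longer offered.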
