IIS - Disable unsecure SSL versions
Older protocol versions such as SSLv2, SSLv3 and TLS 1.0 have not been the default protocol for years, but they are still often found enabled to keep legacy products working. This is a considerable security risk, so we strongly recommend switching all of them off. This is done by changing settings in the registry.
switching off PCT 1.0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
switching off SSL 2.0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
switching off SSL 3.0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
switching off TLS 1.0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
switching off TLS 1.1:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
When the protocol to disable cannot be found in the ..\SCHANNEL\Protocols\ registry tree, you can easily create it yourself.
The steps are described below; in this example we disable SSLv3:
- Right-click on Protocols and pick New -> Key
- Enter as the name of this new key the name of the protocol you are going to disable, e.g. SSL 3.0
- Right-click on the new key and again pick New -> Key
- Enter Server as the name for this key
- Right-click on the new Server key and select New -> DWORD (32-bit) Value
- Enter Enabled as the name of this DWORD
- Double-click the new DWORD, check that the Value Data is 0 and click OK
- The protocol is now disabled in the registry settings; the server has to be rebooted to make the modification active.
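The registry entries listed above and the manual steps just described can be applied in one go from an elevated PowerShell session. The script below is an added example and not part of the original article: it creates the Protocols\<name>\Server key when it is missing (the manual New -> Key steps), sets the Enabled DWORD to 0, and shows the state before and after so you can confirm the change. The list of protocol names and the function names are this example's own choices; the registry path and value name are the ones the article uses.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): disable legacy SChannel server-side
# protocols by creating the registry keys the article describes and setting Enabled=0.
# A reboot is still required before SChannel picks up the change.

# Protocol key names are the ones SChannel expects under ...\SCHANNEL\Protocols
$protocols = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    # Report, per protocol, whether the Server key exists and what Enabled is set to.
    # Enabled = $null means the value is not set and the SChannel default applies.
    foreach ($p in $protocols) {
        $key = Join-Path -Path $base -ChildPath "$p\Server"
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Protocol  = $p
            KeyExists = (Test-Path $key)
            Enabled   = $enabled
        }
    }
}

function Disable-SchannelServerProtocol {
    param([Parameter(Mandatory)][string]$Protocol)
    $key = Join-Path -Path $base -ChildPath "$Protocol\Server"
    # Same as the manual steps: New -> Key (protocol name), New -> Key (Server), ...
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null   # -Force also creates the parent key
    }
    # ... New -> DWORD named Enabled with Value Data 0 (overwrites an existing value)
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

Write-Host 'Before:'
Get-SchannelServerState | Format-Table -AutoSize

foreach ($p in $protocols) { Disable-SchannelServerProtocol -Protocol $p }

Write-Host 'After (reboot required before the change is active):'
Get-SchannelServerState | Format-Table -AutoSize
```

Run it once, check that every row in the "After" table shows KeyExists = True and Enabled = 0, then reboot. Microsoft also documents a DisabledByDefault value and a Client subkey next to Server; this example deliberately sets only the server-side Enabled value, exactly as the article does, so client connections made from this machine are not affected.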
To check whether a website still allows older protocols, you can run an SSLCheck.
SSLCheck
Our SSLCheck examines your website's root and intermediate certificates for correctness and reports any potential issues.
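For a quick local verification after the reboot, the following added example (not part of the original article or the SSLCheck tool) tries a TLS handshake against your own server once per protocol version and reports which versions are still accepted. The host name, port and function name are assumptions for the example; adjust them to the IIS site you just changed. SSLv2 and SSLv3 are not offered by .NET's SslStream on current Windows, so the probe covers TLS 1.0 through TLS 1.2.

```powershell
# Added example (not from the original article): probe which TLS versions a server
# still accepts, as a local complement to the SSLCheck mentioned above.
function Test-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $client.Connect($HostName, $Port)
        # Certificate validity is what SSLCheck is for; here we only want to know whether
        # the handshake for this single protocol version succeeds, so the callback accepts
        # the certificate and the result reflects protocol negotiation only.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        # Offer exactly one protocol version; a refused version throws and lands in catch
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $ok = $true
        $ssl.Dispose()
    } catch {
        $ok = $false
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{ Protocol = $Protocol; Accepted = $ok }
}

# Example run against the local IIS site (adjust host and port to your own server)
foreach ($name in 'Tls', 'Tls11', 'Tls12') {
    Test-SchannelProtocol -HostName 'localhost' -Port 443 -Protocol ([System.Security.Authentication.SslProtocols]$name)
}
```

Expected after disabling TLS 1.0 and TLS 1.1 on the server: Tls and Tls11 report Accepted = False and Tls12 reports Accepted = True. Note that the probe is also subject to the client-side SChannel settings of the machine it runs on; if TLS 1.0 is disabled under the Client subkey there, the probe reports it as not accepted regardless of the server.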