How to Disable SSLv2/SSLv3 and Enforce TLS in IIS 7.5: A Security Hardening Guide


The older SSL protocols, SSLv2 and SSLv3, contain critical, well-documented weaknesses (DROWN against SSLv2, POODLE against SSLv3) that let an attacker recover data from encrypted sessions. Modern security standards require disabling both protocols and enabling TLS 1.2 or higher.

The most reliable method involves Windows Registry edits. Create these entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001

For server administrators managing multiple machines, here is a PowerShell script that writes the same entries; run it from an elevated session:

# Disable SSLv2/SSLv3 and enable TLS 1.2 for the server side of SCHANNEL.
# New-Item -Force creates the key (or returns it if it already exists) and
# pipes it to New-ItemProperty, which writes the Enabled DWORD.
# Note: SCHANNEL also honours a DisabledByDefault value under the same keys;
# this script only sets Enabled.
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force |
    New-ItemProperty -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force |
    New-ItemProperty -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force |
    New-ItemProperty -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null

# SCHANNEL reads these settings at startup, so the server must be rebooted for
# them to take effect. Remove this line if the restart has to be scheduled.
Restart-Computer -Force

After implementation, verify your settings using OpenSSL. Note that the -ssl2 and -ssl3 options exist only in OpenSSL builds compiled with SSLv2/SSLv3 support (OpenSSL 1.1.0 and later removed SSLv2 and disable SSLv3 at build time by default); an "unknown option" error from the client is not evidence that the server refused the protocol.

openssl s_client -connect yourserver.com:443 -ssl2  # Should fail
openssl s_client -connect yourserver.com:443 -ssl3  # Should fail
openssl s_client -connect yourserver.com:443 -tls1_2  # Should succeed

If you prefer a GUI, the free IIS Crypto tool provides a checkbox for each protocol version; the change takes effect after a reboot.


Modern security standards demand the disabling of vulnerable protocols like SSLv2 and SSLv3 due to well-documented exploits (POODLE, DROWN, etc.). IIS 7.5 administrators often need to enforce TLS-only connections while maintaining backward compatibility where absolutely necessary.

The most reliable method involves Windows Registry edits. Create these keys if they don't exist (the TLS 1.0 entry is the backward-compatibility concession mentioned above; leave it out if no legacy clients require it):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001

For server farms or automated deployments, use this PowerShell script:

# Sets the Enabled DWORD for one protocol/side pair under the SCHANNEL key,
# creating the key first if it is missing. Run from an elevated session.
function Set-SslProtocol {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet("SSL 2.0","SSL 3.0","TLS 1.0","TLS 1.1","TLS 1.2")]
        [string]$Protocol,

        # "Server" governs connections IIS accepts; "Client" governs outbound
        # connections the machine itself makes.
        [Parameter(Mandatory=$true)]
        [ValidateSet("Server","Client")]
        [string]$Type,

        [Parameter(Mandatory=$true)]
        [bool]$Enabled
    )

    $basePath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Type"

    if (-not (Test-Path $basePath)) {
        New-Item -Path $basePath -Force | Out-Null
    }

    # [int]$true is 1 and [int]$false is 0, matching the registry semantics
    # (0 disables the protocol, non-zero enables it).
    Set-ItemProperty -Path $basePath -Name "Enabled" -Value $([int]$Enabled) -Type DWord
}

# Disable vulnerable protocols
Set-SslProtocol -Protocol "SSL 2.0" -Type "Server" -Enabled $false
Set-SslProtocol -Protocol "SSL 3.0" -Type "Server" -Enabled $false

# Enable modern TLS
Set-SslProtocol -Protocol "TLS 1.2" -Type "Server" -Enabled $true
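Both scripts above write the registry but never read it back. The following audit, an added example that is not part of the original article, reports the effective SCHANNEL state for each protocol and flags anything the hardening did not explicitly pin down. It assumes an elevated PowerShell session on the IIS host and the standard SCHANNEL key location; the Enabled and DisabledByDefault value names are Microsoft's, and the function names are mine.

```powershell
# Added example (not from the original article): audit the SCHANNEL server-side
# protocol settings written by the scripts above. Assumes an elevated session on
# the IIS host.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,
        [ValidateSet('Server','Client')][string]$Type = 'Server'
    )
    $path = Join-Path $SchannelBase "$Protocol\$Type"
    # $null for Enabled/DisabledByDefault means "value not set, OS default applies".
    $state = [ordered]@{ Protocol = $Protocol; Type = $Type; KeyExists = $false;
                         Enabled = $null; DisabledByDefault = $null }
    if (Test-Path $path) {
        $state.KeyExists = $true
        $props = Get-ItemProperty -Path $path
        if ($props.PSObject.Properties['Enabled']) {
            # 0 disables the protocol; any non-zero value enables it
            # (0xFFFFFFFF is also common and reads back as -1).
            $state.Enabled = ($props.Enabled -ne 0)
        }
        if ($props.PSObject.Properties['DisabledByDefault']) {
            # 1 means the protocol is not offered unless an application asks for it.
            $state.DisabledByDefault = ($props.DisabledByDefault -ne 0)
        }
    }
    [pscustomobject]$state
}

function Format-SchannelValue {
    param($Value)
    if ($null -eq $Value) { 'not set (OS default)' } else { [string]$Value }
}

function Test-SchannelHardening {
    # Returns $true only when SSL 2.0/3.0 are explicitly disabled and TLS 1.2 is
    # explicitly enabled. A missing key or value is a finding, because it leaves
    # the decision to the OS default rather than to the administrator.
    $findings = @()
    foreach ($legacy in 'SSL 2.0', 'SSL 3.0') {
        $s = Get-SchannelProtocolState -Protocol $legacy
        if ($s.Enabled -ne $false) {
            $findings += "$legacy Server is not explicitly disabled (Enabled = $(Format-SchannelValue $s.Enabled))"
        }
    }
    $tls12 = Get-SchannelProtocolState -Protocol 'TLS 1.2'
    if ($tls12.Enabled -ne $true) {
        $findings += "TLS 1.2 Server is not explicitly enabled (Enabled = $(Format-SchannelValue $tls12.Enabled))"
    }
    if ($tls12.DisabledByDefault -eq $true) {
        $findings += 'TLS 1.2 Server has DisabledByDefault = 1, so it is not offered by default'
    }
    foreach ($f in $findings) { Write-Warning $f }
    return ($findings.Count -eq 0)
}

# Full table of the server-side state, then a pass/fail verdict.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ } |
    Format-Table -AutoSize
Test-SchannelHardening
```

The verdict is deliberately strict: a key that does not exist is reported, not assumed safe, because the protocol's availability then depends on the OS build rather than on the hardening you applied.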

After making changes:

  1. Reboot the server (recommended, since SCHANNEL settings are read at startup) or, at minimum, restart IIS (net stop WAS / net start W3SVC)
  2. Test with OpenSSL: openssl s_client -connect yourserver:443 -ssl2 (should fail; the -ssl2 option requires an OpenSSL build that still includes SSLv2)
  3. Use SSL Labs' test tool: https://www.ssllabs.com/ssltest/
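Where OpenSSL is not installed on the Windows box doing the verification, the same per-protocol check can be made with the .NET SslStream class. The following probe is an added example, not part of the original article or of any IIS tooling: for each SSL/TLS version it opens a connection offering only that version and records whether the server completes the handshake. 'yourserver' is a placeholder host name, and the function names are mine.

```powershell
# Added example (not from the original article): probe a server one SSL/TLS
# version at a time using System.Net.Security.SslStream, as a Windows-native
# alternative to the openssl s_client checks above.
function Test-ServerProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443,
        [Parameter(Mandatory=$true)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $result = [ordered]@{ Protocol = $Protocol; Result = $null; Negotiated = $null; Detail = $null }
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: this probe checks protocol negotiation, not trust.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Offer exactly one protocol version so the outcome is unambiguous.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result.Result = 'ACCEPTED'
        $result.Negotiated = $ssl.SslProtocol
        $ssl.Dispose()
    } catch [System.Security.Authentication.AuthenticationException] {
        # Handshake failed. For SSL 2.0/3.0 this is the desired outcome, but it can
        # also mean the probing client itself no longer offers that version (newer
        # Windows builds disable it on the client side too). Confirm from a client
        # known to support the version, or with the openssl checks above.
        $result.Result = 'REJECTED'
        $result.Detail = $_.Exception.Message
    } catch {
        # Network or socket failure: nothing was learned about the protocol.
        $result.Result = 'ERROR'
        $result.Detail = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

function Test-ServerHardening {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    # Expectations for a hardened server. TLS 1.0/1.1 are left to local policy,
    # matching the article's backward-compatibility note.
    $expected = @{ Ssl2 = 'REJECTED'; Ssl3 = 'REJECTED'; Tls12 = 'ACCEPTED' }
    $results = foreach ($name in 'Ssl2', 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $proto = [System.Security.Authentication.SslProtocols]$name
        Test-ServerProtocol -HostName $HostName -Port $Port -Protocol $proto |
            Add-Member -NotePropertyName Expected -NotePropertyValue $expected[$name] -PassThru
    }
    $results | Format-Table Protocol, Result, Negotiated, Expected -AutoSize
    $failures = @($results | Where-Object { $_.Expected -and $_.Result -ne $_.Expected })
    foreach ($f in $failures) { Write-Warning "$($f.Protocol): got $($f.Result), expected $($f.Expected)" }
    return ($failures.Count -eq 0)
}

# Usage (placeholder host name):
# Test-ServerHardening -HostName 'yourserver'
```

A REJECTED result for Ssl2 or Ssl3 is the goal, but read the Detail column before relying on it: if the probing machine's own client-side SCHANNEL configuration no longer offers that version, the handshake fails locally and the server was never actually tested, which is the same trap as an OpenSSL build without SSLv2/SSLv3 support.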

For ASP.NET applications, ensure these settings in web.config:

<system.web>
  <httpRuntime targetFramework="4.7.2" />
</system.web>

And in applicationHost.config:

<system.webServer>
  <security>
    <access sslFlags="Ssl, SslNegotiateCert" />
  </security>
</system.webServer>