How to remove SSL 2.0 Server-Side Support from Windows Server 2008 R2

SSL 2.0 was released in 1995 and was superseded by SSL 3.0 in 1996 because of a number of protocol-level weaknesses. Nevertheless, Microsoft still enables server-side SSL 2.0 by default in Windows 7 and Windows Server 2008 R2… and any server that still offers SSL 2.0 will fail PCI compliance scanning.

Disabling server-side SSL 2.0 is actually quite simple: create one registry key, add a single DWORD value beneath it, and reboot the server (Schannel only reads these settings at startup):

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Name: Enabled
Type: REG_DWORD
Value: 0


After you’ve disabled it (and rebooted), you can verify the result by using the free SSL Server Test from Qualys SSL Labs. Note that SSL Labs can only test hosts reachable from the Internet; for an internal server, scan it from another machine with a tool such as nmap’s ssl-enum-ciphers script and confirm that no SSLv2 section appears in the output.

There is no need to make any modifications to Internet Information Services (IIS) or Threat Management Gateway (TMG)… this is strictly an operating system level setting, and every Schannel-based service on the box picks it up.

For reference, client-side SSL 2.0 is already disabled by the following registry value, which should be present on a default installation:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Name: DisabledByDefault
Type: REG_DWORD
Value: 1
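The following PowerShell script is an added example, not part of the original post. It carries out the server-side change described above and then reads back both the Server and Client keys so you can confirm the state before rebooting. The only thing it assumes beyond what the post states is the well-known DisabledByDefault value, which it also sets on the Server key so that SSL 2.0 is not offered even when a caller does not specify a protocol; that extra value is optional. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post): disable server-side SSL 2.0 in Schannel
# on Windows Server 2008 R2 / Windows 7 and audit the resulting registry state.
# Requires an elevated session. A reboot is still needed for Schannel to apply it.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

# 1. Create the Server key (it normally does not exist on a default install)
#    and set Enabled = 0 as a REG_DWORD, exactly as described in the post.
$server = Join-Path $base 'Server'
if (-not (Test-Path $server)) {
    New-Item -Path $server -Force | Out-Null
}
New-ItemProperty -Path $server -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

# 2. Optional (assumption, not in the post): also mark it DisabledByDefault = 1, the same
#    value Windows already uses for the Client side, so SSL 2.0 is never selected implicitly.
New-ItemProperty -Path $server -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Read back both sides. A missing key or value means Schannel uses its built-in default,
#    which for the Server side on 2008 R2 is "enabled" - hence the explicit 0 above.
function Get-Ssl2State {
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base $side
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            [pscustomobject]@{
                Side              = $side
                Enabled           = if ($null -eq $props.Enabled) { '(not set)' } else { $props.Enabled }
                DisabledByDefault = if ($null -eq $props.DisabledByDefault) { '(not set)' } else { $props.DisabledByDefault }
            }
        } else {
            [pscustomobject]@{ Side = $side; Enabled = '(key missing)'; DisabledByDefault = '(key missing)' }
        }
    }
}

Get-Ssl2State | Format-Table -AutoSize

# Expected after this script on a default 2008 R2 box:
#   Server  Enabled = 0         DisabledByDefault = 1
#   Client  Enabled = (not set) DisabledByDefault = 1
# Reboot to apply, e.g.:  Restart-Computer -Confirm
```

Because the keys live under HKLM, the same script can be pushed to a fleet of servers through a remote session or a startup script; just remember that nothing takes effect until each host has been rebooted, so schedule the verification scan for after the reboot window.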

Note that you can follow the same process, using the same registry path, on just about any version of Windows since Windows Server 2003.

About Rebecca Harness

Rebecca Harness is a Business Information Security Officer (BISO) for a publicly-traded, global information solutions company. As BISO, she champions security initiatives and recommends strategies to mitigate risk, facilitating innovation and new product development. She’s also responsible for representing the business unit’s security program in client-facing engagements, conferences, and industry forums. Prior to her current role, she was an influential cybersecurity leader for one of the world’s largest transportation providers, known for transforming information security efforts into well-orchestrated programs. There, she developed an innovative methodology for delivering key information security priorities as a service model, leading to quicker adoption enterprise-wide while significantly reducing operational costs. She also led and modernized their global, multi-brand PCI assessment and other compliance initiatives. In the early 2000s, Rebecca developed one of St. Louis' leading Managed Services Providers from a startup in a spare bedroom into a mature consulting company with 30+ employees and 150+ clients in the Greater St. Louis Area. Rebecca holds many certifications, including ISACA Certified Information Systems Auditor (CISA), ISC2 Certified Information Systems Security Professional (CISSP), and GIAC Security Leadership Certified (GSLC). She’s also a proud alumna of Hastings College and a longtime member of the Society of American Magicians.
