How to remove SSL 2.0 Server-Side Support from Windows Server 2008 R2

SSL 2.0 was released in 1995 but almost immediately replaced by SSL 3.0 in 1996 due to a number of security vulnerabilities. Nevertheless, Microsoft still enables server-side SSL 2.0 by default in Windows 7 and Windows Server 2008 R2… which will cause your server to fail any PCI compliance testing.

Disabling Server-Side SSL 2.0 is actually quite simple, you just need to create a key and reboot the server:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Name: Enabled
Value: 0


After you’ve disabled it, you can verify functionality by using this free SSL Server Test from Qualys SSL Labs.

There is no need to make any modifications to Internet Informations Services (IIS) or Threat Management Gateway (TMG)… this is strictly an operating system level function.

If you’re interested in where it’s at, Client-Side SSL 2.0 is disabled by this registry key which should already be present:

Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Name: DisabledByDefault
Value: 1

Note that you can follow the same process for just about any version of Windows since 2003.

No comments yet... Be the first to leave a reply!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s