How do I disable SSL 2.0 in Windows Server?

My Problem:

I have a client that needs to pass PCI security scan on their office WAN. Their WAN has some NAT rules that forward certain protocols to their internal SBS 2011 server. The scan is failing in part because SBS 2011 allows SSL 2.0 communication for the user portal while SSL 3.0 or TLS 1.0 and above are required for a passing grade for this specific PCI scan.

My Solution:

You’ll need to do some registry editing and then reboot the server. Make sure you have good backups and a service window where the server can be down. Then read and follow Microsoft KB187498. Or if you’re too lazy to click a link, read and do this:

  1. Open regedit and navigate to the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  2. Create a new key and name it Server
  3. Under that new key, create a new DWORD (32-bit) value and name it “Enabled” with the value of 0.
  4. Close everything and reboot the server.
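The same four steps scripted in PowerShell, as an added example that is not part of the original post. It assumes an elevated prompt on the SBS 2011 box, creates the Server subkey with Enabled = 0 exactly as above, additionally sets the documented DisabledByDefault value, and then reads the key back so you can confirm the state before scheduling the reboot. The function names and the Get-Ssl2ServerState status strings are my own.

```powershell
# Added example (not from the original post): disable SSL 2.0 server-side via the
# SCHANNEL registry keys described in the steps above, then read the value back.
# Run from an elevated PowerShell prompt; a reboot is still required to take effect.

$protocolsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ssl2ServerPath = Join-Path $protocolsPath 'SSL 2.0\Server'

function Disable-Ssl2Server {
    # Step 2: create the "SSL 2.0\Server" key (New-Item -Force creates the parent too).
    if (-not (Test-Path $ssl2ServerPath)) {
        New-Item -Path $ssl2ServerPath -Force | Out-Null
    }
    # Step 3: DWORD "Enabled" = 0 is the setting from the post.
    New-ItemProperty -Path $ssl2ServerPath -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    # DisabledByDefault = 1 is the documented companion SCHANNEL value (not mentioned in the
    # post) that also stops the protocol from being offered when no explicit choice is made.
    New-ItemProperty -Path $ssl2ServerPath -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-Ssl2ServerState {
    # Check: report what the registry currently says so the change can be verified
    # before the reboot (the openssl test in the post verifies it afterwards).
    if (-not (Test-Path $ssl2ServerPath)) {
        return [pscustomobject]@{
            KeyExists         = $false
            Enabled           = $null
            DisabledByDefault = $null
            Status            = 'No key present: SSL 2.0 is left at the OS default'
        }
    }
    $props  = Get-ItemProperty -Path $ssl2ServerPath
    $status = if ($props.Enabled -eq 0) {
        'SSL 2.0 server-side disabled (effective after reboot)'
    } else {
        'SSL 2.0 not disabled: Enabled is missing or non-zero'
    }
    [pscustomobject]@{
        KeyExists         = $true
        Enabled           = $props.Enabled
        DisabledByDefault = $props.DisabledByDefault
        Status            = $status
    }
}

Disable-Ssl2Server
Get-Ssl2ServerState | Format-List
```

Step 4 (the reboot) is deliberately left to you; run Restart-Computer once the Status line reads "disabled".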

To test and verify, I recommend reading my blog post “How Can I Determine What SSL/TLS Versions Are Available for HTTPS Communication?” Running the command openssl s_client -connect -ssl2 returned the following result, proving that SSL 2.0 was no longer an option on that server.

no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 45 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
    Protocol  : SSLv2
    Cipher    : 0000
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1392250044
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

SSL 3.0 and later are enabled by default in Windows Server 2008 and later, so most SSL communication would already use SSL 3.0 or TLS. However, the SSL 2.0 option did exist, and it can cause some PCI scans to fail if the server is publicly accessible.

