DISABLE SSL 2.0 AND SSL 3.0 ON SERVER

Windows Server 2008 R2 is the most stable version of Windows Server, and it includes IIS 7.5. Currently IIS 7.5 allows SSL v2.0, SSL v3.0, TLS 1.0 and other weak cipher suites, which are now obsolete. For the latest SSL to perform perfectly and for the server to be more secure and powerful, we need to disable SSL v2.0, SSL v3.0 and the other weak ciphers on the server. This will also ensure that the system is completely PCI compliant. To disable all of these, perform the following steps:

DISABLE SSL V2.0 AND SSL V3.0:

SSL v2.0 and SSL v3.0 can be disabled with the following steps:
1- Click Start, click Run, type regedit, and then click OK.
2- Locate and go to the following folder:

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

3- Right-click the SSL 2.0 folder, click New, and then click Key. Name the new folder Server.
4- Inside the Server folder, right-click, click New, add a new DWORD (32-bit) Value, and name it Enabled.
5- Make sure that the value is 0x00000000 (0); if it is not, set it to 0x00000000 (0).
6- Now right-click the SSL 3.0 folder, click New, and then click Key. Name the new folder Server.
7- Inside the Server folder, right-click, click New, add a new DWORD (32-bit) Value, and name it Enabled.
8- Make sure that the value is 0x00000000 (0); if it is not, set it to 0x00000000 (0).
9- Now restart the server so that the registry values take effect.

DISABLE WEAK CIPHERS IN IIS 7.0

After disabling SSL v2.0 and SSL v3.0, the next thing to do is to disable weak ciphers in IIS 7.0.

1- Create a text file named “weakciphers.reg” and add the following code to the file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

2- Now run the .reg file and reboot the server.

ENABLE TLS 1.2 ON SERVER:

TLS 1.2 can be enabled on the server with the following steps:
1- Click Start, click Run, type regedit, and then click OK.
2- Locate and go to the following folder:

 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

3- Create a TLS 1.2 folder, then right-click it, click New, and then click Key. Name the new folder Client.
4- Inside the Client folder, right-click, click New, add a new DWORD (32-bit) Value, and name it Enabled.
5- Make sure that the value is 0x00000001 (1); if it is not, set it to 0x00000001 (1).
6- Inside the Client folder, right-click, click New, add a new DWORD (32-bit) Value, and name it DisabledByDefault.
7- Make sure that the value is 0x00000000 (0); if it is not, set it to 0x00000000 (0).
8- Right-click the TLS 1.2 folder, click New, and then click Key. Name the new folder Server.
9- Now perform steps 3 to 7 for the Server folder as well.
10- Now restart the server so that the registry values take effect.

TEST THE SETTINGS:

After rebooting, you can test the server at the following link:
https://www.ssllabs.com/ssltest/analyze.html

It will provide current results and recommendations for the server.
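
To confirm the registry state on the server itself before running the external scan, the following read-only PowerShell audit compares the SCHANNEL values with the ones set in the steps and the .reg file above. It is an added example, not part of the original article; the helper name Get-SchannelValue and the output columns are illustrative, and it is written to run on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the original article): read-only audit of the
# SCHANNEL values that the steps and the .reg file on this page set.
$root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelValue {   # illustrative helper name
    param([string]$SubKey, [string]$Name)
    # .NET registry API on purpose: key names such as "DES 56/56" contain "/",
    # which the PowerShell registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$root\$SubKey")
    if ($null -eq $key) { return $null }          # key was never created
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

# Expected state, copied from this article.
$checks = @()
foreach ($c in 'DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128') {
    $checks += @{ SubKey = "Ciphers\$c"; Name = 'Enabled'; Want = 0 }
}
foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0') {
    $checks += @{ SubKey = "Protocols\$p\Server"; Name = 'Enabled'; Want = 0 }
}
$checks += @{ SubKey = 'Protocols\SSL 3.0\Client'; Name = 'DisabledByDefault'; Want = 1 }
foreach ($side in 'Client', 'Server') {
    $checks += @{ SubKey = "Protocols\TLS 1.2\$side"; Name = 'Enabled'; Want = 1 }
    $checks += @{ SubKey = "Protocols\TLS 1.2\$side"; Name = 'DisabledByDefault'; Want = 0 }
}

$results = foreach ($chk in $checks) {
    $actual = Get-SchannelValue -SubKey $chk.SubKey -Name $chk.Name
    # A REG_DWORD comes back as Int32; a missing or wrongly typed value fails.
    $ok = ($actual -is [int]) -and ($actual -eq $chk.Want)
    $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
    $status = if ($ok) { 'OK' } else { 'FIX' }
    New-Object PSObject -Property @{
        Key = $chk.SubKey; Value = $chk.Name; Want = $chk.Want
        Actual = $shown; Status = $status
    }
}
$results | Select-Object Key, Value, Want, Actual, Status | Format-Table -AutoSize
$bad = @($results | Where-Object { $_.Status -eq 'FIX' }).Count
if ($bad -gt 0) { Write-Warning "$bad value(s) differ from this article's settings." }
```

A row marked FIX with "(not set)" means the key or value was never created, so SCHANNEL is still using its default for that protocol or cipher.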

HostBreak servers provide the best security and are updated with modern cipher suites. Check a sample of our alpha server results.

[Image: Server security report]

If you wish to guard your website from hackers, get an SSL Certificate from HostBreak today!