While recently running a security check against one of my web sites, I got an alert that the deprecated SSLv2.0 protocol was still enabled on my server. Disabling it is also one of the requirements of the Payment Card Industry Data Security Standard (PCI-DSS) v1.2.
So I spent some time on Google and went through some forums and blogs, and finally found the solution to turn it off. Microsoft does not provide a UI for this; you have to go into the registry and edit it manually.
How to check whether my server has SSLv2 enabled?
There are many ways to check the configuration, including using OpenSSL (I'm not too familiar with OpenSSL, so I use the alternative way: the web). Go to Serversniff.net, enter your web domain or the IP address of your server with port 443 enabled (edit the port number if you are not using the standard SSL port 443), then click SSL-Check.
How to disable SSL 2.0 in Windows Server 2003?
- Click Start, click Run, type regedit, and then click OK.
- In Registry Editor, locate the following registry key/folder:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
- Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
- Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
- Enter Enabled as the name and hit Enter.
- Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn’t, right-click and select Modify and enter 0 as the Value data.
- Restart the computer.
- Verify that no SSL 2.0 ciphers are available at Serversniff.net or the Public SSL Server Database.
Registry keys you may need to touch (each one gets an Enabled DWORD value of 0):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
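The same registry changes (the SSL 2.0 steps above plus the cipher and PCT 1.0 keys in the list) can be applied and audited from PowerShell instead of clicking through regedit. This is an added example, not part of the original post; it assumes it is run elevated on the server itself and uses the .NET registry API because PowerShell's HKLM: drive treats "/" in names like "RC4 40/128" as a path separator.

```powershell
# Added example, not from the original post. Assumption: run elevated on the server.
# Caveat: PowerShell's HKLM: drive splits on "/" as well as "\", so New-Item on
# "Ciphers\RC4 40/128" would create nested keys "RC4 40\128". The .NET registry
# API splits only on "\" and creates these names correctly.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys under SCHANNEL that the post sets to Enabled = 0 (DWORD).
$disable = @(
    'Protocols\SSL 2.0\Server',
    'Protocols\PCT 1.0\Server',
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128'
)

function Disable-SchannelEntry([string]$subKey) {
    # CreateSubKey opens the key writable, creating it if it does not exist.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$subKey")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelDisabled([string]$subKey) {
    # True only when the key exists and Enabled is a DWORD with value 0.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$subKey")
    if ($key -eq $null) { return $false }
    try {
        $value = $key.GetValue('Enabled')
        if ($value -eq $null) { return $false }
        $kind = $key.GetValueKind('Enabled')
        return (($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and ($value -eq 0))
    } finally {
        $key.Close()
    }
}

foreach ($subKey in $disable) { Disable-SchannelEntry $subKey }

# Audit: any line reporting NOT DISABLED needs attention before the reboot.
foreach ($subKey in $disable) {
    if (Test-SchannelDisabled $subKey) { $state = 'disabled' } else { $state = 'NOT DISABLED' }
    Write-Output ("{0,-24} {1}" -f $subKey, $state)
}
```

SCHANNEL reads these values at boot, so as with the manual steps the change only takes effect after a restart; re-run the SSL check from Serversniff.net afterwards to confirm no SSL 2.0 ciphers are offered.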