How to disable SSLv2 or SSLv3?

Solution 1:

  1. Open regedit
  2. Navigate to, or create the keys as necessary:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    
  3. Create/Edit the value Enabled, type DWORD, value "0"

  4. Reboot

Notes: The same procedure applies to the key names PCT 1.0, SSL 2.0, SSL 3.0, and TLS 1.0. In newer versions of Windows some of these are disabled by default; which ones depends on the version.

Reference: http://support.microsoft.com/kb/187498
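
The registry steps above, scripted so they can be applied consistently (this is an added example, not code from the answer or from Microsoft). It assumes an elevated PowerShell prompt and writes both the `Server` and `Client` subkeys, since the answer's path only covers the server side; the `DisabledByDefault` value is also set so that programs asking Schannel for the "default" protocol set do not get SSL 2.0/3.0 either. A reboot is still required afterwards.

```powershell
# Added example (not from the original answer): disable SSL 2.0 and SSL 3.0 in
# Schannel for both the Server and Client side via the registry.
# Run from an elevated PowerShell prompt; reboot afterwards for Schannel to
# pick up the change.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @('SSL 2.0', 'SSL 3.0')   # add 'PCT 1.0' or 'TLS 1.0' here to turn those off as well
$sides     = @('Server', 'Client')

foreach ($proto in $protocols) {
    foreach ($side in $sides) {
        $key = Join-Path (Join-Path $base $proto) $side

        # New-Item creates the missing intermediate keys ("SSL 2.0" and "Server")
        # in one go; -Force makes it a no-op if the key already exists.
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # Enabled = 0 turns the protocol off outright (the DWORD the KB article describes).
        # DisabledByDefault = 1 additionally removes it from the set Schannel offers to
        # applications that request the "system default" protocols.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null

        Write-Host ("Disabled {0} ({1}) at {2}" -f $proto, $side, $key)
    }
}

Write-Host 'Done. Reboot the machine for Schannel to apply these settings.'
```

`New-ItemProperty -Force` overwrites an existing value, so the script is safe to re-run on a box where someone already created the keys by hand.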

Solution 2:

This is something you need to fix in regedit,

regedit can be opened with "start", "run", regedit

once there, find this entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0

Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.

Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.

Enter Enabled as the name and hit Enter.

Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

Restart the computer.

A nice explanation can be found here, including how to disable other weak ciphers:

https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

Solution 3:

If you are not comfortable manually editing the registry, you can either use a PowerShell script or a GUI program to do all this for you.

There is a great script by Alexander Hass here - Setup your IIS for SSL Perfect Forward Secrecy and TLS 1.2

I personally like to use IIS Crypto; it is so easy and lets you order and choose crypto suites, ciphers, etc. You can just use the 'best practices' if you are not sure what you are doing.


Also, once you are done rebooting the server, head over to SSL Labs to test your server.

Good Luck!
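
Before going to SSL Labs (which only sees the server side from the outside), it helps to check locally what the registry actually says for every Schannel protocol key, on both the Server and Client side. The following is an added example, not part of any of the answers above or of IIS Crypto; it reads only, changes nothing, and reports a value as "(not set)" when the key or DWORD is absent, in which case the Windows version's built-in default applies (which is exactly the "depends on what version" caveat from Solution 1). The TLS 1.3 key only exists on recent Windows releases and will simply show as not set elsewhere.

```powershell
# Added example (not from the original answers): audit the Schannel protocol
# settings currently in the registry. Read-only; safe to run before and after
# a change and after the reboot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Key names Schannel recognises; TLS 1.3 is only honoured on recent Windows versions.
$protocols = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')

function Get-SchannelProtocolState {
    foreach ($proto in $protocols) {
        foreach ($side in @('Server', 'Client')) {
            $key = Join-Path (Join-Path $base $proto) $side
            $enabled           = '(not set)'
            $disabledByDefault = '(not set)'

            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                # A missing DWORD reads as $null; keep the "(not set)" marker in that case.
                if ($null -ne $p.Enabled)           { $enabled           = $p.Enabled }
                if ($null -ne $p.DisabledByDefault) { $disabledByDefault = $p.DisabledByDefault }
            }

            # Enabled = 0 is an explicit "off". Anything else (1, 0xffffffff, or absent)
            # means the protocol is either on or left to the OS default for this version.
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                ExplicitlyOff     = ($enabled -eq 0)
            }
        }
    }
}

# Full table, then a one-line summary of anything legacy that is not explicitly off.
Get-SchannelProtocolState | Format-Table -AutoSize

$legacyStillOn = Get-SchannelProtocolState |
    Where-Object { $_.Protocol -in @('PCT 1.0', 'SSL 2.0', 'SSL 3.0') -and -not $_.ExplicitlyOff }
if ($legacyStillOn) {
    Write-Warning ("Not explicitly disabled in the registry: " +
        (($legacyStillOn | ForEach-Object { "$($_.Protocol)/$($_.Side)" }) -join ', '))
} else {
    Write-Host 'PCT 1.0, SSL 2.0 and SSL 3.0 are explicitly disabled for Server and Client.'
}
```

A "(not set)" entry for SSL 3.0 on a current Windows build is not necessarily a problem, since newer versions disable it by default, but setting `Enabled` to 0 explicitly removes the dependence on that default and is what the answers above recommend.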