locked
Disable SSL v2 in IIS7? RRS feed

  • Question

  • User-189778016 posted

    I saw and read http://support.microsoft.com/kb/187498

     It states that it is the same for IIS 7 on 2K8, but when I looked in the registry I only saw the Key for SSL 2.0 and no other versions, then expanding that key there is a client subkey but no server subkey. So I created the server subkey and added the Enabled DWORD with a value of 000000 (aka 0) like the kb article states, rebooted, and SSL V2 is still working. Anyone have ideas?

     Thanks in advance

    Thursday, September 18, 2008 1:20 AM

Answers

  • User1073881637 posted

    You have to create it like the article says and reboot.    Here is what mine look like locally on my IIS 7 box. 

    Disclaimer :) The normal legal stuff, 1) Backup the registry, 2) test on a non-production box.  I hold no responsibility for deploying this in your environment. :

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000

     

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, September 18, 2008 2:16 PM

All replies

  • User1073881637 posted

    You have to create it like the article says and reboot.    Here is what mine look like locally on my IIS 7 box. 

    Disclaimer :) The normal legal stuff, 1) Backup the registry, 2) test on a non-production box.  I hold no responsibility for deploying this in your environment. :

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000

     

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Thursday, September 18, 2008 2:16 PM
  • User-310634600 posted

    Sorry, but, that does not appear to work for windows 2008. (it works for Windows 2003)

     

    Sunday, August 2, 2009 12:57 AM
  • User-630838728 posted

    We are also having trouble getting this to work with Server 2008 R2, although the registry keys exist in the same pattern it continues to make SSL2 available.

     This is a significant PCI issue of course...

    Tuesday, September 29, 2009 8:48 AM
  • User1073881637 posted

    http://support.microsoft.com/?id=187498

    Did you try this?

    Wednesday, September 30, 2009 9:44 PM
  • User303023370 posted

    I assume your refrences to DWORD in your advice is for 32bit machines. Would I be correct that people with 64bit machines should be setting QWORD to zero?

    Monday, October 26, 2009 5:12 PM
  • User-2080158005 posted

    I had the same or let say very similar problem under Windows 2008 x64 and Windows 2008 R2
     
    I was trying to disable SSL 2.0 and in the same time enable SSL 3.0 and TLS 1.0.
     
    I did try to just disable SSL 2.0 but with no luck what so ever.
     
    Below instructions how I've done it:
     
    (MAKE SURE THAT YOU BACKUP YOUR REGISTRY BEFORE APPLYING THOSE CHANGES)
     
    • Using regedit to add the following keys ( right click on protocols -> new -> key -> "SSL 2.0"  then  "SSL 3.0" then "TLS 1.0" )
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
     
    • Under each of the keys above you need to create additional keys "Client" and "Server"
     
    For SSL 2.0: 
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
     
    For SSL 3.0: 
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
     
    For TLS 1.0: 
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
     
    • Then you will have to create DWORD (32bit) value called "Enabled" under each "Client" and "Server" key for "SSL 2.0, SSL 3.0 and TLS 1.0"
     
    DWORD (32bit) Value
     
    Value name = Enabled
     
    Value date = 0
     
    Value date can be set to "1" - Enabled or "0" – Disabled
     
    In my scenario the values were "enabled" (set to 1) for SSL 3.0 and TLS 1.0 and "disabled" (set to 0) for SSL 2.0
     
    • Next step is to add correct Ciphers, to do so you will have to navigate to the following key in the registry
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
     
    • (right click on "Cliphers" New -> Key)
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
     
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
     
    • That's all! Now you need to restart your server to apply those changes.
     
    • If you are using TMG 2010 or ISA 2006 to publish the website externally you will need to apply exactly the same settings to registry to it.
     

    Please accept my apologies for my English, but I hope I've managed to help you guys.

    Thursday, November 19, 2009 2:26 PM
  • User303023370 posted

    Thanks Pawel, I can report I have tried this on our server and your solution works. Thank you.

    Monday, November 23, 2009 11:07 AM
  • User-2080158005 posted

    That's superb! Thanks for leting me know.

    Kind Regards

    Pawel Dolny

    Wednesday, November 25, 2009 7:46 PM
  • User1568067606 posted

    Is there an alternative to restarting the server? Can IIS just be reycled? Or some other service(s)?

    Wednesday, January 13, 2010 10:20 AM
  • User-2080158005 posted

    You can try "iisreset" from the command line but I'm not sure if that's all you have to do.

    Regards

    Pawel Dolny

    Wednesday, January 13, 2010 10:31 AM
  • User2026798962 posted

    Hi Pawel, thanks for the excellent instructions. Is "Triple DES 168/168" considered strong? Can I just use the RC2 and RC4 ciphers or will I have issues?

     

    Thanks!

    Tuesday, March 2, 2010 3:38 PM
  • User-2080158005 posted
    The Triple DES in not new on the market and is weaker than the AES and three time slower. Many security systems use both Triple DES and AES to make it more secure. AES is the default algorithm on most systems now. Triple DES will be kept around for compatibility reasons.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p><o:p> </o:p><o:p></o:p>In terms of RC2 and RC4 ciphers,<o:p></o:p><o:p> </o:p>The RC4 cipher is highly vulnerable only to a Bit-flipping attack if not implemented correctly.<o:p></o:p><o:p> </o:p><o:p></o:p>"The attack is especially dangerous when the attacker knows the format of the message. In such a situation, the attacker can turn it into a similar message but one in which some important information is altered. For example, a change in the destination address might alter the message route in a way that will force re-encryption with a weaker cipher, thus possibly making it easier for an attacker to decipher the message" - wikipedia<o:p></o:p><o:p> </o:p>

    With the above you will be ok for PCI compliance

     

    I hope that helps,<o:p></o:p><o:p> </o:p><o:p></o:p>Thanks<o:p></o:p><o:p> </o:p>Pawel<o:p></o:p>

     

    Thursday, March 4, 2010 10:24 AM
  • User-2080158005 posted

    I've never tried to use RC2 or RC4 only

    Pawel

    Thursday, March 4, 2010 10:26 AM
  • User-395574095 posted

    Thanks Pawel. Your complete solution in batch form, I believe (hope this makes someone's job easier):

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 1 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC2 128/128"
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128"
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\Triple DES 168/168"


    Wednesday, May 19, 2010 8:37 AM
  • User-2080158005 posted

    Many Thanks Theboywonder!

    That will speed up the process. :-)

     

    Wednesday, May 19, 2010 8:53 AM
  • User1422648426 posted

    Hi,

    Can't you just disable the sslv2.0 using:

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f

    Only? (as per: http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04 )?

    Thanks

    Friday, June 18, 2010 4:49 AM
  • Tuesday, July 20, 2010 10:53 AM
  • User1286633549 posted

     I found on my Windows 2008 R2 64 bit server with IIS 7, under:

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\

     

    I just added a new key of 'Server' with a DWORD 32 bit value  of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.

    It will sit right under:
    the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client\DisabledByDefault=1 which is already present.

     Here is an example scan before and after the one change:

    (before:)

    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...
        DES-CBC3-MD5 -- 168 bits, High Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

     

    (after:)
    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption
    commandme :


    Tuesday, February 1, 2011 9:58 AM
  • User-395574095 posted

     I found on my Windows 2008 R2 64 bit server with IIS 7, under:

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\

    I just added a new key of 'Server' with a DWORD 32 bit value  of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.

     

    Do you mean this?

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

     If so perhaps that can be added to the above for a more *complete* solution?

    Thursday, February 3, 2011 4:38 AM
  • User1286633549 posted

    In my case, I found that the other keys had no function. I tested the SSL enumeration prior to adding the key's in the above solution, and afterwards, and the enumeration was identical. I susbequently removed all the extra keys, then added the disabled by default' key, and that left all the other protocols as before, except sslv2.0 was now missing. (As desired)

     

    So in the case of:

    Windows Server 2008 64 bit R2, i would say the only item needed to disable sslv2.0 is:

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

     

    Perhap's the other keys are needed for other versions of WIndows Server 200x. But no in 2008 64 bit R2.

     

    Friday, February 4, 2011 8:51 AM
  • User799964680 posted

     Hi

    we are trying to make a server PCI complaint however it is failing with the below error stating to disable v2 SSL we tried

    REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

    and rebooted the server, but this did not help.  Its windows 2008 R2 DC Edition Hyper-V Virtual Server.

     

    Description: SSL server uses only SSLv2 protocol Severity: Critical Problem Impact: A remote attacker with the ability to sniff network traffic could decrypt an encrypted session. Background: Secure Sockets Layer (SSL) is an encryption protocol used to ensure confidentiality as information travels across the Internet. It is commonly used between web browsers and web servers to protect sensitive data such as passwords and credit card numbers. At the beginning of an SSL session, the client and server negotiate the encryption algorithm, known as a cipher. The chosen cipher is generally the strongest one which is supported by both the client and the server. Resolution For Apache mod_ssl web servers, use the [http://httpd.apache.org/docs/2.0/mod/mo d_ssl.html#sslciphersuite] SSLCipherSuite directive in the configuration file to specify strong ciphers only and disable SSLv2. For Microsoft IIS web servers, disable SSLv2 and any weak ciphers as described in Microsoft knowledge base articles [http://support.microsoft.com/kb/187498 ] 187498 and [http://support.microsoft.com/kb/245030 ] 245030. For other types of web servers, consult the web server documentation. Vulnerability Details: Service: https Client response to SSLv3 request: \x16\x03\x00\x09?\x02\x00\x00F\x03\x00N\x f4\xba\x163\xc3\xa8\xdbP\x08\xdfo\xe1\x95\ 2

     

    Friday, December 23, 2011 4:22 PM
  • User-776338287 posted

    SSLv2 is disabled by default on Windows Server 2008 R2.

    You don't need to add any registry keys as such.

    Unless someone has already enabled it, you can add the keyword enabled and set that to 0.

    Regards,

    Kaushal

    Thursday, January 5, 2012 5:41 PM
  • User450160165 posted

     I found on my Windows 2008 R2 64 bit server with IIS 7, under:

    HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\

    I just added a new key of 'Server' with a DWORD 32 bit value  of "DiabledByDefault" and the hex 'value data' of 1, rebooted and SSLv2 was gone.

    It will sit right under:
    the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client\DisabledByDefault=1 which is already present.

     Here is an example scan before and after the one change:

    (before:)

    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...
        DES-CBC3-MD5 -- 168 bits, High Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    (after:)
    commandme : ./cnark.pl -h some.fqdn.what.ever -p 443

    SSL Certificate Information...
    Certificate Commmon Name: some.fqdn.what.ever


    Testing SSLv2 Ciphers...

    Testing SSLv3 Ciphers...
        DES-CBC3-SHA -- 168 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption

    Testing TLSv1 Ciphers...
        AES256-SHA -- 256 bits, High Encryption
        DES-CBC3-SHA -- 168 bits, High Encryption
        AES128-SHA -- 128 bits, High Encryption
        RC4-SHA -- 128 bits, Medium Encryption
        RC4-MD5 -- 128 bits, Medium Encryption
    commandme :


     

    Hi bdmeyer,

    I'm a bit new to SSL security and I was wondering what application or utility you used for running the scan testing the encryption levels (using command line "commandme : ./cnark.pl -h some.fqdn.what.ever -p 443").

    Many Thanks,

    Marco
     

    Tuesday, May 22, 2012 11:57 AM
  • User-1884375678 posted

    Clearly this is not the case as all these other people have probably like me spent hours of time fiddling with reg keys trying to disable it due to a failure against a compliancy test.

    Why MS cannot simply tell us clearly what needs to be done is beyond me but it certainly is not disabled by default otherwise all these brand new deployments would have had to have it enabled first. How do you enable it? That might also be useful information.

     

     

    Wednesday, October 31, 2012 8:00 AM
  • User-776338287 posted

    This information is readily available. All you need to do is search.

    This KB article suggests on how to do so.

    http://support.microsoft.com/kb/187498

    NOTE: 3rd party products don't use the MS implementation of Crypto API's and SSL libraries and have their own custom implementation.

    The above KB provides a tool which disables the speciifc protocol version. All it does is add a registry key under

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    By default you would find only SSL 2.0 under protocols:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001

    If you want to disable it for the server node one then you can either use the above KB (not sure if it would run on Windows Server 2008 R2) or create one or modify the above node.

    So it would look like this. This would disable the SSL v2.0 for the all the server components.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "DisabledByDefault"=dword:00000001
    Thursday, November 15, 2012 1:35 AM
  • User-2080158005 posted

    Try to use this, very useful!

    https://www.nartac.com/Products/IISCrypto/Default.aspx

    Thursday, November 15, 2012 4:36 AM
  • User162238490 posted

    Hello .. can anyone help with regards to Disabling SSL 2.0

     

    I am also using Reg file and editing the Registry through Reg File and disabling SSL.  But it is only editing the Registry values.  When i check if from Tools---Internet Options --- Advance Setting.. I can still see that SSL 2.0 is not disabled.

     

    I am trying this on Windows 7... where am i going wrong. Below is my code. plz help.

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000

    Thursday, December 5, 2013 1:02 AM