Chances are if you are reading this you’ve failed a “Trustkeeper Scan” – with “Low severity” – due to having weak SSL encryption algorithms enabled on IIS.
It’s pretty easy to solve this, but if you read the microsoft KB article it looks pretty complicated.
Launch regedit and go to this key:
You basically want to disable everything that has less than 128 bit encryption. On one of my servers, the ones with red arrows below need to be disabled:
CLICK FOR LARGER IMAGE
So on each one of these, you want to “Right click”, add a DWORD, name it “Enabled” and set the Hex value to 00000000 (eight zeros).
Repeat for each one that has less than 128 bit length, and then restart your server.
You probably also need to reschedule a security scan so that your changes can be verified, and as always, please double check your SSL protected site with at least two different web browsers and make sure you can get into SSL mode with them both on your site.
If you have undergone a “Trustkeeper Scan” and failed due to your Microsoft web server using SSLv2, then read on.
NOTE: PLEASE READ THIS POST IN OUR BLOG HERE. It is TWO YEARS NEWER and simplifies most of the tasks regarding SSL settings.
SSLv2 is considered a “medium” security risk and will cause your scan to FAIL, so therefore to be PCI-DSS compliant (for credit card companies), you need to disable it via the registry on your Windows server running IIS 3 or later.
The easiest way to do this is to read this KB article from Microsoft.
In a nutshell, you need to go to this registry key
Then locate the SSL 2.0 key
- Click on the “Server” node.
- On the Edit menu, click Add Value.
- In the Data Type list, click DWORD.
- In the Value Name box, type Enabled, and then click OK. Note: If this value is present, just double-click the value to edit its current value.
- Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
- Click OK. Restart the computer
- if applicable, reschedule the security scan