By default, Windows 2008 R2 has some shonky SSL settings – it enables SSL 2.0, which is broken, and it doesn’t enable the best protocols – TLS 1.1 and 1.2. To disable and enable things as we want them, we need to go digging around in the registry.
I’ve compiled these instructions from this article, which details how to disable SSL 2.0, and this article, whose instructions for enabling TLS 1.1 and TLS 1.2 are broken. As this process requires a server restart, I thought a single article covering both might keep downtime low.
IIS SSL capabilities are controlled at the system level, so this should work for other IIS versions as well.
Editing the registry
The keys we need to alter are in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
There should already be a key (folder) called SSL 2.0; you need to create two new folders called TLS 1.1 and TLS 1.2.
Underneath these protocol keys, you need another set of keys (folders) called Client and Server. These may already exist for SSL 2.0.
Underneath the Server keys, we need to put a DWORD called Enabled and set it to 0 for SSL 2.0 and to 0xffffffff (use the hexadecimal radio button) for the two TLS items.
Underneath the Client keys, we need to put a DWORD called DisabledByDefault and set it to 0 for TLS and ffffffff for SSL 2.0.
Restart the server and then check which protocols it now allows – SSL 2.0 should be off and TLS 1.1 and 1.2 on – check it using this tool.
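The same registry changes as a script, added here as an example rather than anything from the original post or the articles it draws on. It assumes an elevated PowerShell session on the server; the function names Set-SchannelProtocol and Get-SchannelState are my own, and the read-back lets you confirm the values before you take the restart.

```powershell
# Added example: applies the SCHANNEL registry settings described above.
# Run as Administrator; SCHANNEL only reads these keys at boot, so restart afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Take a backup of the whole Protocols key first so the change can be reverted.
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' `
    "$env:TEMP\schannel-protocols-backup.reg" /y | Out-Null

# Desired state, exactly as laid out in the post:
#   Server\Enabled           : 0 for SSL 2.0, 0xffffffff for TLS 1.1 / 1.2
#   Client\DisabledByDefault : 0xffffffff for SSL 2.0, 0 for TLS 1.1 / 1.2
# (PowerShell parses 0xffffffff as Int32 -1; written as a DWord it lands as ffffffff.)
$desired = [ordered]@{
    'SSL 2.0' = @{ Enabled = 0;          DisabledByDefault = 0xffffffff }
    'TLS 1.1' = @{ Enabled = 0xffffffff; DisabledByDefault = 0 }
    'TLS 1.2' = @{ Enabled = 0xffffffff; DisabledByDefault = 0 }
}

function Set-SchannelProtocol {
    param([string]$Protocol, [hashtable]$Values)
    foreach ($side in 'Server', 'Client') {
        # -Force creates the protocol key too; the TLS 1.x keys do not exist by default.
        New-Item -Path (Join-Path $base "$Protocol\$side") -Force | Out-Null
    }
    New-ItemProperty -Path (Join-Path $base "$Protocol\Server") -Name 'Enabled' `
        -PropertyType DWord -Value $Values.Enabled -Force | Out-Null
    New-ItemProperty -Path (Join-Path $base "$Protocol\Client") -Name 'DisabledByDefault' `
        -PropertyType DWord -Value $Values.DisabledByDefault -Force | Out-Null
}

function Get-SchannelState {
    # Reads the values back; a missing value means the protocol is still at its OS default.
    foreach ($p in $desired.Keys) {
        $srv = Get-ItemProperty -Path (Join-Path $base "$p\Server") -Name 'Enabled' -ErrorAction SilentlyContinue
        $cli = Get-ItemProperty -Path (Join-Path $base "$p\Client") -Name 'DisabledByDefault' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol                = $p
            ServerEnabled           = if ($srv) { '0x{0:x8}' -f $srv.Enabled } else { '(not set)' }
            ClientDisabledByDefault = if ($cli) { '0x{0:x8}' -f $cli.DisabledByDefault } else { '(not set)' }
        }
    }
}

foreach ($p in $desired.Keys) { Set-SchannelProtocol -Protocol $p -Values $desired[$p] }
Get-SchannelState | Format-Table -AutoSize
Write-Host 'Settings written. Restart the server, then re-test the protocols it offers.'
```

Run Get-SchannelState on its own before changing anything if you want a record of the starting state alongside the .reg backup.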
Tool that sorts it out for you
If you’re happy installing random tools on your server, then you can get IIS Crypto to make the changes for you.
If I’ve got anything wrong, or you think I could be clearer, please drop me a comment below! Thanks.