
Removing SSL 2.0, Adding TLS 1.1 and TLS 1.2 on Windows 2008 (IIS 7.5)

By default, Windows 2008 R2 has some shonky SSL settings – it enables SSL 2.0, which is broken, and it doesn’t enable the best protocols – TLS 1.1 and 1.2. To disable and enable things as we want them, we need to go digging around in the registry.

I’ve compiled these instructions from this article, which details how to disable SSL 2.0, and this article, which has broken instructions on how to enable TLS 1.1 and TLS 1.2. As this process requires a server restart, I thought a single article covering both might keep downtime low.

IIS SSL capabilities are controlled at the system level, so this should work for other IIS versions as well.

Editing the registry

The keys we need to alter are in: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

There should already be a key (folder) called SSL 2.0; you need to create two new folders called TLS 1.1 and TLS 1.2.

Underneath these protocol keys, you need another set of keys (folders) called Client and Server. These may already exist for SSL 2.0.

Underneath the Server keys, we need to put a DWORD called Enabled and set it to 0 for SSL 2.0 and to 0xffffffff (Use the hexadecimal radio button) for the two TLS items.

Underneath the Client keys, we need to put a DWORD called DisabledByDefault and set it to 0 for TLS and ffffffff for SSL 2.0.

Restart the server and then check the protocols it now allows – everything should now be more secure – check it using this tool.
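The same registry edits, done from an elevated PowerShell prompt instead of regedit. This is an added example rather than anything from the original post; it assumes the key path and the six DWORD values exactly as described above, and the `Set-SchannelValue` / `Get-SchannelState` function names are my own. It also reads the values back so you can confirm what is actually in the registry before you restart.

```powershell
# Added example (not from the original post): applies the registry steps above with PowerShell.
# Run in an elevated (Administrator) PowerShell on the server; SCHANNEL picks the values up after a restart.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# The six values described in the post. PowerShell parses the literal 0xffffffff as the
# Int32 value -1, which New-ItemProperty stores as the DWORD 0xffffffff the post asks for.
$settings = @(
    @{ Protocol = 'SSL 2.0'; Side = 'Server'; Name = 'Enabled';           Value = 0 },
    @{ Protocol = 'SSL 2.0'; Side = 'Client'; Name = 'DisabledByDefault'; Value = 0xffffffff },
    @{ Protocol = 'TLS 1.1'; Side = 'Server'; Name = 'Enabled';           Value = 0xffffffff },
    @{ Protocol = 'TLS 1.1'; Side = 'Client'; Name = 'DisabledByDefault'; Value = 0 },
    @{ Protocol = 'TLS 1.2'; Side = 'Server'; Name = 'Enabled';           Value = 0xffffffff },
    @{ Protocol = 'TLS 1.2'; Side = 'Client'; Name = 'DisabledByDefault'; Value = 0 }
)

function Set-SchannelValue {
    param([string]$Protocol, [string]$Side, [string]$Name, [int]$Value)
    $path = Join-Path $base "$Protocol\$Side"
    # -Force creates the protocol key and the Client/Server subkey if they are missing,
    # and leaves them alone if they already exist (as they usually do for SSL 2.0).
    New-Item -Path $path -Force | Out-Null
    # -Force overwrites an existing value of the same name rather than erroring.
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-SchannelState {
    # Reads each value back; a missing value shows as blank so you can see what was never set.
    # Uses New-Object rather than [pscustomobject] so it also runs on the PowerShell 2.0
    # that ships with Windows 2008 R2.
    foreach ($s in $settings) {
        $path = Join-Path $base "$($s.Protocol)\$($s.Side)"
        $current = (Get-ItemProperty -Path $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        # Formatting Int32 -1 with x8 prints ffffffff, matching what regedit shows.
        New-Object PSObject -Property @{
            Protocol = $s.Protocol
            Side     = $s.Side
            Name     = $s.Name
            Current  = if ($null -eq $current) { '' } else { '0x{0:x8}' -f $current }
            Expected = '0x{0:x8}' -f $s.Value
        }
    }
}

foreach ($s in $settings) { Set-SchannelValue @s }
Get-SchannelState | Format-Table Protocol, Side, Name, Current, Expected -AutoSize

# Uncomment to restart once the Current and Expected columns agree; the change is not live until then.
# Restart-Computer
```

The table printed at the end is the check worth doing before you reboot: any row where Current is blank or differs from Expected means a key was created under the wrong parent (the post's path is case-insensitive but the spelling of `SCHANNEL\Protocols` and `TLS 1.1` / `TLS 1.2` with the space matters), and SCHANNEL will silently ignore a misspelt key.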

Tool that sorts it out for you

If you’re happy installing random tools on your server, then you can get IIS Crypto to make the changes for you.

If I’ve got anything wrong, or you think I could be clearer, please drop me a comment below here! Thanks.