Harden Microsoft Windows IIS SSL protocols, ciphers, hashes and key exchange algorithms.
To meet PCI DSS, FIPS 140-2 and similar compliance requirements it may be necessary to harden IIS servers by disabling SSL 2.0, so that only SSL 3.0, TLS 1.0, TLS 1.1 or higher connections are accepted. SSL 3.0 has been supported by the major browsers since 1996, so turning off SSL 2.0 does not lock out real clients. Note that SSL 3.0 (POODLE, CVE-2014-3566) and TLS 1.0 have since been deprecated as well, and PCI DSS 3.2 required migration off TLS 1.0 by 30 June 2018; on a current deployment the same registry mechanism described below should be used to disable SSL 3.0 and TLS 1.0 too.
This is also described in the following articles:
- Microsoft Security Bulletin MS13-006 – Important – https://technet.microsoft.com/library/security/ms13-006
- PCI Compliance: Disabling SSL v2 and weak SSL ciphers – http://www.appliedi.net/blog/pci-compliance-disabling-ssl-v2-and-weak-ssl-ciphers-2/
- For IIS, this can be performed by setting the following registry value to 0, which disables SSL 2.0 for inbound (server-side) connections. The Protocols\SSL 2.0\Server key does not exist by default and must be created, and SCHANNEL only reads it at boot, so a reboot is required:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server\Enabled = 0x00000000 (0), DWORD (32-bit) Value
- For Apache, this can be performed by adding the following line to the mod_ssl configuration (httpd.conf or ssl.conf); it removes all ciphers and replaces them with the HIGH and MEDIUM (>128-bit) groups:
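The IIS registry change above, scripted in PowerShell. This is an added example and not code from the original post or from IIS Crypto; it writes the SCHANNEL values the post names (Protocols\SSL 2.0\Server\Enabled = 0) and, going beyond the post's single value, also sets DisabledByDefault = 1, applies the same pair to the Client side so the server does not initiate SSL 2.0 outbound, and disables the NULL, export-grade RC4 and single-DES ciphers that PCI scanners flag. The helper names (Set-SchannelDword, Get-SchannelDword) are this example's own. It uses the .NET registry API rather than the HKLM: provider because the provider treats the "/" in cipher key names such as "RC4 40/128" as a path separator. Run it elevated and reboot afterwards.

```powershell
# Added example (not from the original post): apply SCHANNEL hardening via the registry.
# Requires an elevated session; SCHANNEL reads these keys at boot, so reboot afterwards.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm     = [Microsoft.Win32.Registry]::LocalMachine

# Hypothetical helper: create (or open) a SCHANNEL subkey and write a DWORD value.
function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = $hklm.CreateSubKey("$schannel\$SubKey")   # returns the key opened for writing
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

# Hypothetical helper: read a DWORD back, or $null if the key does not exist.
function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $key = $hklm.OpenSubKey("$schannel\$SubKey")
    if ($key) { try { $key.GetValue($Name) } finally { $key.Close() } }
}

# 1. Disable SSL 2.0 for inbound (Server) and outbound (Client) connections.
#    Enabled = 0 turns the protocol off; DisabledByDefault = 1 keeps it off for
#    applications that leave protocol selection to SCHANNEL's defaults.
foreach ($side in 'Server', 'Client') {
    Set-SchannelDword -SubKey "Protocols\SSL 2.0\$side" -Name 'Enabled'           -Value 0
    Set-SchannelDword -SubKey "Protocols\SSL 2.0\$side" -Name 'DisabledByDefault' -Value 1
}

# 2. Beyond the post's SSL 2.0 step: remove weak ciphers from the negotiable set.
#    For cipher keys, Enabled = 0 disables the cipher (0xffffffff enables it).
#    RC4 128/128 and Triple DES are left alone here to avoid breaking older clients.
foreach ($cipher in 'NULL', 'RC4 40/128', 'RC4 56/128', 'DES 56/56') {
    Set-SchannelDword -SubKey "Ciphers\$cipher" -Name 'Enabled' -Value 0
}

# 3. Read the protocol values back so the change can be checked before rebooting.
foreach ($side in 'Server', 'Client') {
    [pscustomobject]@{
        Key               = "Protocols\SSL 2.0\$side"
        Enabled           = Get-SchannelDword "Protocols\SSL 2.0\$side" 'Enabled'
        DisabledByDefault = Get-SchannelDword "Protocols\SSL 2.0\$side" 'DisabledByDefault'
    }
}
```

To also drop SSL 3.0 or TLS 1.0, call Set-SchannelDword with "Protocols\SSL 3.0\Server" or "Protocols\TLS 1.0\Server" in the same way. After the reboot, confirm from a separate host with a scanner such as SSLScan that the server no longer offers the disabled protocols and ciphers.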
IIS Crypto screenshot: force client browsers to use SSL 3.0 or TLS 1.x by leaving those protocols enabled and disabling SSL 2.0.
- How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services – http://support.microsoft.com/kb/187498
- IIS Crypto (Nartac Software) – https://www.nartac.com/Products/IISCrypto/
- SSLScan titania.co.uk – https://www.titania.com/freetools?tool=sslscanner
- URLScan tools