How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in IIS
-
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx
Important
This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
SUMMARY
You can use HTTPS to connect to either of the following:
-
Microsoft Internet Information Server (IIS) versions 3.0 and later versions
Microsoft Internet Information Services (IIS) 5.0 and later versions
When you do this, the client and the server negotiate a common protocol to help secure the channel. If the server and the client have multiple protocols in common, IIS tries to help secure the channel with one of the protocols that IIS supports. The protocol that IIS uses is selected in the following order of preference:
- PCT 1.0
- SSL 3.0
- SSL 2.0
Sometimes, you may want to disable one or more of these protocols. You can do this if you change the registry.
MORE INFORMATION
Microsoft Windows NT Server stores information about different security-enhanced channel protocols that Windows NT Server supports. This information is stored in the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols
Typically, this key contains the following subkeys:
- PCT 1.0
- SSL 2.0
- SSL 3.0
- TLS 1.0
Each key holds information about the protocol for the key. Any one of these protocols can be disabled at the server. To do this, you create a new DWORD value in the server subkey of the protocol. You set the DWORD value to “00 00 00 00.”
Note By default, PCT is not enabled on Microsoft Windows Server 2003.
To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
For information about how to modify the registry, see the “Changing keys and values” Help topic in Registry Editor. Also see the “Add and delete information in the registry” Help topic and the “Edit registry data” Help topic in Registry Editor.1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server
3. On the Edit menu, click Add Value.
4. In the Data Type list, click DWORD.
5. In the Value Name box, type Enabled, and then click OK.
Note If this value is present, double-click the value to edit its current value.
6. Type 00000000 in Binary Editor to set the value of the new key equal to “0″.
7. Click OK. Restart the computer.
Back to the top
REFERENCES
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
245030 (http://support.microsoft.com/kb/245030/) How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!
Related Posts
Leave a Reply
You must be logged in to post a comment.
