Below, in quotes, is a medium severity issue discovered after scanning an IIS web server, with a tool called Nessus.
"Consult the application's documentation to disable SSL 2.0 and use SSL 3.0, TLS 1.0, or higher instead"
I found this article (http://support.microsoft.com/?id=187498), but I cannot find the "Server" folder. "Client" is the only folder listed on the machine I had scanned, under this registry path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\. The OS is Windows Server 2008, x64. What steps do I need to take to fix this vulnerability?
Does this have to be set a certain way?
Best Answer
Under: ...create a key for SSL 2.0, if it doesn't exist. Then inside that key, create a key for Server if it doesn't exist. Then inside that key (you should be at SCHANNEL\Protocols\SSL 2.0\Server), create a DWORD value with the name of Enabled and a value of 0. Once that's in place, reboot the server - a service restart alone isn't enough for this change to take effect.
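The registry steps from the answer above, scripted as an added example (this is not code from the original thread or from Microsoft). It assumes the standard SCHANNEL Protocols path quoted in the question, is meant to be run in an elevated PowerShell on the server, and reports the SSL 2.0 server-side state before and after the change so the result can be verified before the reboot the answer calls for. The DisabledByDefault value is an extra hardening setting that the answer does not mention; it is marked optional in the script.

```powershell
# Added example: disable the server-side SSL 2.0 protocol in SCHANNEL.
# Run from an elevated PowerShell prompt; a reboot is still required afterwards.
# Assumption: the standard SCHANNEL Protocols path from the question.
$protocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ssl2Key       = "$protocolsPath\SSL 2.0"
$ssl2ServerKey = "$ssl2Key\Server"

function Get-Ssl2ServerState {
    # Returns 'NotConfigured' (no key or value present, so the OS default applies),
    # 'Disabled' (Enabled = 0) or 'Enabled' (any other Enabled value).
    if (-not (Test-Path -Path $ssl2ServerKey)) { return 'NotConfigured' }
    $props = Get-ItemProperty -Path $ssl2ServerKey -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'NotConfigured' }
    if ($props.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Ssl2Server {
    # Step 1: create the "SSL 2.0" key under Protocols if it does not exist.
    if (-not (Test-Path -Path $ssl2Key)) {
        New-Item -Path $ssl2Key | Out-Null
    }
    # Step 2: create the "Server" key inside it if it does not exist.
    if (-not (Test-Path -Path $ssl2ServerKey)) {
        New-Item -Path $ssl2ServerKey | Out-Null
    }
    # Step 3: REG_DWORD "Enabled" = 0, exactly as the answer describes.
    New-ItemProperty -Path $ssl2ServerKey -Name 'Enabled' -Value 0 `
        -PropertyType DWord -Force | Out-Null
    # Optional extra (not in the answer): also mark the protocol disabled by default,
    # so an application that does not request protocols explicitly will not get SSL 2.0.
    New-ItemProperty -Path $ssl2ServerKey -Name 'DisabledByDefault' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

Write-Output "Before: SSL 2.0 server state = $(Get-Ssl2ServerState)"
Disable-Ssl2Server
Write-Output "After:  SSL 2.0 server state = $(Get-Ssl2ServerState)"
Write-Output 'Reboot the server now; SCHANNEL reads these keys at boot, not on a service restart.'
```

After the reboot, re-run the Nessus scan (or check the "After" line from the script) to confirm the finding is gone. The script only touches the SSL 2.0\Server key, which is what the finding asks for; the same key-and-DWORD pattern applies to the other protocol names under Protocols, and current hardening baselines also disable SSL 3.0 in the same way.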