Article Rating

  • 0 Rating(s)
  • 0
  • 0
  • 0
  • 0
  • 0
spam protection for domains
Currently In order to become PCI compliant websites must handle the SSL communications VIA the SSL verion 3.0 protocol. It is also compatable with the version 2.0 so setting the SSL 3.0 as default on the IIS server is recomended.

This applies to:
  • Microsoft Internet Information Server (IIS) versions 3.0 and later versions
  • Microsoft Internet Information Services (IIS) 5.0 and later versions
Note In Windows Server 2008, PCT 1.0 is not a configurable option, and you do not have to restart the server.


Microsoft Windows NT Server stores information about different security-enhanced channel protocols that Windows NT Server supports. This information is stored in the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols

Typically, this key contains the following subkeys:
  • PCT 1.0
  • SSL 2.0
  • SSL 3.0
  • TLS 1.0
Each key holds information about the protocol for the key. Any one of these protocols can be disabled at the server. To do this, you create a new DWORD value in the server subkey of the protocol. You set the DWORD value to "00 00 00 00."

Note By default, PCT is not enabled on Microsoft Windows Server 2003.

To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:

*Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows


For information about how to modify the registry, see the "Changing keys and values" Help topic in Registry Editor. Also see the "Add and delete information in the registry" Help topic and the "Edit registry data" Help topic in Registry Editor.
  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.
  6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
  7. Click OK. Restart the computer.

Also SSL 2.0:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key/folder:

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
  4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
  5. Enter Enabled as the name and hit Enter.
  6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
  7. Restart the computer.
  8. Verify that no SSL 2.0 ciphers

 A great tool to double check your work! http://www.serversniff.net/sslcheck.php 


Article ID: 50, Created On: 7/10/2009, Modified: 1/22/2014

Feedback (0)