Windows Server 2008/2008R2: How to Disable SSLv2 on Domain Controller (dsforum2wiki)

Introduction

For security reasons, you may need to disable SSLv2 on a domain  controller to force secure LDAP communication using SSLv3 or TLSv1. 

The following article, What is the Point of Encryption if you Don't Know Who For? offers  a description and comparison between

• SSLv2,
• SSLv3, and
• TLSv1 encryption methods

(see the section, SSLv2 versus SSLv3/TLSv1 and Assurance Level). 

Steps

To disable SSLv2 on a Windows Server 2008 or Windows Server 2008 R2 domain controller perform the following steps:

1. Open the registry and create a key named Server under the following entry :

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

2.  Under the registry key Server, create a DWORD value named Enabled and change the value data to 00000000.

3. Reboot.

More information

For more information see KB 245030:  How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

Troubleshooting

Applications

If you have any applications that connect to the domain controller using SSL v2.0, they will fail to connect.  You can use a network monitoring tool to analyze network traffic to see if there are any packets using SSL v2.0.

SSL still enabled

If you are trying to follow the WIKI post "How to Disable SSLv2 on a Windows Server 2008 and Windows Server 2008 R2" after doing the work, you reboot the problem server, and after rebooting your security scan is still alarming about "SSLv2" enabled on the problem server , create the fallowing key instead.

1. Open the registry and create a key named Server under the following entry :
   • HKEY_LOCAL_MACHINE
   • SYSTEM
   • CurrentControlSet
   • Control
   • SecurityProviders
   • SCHANNEL
   • Protocols
   • SSL 2.0
2. Under the registry key Server, create a DWORD value named “DisabledByDefault” and change the value data to “00000001”
3. Reboot the server

If you have more than one server you can export the .reg key and import it on other servers by simply clicking on it

Related References

This article was derived from the DS forum post,

• Is it possible to disable SSLv2 on a Windows 2008 domain controller so that secure LDAP communication is forced to use SSLv3 or TLSv1? (http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04).