Created By  inflectra.adam Thursday, October 9, 2014

If you are running a web application (such as SpiraTest, SpiraPlan, SpiraTeam or KronoDesk) on an IIS web server using Secure Sockets Layer (SSL), you will want to harden the environment by removing the older versions of SSL and TLS that are no longer considered secure.

These steps apply to:

  • Windows Server 2003 R1 & R2
  • Windows Server 2008 R1 & R2

Usually Windows Server 2012 and later are already configured to be secure.

• Using regedit to add the following keys ( right click on protocols -> new -> key -> "SSL 2.0"  then  "SSL 3.0" then "TLS 1.0" )
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
• Under each of the keys above you need to create additional keys "Client" and "Server"
 For SSL 2.0: 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
 For SSL 3.0: 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
 For TLS 1.0: 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
• Then you will have to create DWORD (32bit) value called "Enabled" under each "Client" and "Server" key for "SSL 2.0, SSL 3.0 and TLS 1.0"
 DWORD (32bit) Value
 Value name = Enabled
 Value date = 0
 Value date can be set to "1" - Enabled or "0" – Disabled
 In my scenario the values were "enabled" (set to 1) for SSL 3.0 and TLS 1.0 and "disabled" (set to 0) for SSL 2.0
• Next step is to add correct Ciphers, to do so you will have to navigate to the following key in the registry
• (right click on "Cliphers" New -> Key)
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
• That's all! Now you need to restart your server to apply those changes.
Article Info
  • Last Updated: 10/9/2014
  • Article ID: KB91
  • Views: 3055