How to Disable SSL 3.0 in IIS (Windows)? (POODLE Vulnerability CVE-2014-3566)

The SSL 3.0 protocol was recently shown to have a design error, opening the possibility for man-in-the-middle attacks.  Administrators are encouraged to completely disable the SSL 3.0 protocol from their servers, eliminating the potential for a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack.

A common question fielded by our engineers is, “How do I disable SSL 3.0 on Windows servers?”  Unfortunately, at this time, disabling SSLv3 in IIS requires editing the registry.  As is always the case, users should back up their registry before making any changes and use extra caution during this task.

  • In Windows Server 2003 to 2012 R2 the SSL / TLS protocols are controlled by flags in the registry.  In order to disable SSLv3 you will need to create a registry subkey named “SSL 3.0” at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols.  If there is already a subkey at this location named “SSL 3.0”, you will not need to create it.
  • Next, you will need to create a subkey under “SSL 3.0” named “Server”.  The full path at this time will be HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server.
  • Finally, at this registry location, create a DWORD value named “Enabled” and set it’s value to 0.

In general, once the registry changes are made, the server will require a reboot to fully disable SSLv3.