Article ID: 187498 - Last Review: September 2, 2010 - Revision: 11.0

How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

View products that this article applies to.
This article was previously published under Q187498
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/ (http://www.iis.net/)
Expand all | Collapse all

SUMMARY

You can use HTTPS to connect to either of the following:
  • Microsoft Internet Information Server (IIS) versions 3.0 and later versions
  • Microsoft Internet Information Services (IIS) 5.0 and later versions
When you do this, the client and the server negotiate a common protocol to help secure the channel. If the server and the client have multiple protocols in common, IIS tries to help secure the channel with one of the protocols that IIS supports. The protocol that IIS uses is selected in the following order of preference:
  1. PCT 1.0
  2. SSL 3.0
  3. SSL 2.0
Sometimes, you may want to disable one or more of these protocols. You can do this if you change the registry.

Note In Windows Server 2008, PCT 1.0 is not a configurable option, and you do not have to restart the server.
Back to the top

MORE INFORMATION

Microsoft Windows NT Server stores information about different security-enhanced channel protocols that Windows NT Server supports. This information is stored in the following registry key:

HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols

Typically, this key contains the following subkeys:
  • PCT 1.0
  • SSL 2.0
  • SSL 3.0
  • TLS 1.0
Each key holds information about the protocol for the key. Any one of these protocols can be disabled at the server. To do this, you create a new DWORDvalue in the server subkey of the protocol. You set the DWORD value to "00 00 00 00."

Note By default, PCT is not enabled on Microsoft Windows Server 2003.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756  (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows


For information about how to modify the registry, see the "Changing keys and values" Help topic in Registry Editor. Also see the "Add and delete information in the registry" Help topic and the "Edit registry data" Help topic in Registry Editor.

To have us disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.

Fix it for me



To fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.


Fix this problem
Microsoft Fix it 50495


Notes
  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not using the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.

Then, go to the "Did this fix the problem?" section.



Let me fix it myself



To disable the PCT 1.0 protocol so that IIS does not try to negotiate using the PCT 1.0 protocol, follow these steps:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\PCT 1.0\Server
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.

    Note If this value is present, double-click the value to edit its current value.
  6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
  7. Click OK. Restart the computer.

Did this fix the problem?

  • Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support (http://support.microsoft.com/contactus) .
  • We would appreciate your feedback. To provide feedback or to report any issues with this solution, please leave a comment on the "Fix it for me (http://blogs.technet.com/fixit4me/) " blog or send us an email (mailto:fixit4me@microsoft.com?Subject=KB) .
Back to the top

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
245030  (http://support.microsoft.com/kb/245030/ ) How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll



Back to the top
APPLIES TO
  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Services 5.1
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 7.0
Back to the top
Keywords: 
kbhowto kbmsifixme kbfixme KB187498
Back to the top
 

Article Translations

 

Related Support Centers