screenshot of results

How to disable SSLv3 and RC4 ciphers in IIS

Sam Rueby Security, Web Development 5 Comments

There’s a great tool from Qualys SSL Labs that will test your server’s configuration for the HTTPS protocol. Somewhat-unfortunately, servers default configuration tends to favor compatibility over security. If you want to get your grade up to an A- or better you will have to make some configuration changes. Here’s what I did while using Windows Server 2008 R2 and IIS.

By default, two now-considered bad things are enabled by default in Windows Server 200, 2008 R2, and the latest version of Windows Server (Windows Server Technical Preview 2), which is SSLv3 and the RC4 cipher. 

How to disable SSLv3

Disabling SSLv3 is a simple registry change. As far as I’m aware, the only risk in disabling it is preventing Windows XP/IE6 users from accessing your server. If you still have to support these users, I’m sorry.

Digicert provides a dead-simple registry script to disable SSLv3. Here it is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

Awesome. That will bring your grade up, but we’re not done. RC4 has been deprecated.

How to disable RC4 ciphers

This is another simple registry change.

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

The above registry keys were recommended by these sources:

To run all of these at once, I’ve provided a zipped .reg file that includes these changes.

[button shape=”square” size=”large” float=”none” href=”” info=”none” info_place=”top” info_trigger=”hover”][icon type=”download”] Download[/button]

[content_band inner_container=”true” padding_top=”0px” padding_bottom=”0px” border=”none”]

[icon type=”warning”] Isn’t it sketchy to download .reg files and run them?

Yup, totally. Luckily .reg files are just text: go ahead and look at the file in a text editor or manually insert the keys above using the registry editor.


Performing the actions above will greatly increase your grade, but still won’t get you a perfect score. The last step is enabling forward secrecy. Hopefully I’ll cover that in a future post!