screenshot of results

How to disable SSLv3 and RC4 ciphers in IIS

Sam Rueby Security, Web Development 2 Comments

There’s a great tool from Qualys SSL Labs that will test your server’s configuration for the HTTPS protocol. Somewhat-unfortunately, servers default configuration tends to favor compatibility over security. If you want to get your grade up to an A- or better you will have to make some configuration changes. Here’s what I did while using Windows Server 2008 R2 and IIS.

By default, two now-considered bad things are enabled by default in Windows Server 200, 2008 R2, and the latest version of Windows Server (Windows Server Technical Preview 2), which is SSLv3 and the RC4 cipher. 

How to disable SSLv3

Disabling SSLv3 is a simple registry change. As far as I’m aware, the only risk in disabling it is preventing Windows XP/IE6 users from accessing your server. If you still have to support these users, I’m sorry.

Digicert provides a dead-simple registry script to disable SSLv3. Here it is:

Awesome. That will bring your grade up, but we’re not done. RC4 has been deprecated.

How to disable RC4 ciphers

This is another simple registry change.

The above registry keys were recommended by these sources:

To run all of these at once, I’ve provided a zipped .reg file that includes these changes.


Isn’t it sketchy to download .reg files and run them?

Yup, totally. Luckily .reg files are just text: go ahead and look at the file in a text editor or manually insert the keys above using the registry editor.

Performing the actions above will greatly increase your grade, but still won’t get you a perfect score. The last step is enabling forward secrecy. Hopefully I’ll cover that in a future post!

  • Beth Fleischer

    This was a very helpful script. Thanks for saving me a bunch of time!

  • Larry E

    Thank you for posting this. Very helpful!