
PCI Compliance


  • PCI Compliance

    I have to disable support for SSLv2 on a client's SBS2008 box. I found KB article 187498, called 'How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in IIS'.
    I don't see the values as indicated in the article; however, I have an SSL v2 CLIENT key instead, and it already has a DWORD
    named DisabledByDefault which is set to 1.

    Should I change the value to 0?

    Below is the result of the PCI scan...

    Protocol: TCP, Port:443, Program: https

    Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
    Description : The remote service accepts connections encrypted using SSL 2.0, which
    reportedly suffers from several cryptographic flaws and has been deprecated for several years.
    An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or
    decrypt communications between the affected service and clients. See also : Consult the application's documentation to
    disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead.

    I have searched high and low and can't seem to find much info out there.

    Thanks in advance.

    Long time lurker, first time poster.
    Last edited by GenXer; 5th November 2009, 17:09.

  • #2
    Re: PCI Compliance

    I THINK I have found a solution. It passed a test I gave it but we will see what happens when the bank runs their scan.

    I found a site that checks SSL's

    The results of the first scan showed a response from SSL 2.0

    Found these steps to take:

    How to Disable SSL 2.0 in IIS 7

    For some reason, Windows Server 2008 using IIS 7 allows SSL 2.0 by default. Unfortunately, this means you will fail a PCI Compliance audit by default. In order to disable SSL 2.0 in IIS 7 and make sure that the stronger SSL 3.0 or TLS 1.0 is used, follow these instructions:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate the following registry key/folder:

      HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
    3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
    4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
    5. Enter Enabled as the name and hit Enter.
    6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.
    7. Restart the computer.
    8. Verify that no SSL 2.0 ciphers are available at
    After running the scan a 2nd time, SSL 2.0 did not show up. I will post up once I hear what the bank says.

    Here is a link to the article I found:

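    The registry procedure in post #2 can be scripted and, more usefully for a PCI remediation, audited before and after the change. The PowerShell below is an added example written for this thread, not code from the original posters or from the KB article. It reads and writes the same SCHANNEL keys the steps above name (Protocols\SSL 2.0\Server and \Client, with the Enabled and DisabledByDefault DWORDs). It also makes the distinction the first post was asking about explicit: the Client subkey (where the poster found DisabledByDefault=1) only governs outbound connections the machine makes as a TLS client, while the PCI scan hit port 443 as a server, so it is the Server subkey's Enabled=0 that the scanner will notice. Function names and the audit output format are this example's own choices; it must run in an elevated PowerShell and a reboot is still needed for SCHANNEL to pick up the change.

```powershell
# Added example (not from the thread): audit and disable SSL 2.0 via the SCHANNEL
# registry keys on Windows Server 2008 / IIS 7. Run elevated; reboot afterwards.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Reports the Enabled / DisabledByDefault values for one protocol and one side
    # ('Server' answers inbound connections such as IIS on 443; 'Client' is outbound).
    param([string]$Protocol, [string]$Side)
    $key = "$SchannelProtocols\$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No subkey at all means the OS default applies (SSL 2.0 server-side is ON by default here).
        return New-Object PSObject -Property @{
            Protocol = $Protocol; Side = $Side; Enabled = '(absent: OS default)'; DisabledByDefault = '(absent: OS default)'
        }
    }
    $props = Get-ItemProperty -Path $key
    $enabled  = if ($null -ne $props.Enabled)           { $props.Enabled }           else { '(absent)' }
    $disabled = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(absent)' }
    New-Object PSObject -Property @{
        Protocol = $Protocol; Side = $Side; Enabled = $enabled; DisabledByDefault = $disabled
    }
}

function Disable-SchannelProtocol {
    # Creates the subkey if missing (step 3 of the thread) and sets Enabled=0 (steps 4-6).
    # DisabledByDefault=1 is set as well: Enabled=0 switches the protocol off outright,
    # DisabledByDefault=1 only stops it being offered unless an application asks for it.
    param([string]$Protocol, [string]$Side)
    $key = "$SchannelProtocols\$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-SchannelProtocolDisabled {
    # True only when the Server subkey exists and Enabled is exactly 0; this is the state
    # an external scanner like the one in post #1 needs to see after the reboot.
    param([string]$Protocol)
    $state = Get-SchannelProtocolState -Protocol $Protocol -Side 'Server'
    return ($state.Enabled -is [int]) -and ($state.Enabled -eq 0)
}

# --- Before: show what the box currently has for both sides of SSL 2.0 ---
'Before:'
foreach ($side in 'Server', 'Client') {
    Get-SchannelProtocolState -Protocol 'SSL 2.0' -Side $side | Format-List Protocol, Side, Enabled, DisabledByDefault
}

# --- Change: the scanner complained about the listening service, so Server is the one that matters;
#     Client is disabled too so the box never negotiates SSL 2.0 outbound either. ---
Disable-SchannelProtocol -Protocol 'SSL 2.0' -Side 'Server'
Disable-SchannelProtocol -Protocol 'SSL 2.0' -Side 'Client'

# --- After: confirm the registry now reflects the hardened state ---
'After:'
foreach ($side in 'Server', 'Client') {
    Get-SchannelProtocolState -Protocol 'SSL 2.0' -Side $side | Format-List Protocol, Side, Enabled, DisabledByDefault
}
if (Test-SchannelProtocolDisabled -Protocol 'SSL 2.0') {
    'SSL 2.0 server-side is disabled in the registry. Reboot, then re-run the external scan (step 7 and 8).'
} else {
    'SSL 2.0 server-side is NOT disabled; check that the script ran elevated.'
}
```

    The check function is deliberately strict: an absent Server subkey is reported as "OS default" rather than as disabled, because on this OS the default is to accept SSL 2.0, which is exactly what the scan in post #1 flagged. The same two functions work for the other protocol names under the SCHANNEL key, but this example only touches SSL 2.0, matching what the thread's steps change.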

    • #3
      Re: PCI Compliance

      I don't know exactly about external compliance, but I do know that SBS is secure by design. That is, if you run the various network and Internet connection wizards, buy a certificate and install it into the right places (as guided by the wizard) then it is safe.
      Without SSL, none of the remote access on SBS will work. Even if you try to come in on port 80 you will be redirected to 443. UTFW and don't mess with them unless absolutely necessary!

      Steven Teiger [SBS-MVP(2003-2009)]
      I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

      We don't stop playing because we grow old, we grow old because we stop playing.