Skip to main content
All CollectionsRemediations
SSL Version 2 and 3 Protocol Detection (Windows) (IIS Crypto) Vulnerability
SSL Version 2 and 3 Protocol Detection (Windows) (IIS Crypto) Vulnerability
Alan Butcher avatar
Written by Alan Butcher
Updated over a week ago

The SSL Version 2 and 3 Protocol Detection Vulnerability when detected with a vulnerability scanner will report it as a CVSS 9.8 (v3).

CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:

Both SSL and TLS are cryptographic protocols designed to secure communications over a network. Originally there were SSL version 1 and version 2. But they had a lot of security holes. Version 3 however did and was widely supported. The problem with version 3 was with the Poodle exploit and people started getting rid of SSLv3. TLS v1.0 was largely based on, (but not compatible with) SSLv3. TLS 1.1 replaced v1.0 (circa 2006). Problems with it prompted TLS 1.2 (circa 2008). Then that was the standard until TLS v1.3 (circa 2018). However: Just because you use the newest protocols does not necessarily mean you are more secure: Most documentation you read says TLS 1.2 ‘Should’ be secure. This is because these protocols are built on cryptographic ciphers and they are only as secure as those ciphers. You can corrupt a strong protocol with a weak cipher and render it less secure. In some cases, you may need to do this, or you might simply enable a web cipher to fix a ‘problem’ without understanding the consequences.

To help remediate this vulnerability, this document will make the use of IIS Crypto tool.

To download IIS Crypto please visit: https://www.nartac.com/Products/IISCrypto/Download

To enable TLSv1.2 please check the box for TLS 1.2 as shown in the image below.

To disable SSLv2.0 please uncheck the box for SSL 2.0 as shown in the image below.

To disable SSLv3.0 please uncheck the box for SSL 3.0 as shown in the image below.

To disable TLSv1.0 please uncheck the box for TLS 1.0 as shown in the image below.

To disable TLSv1.1 please uncheck the box for TLS 1.1 as shown in the image below.

After making all the changes required, reboot the server for the changes to take effect. Restarting the services will now implement the changes.

Did this answer your question?