Configuring IIS 7.5 to be FIPS 140.2 compliant
Posted by tomfanning on Server Fault
Published on 2010-06-04T09:22:14Z
Indexed on 2010/06/10 15:33 UTC
I need to configure IIS 7.5 (Server 2008 R2) to be FIPS 140.2 compliant.
Specifically, this involves disabling all SSL protocols other than TLS 1.0.
I have set the following registry keys:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
to Enabled(DWORD) = 0 as per this KB, but SSL Labs' checker says "SSL 2.0+ Upgrade Support" is enabled. (Everything other than that and TLS 1.0 is not available, so we're getting somewhere.) It also says "FIPS ready - no" - presumably because SSL 2.0+ Upgrade Support is still enabled.
serversniff.net says SSL 2.0 is turned off, and doesn't say anything about SSL 2.0+ Upgrade Support. Could this be an anomaly with SSL Labs' checker?
© Server Fault or respective owner
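An added example, not part of the original question: a PowerShell 2.0-compatible script that audits the three Schannel server keys named above and separates "key missing", "value missing", "Enabled non-zero" and "Enabled = 0". The `-Apply` switch and the function names are hypothetical; only the registry paths and the `Enabled` DWORD come from the post.

```powershell
# Added example: audit (and optionally set) the Schannel server-side protocol
# switches listed in the question. Run from an elevated PowerShell prompt.
param([switch]$Apply)   # hypothetical switch: write Enabled = 0 where it is not already 0

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'PCT 1.0'   # the three protocols from the question

function Get-SchannelServerState {
    param([string]$Protocol)
    $key = Join-Path (Join-Path $base $Protocol) 'Server'
    if (-not (Test-Path -Path $key)) {
        $state = 'KeyMissing'            # no explicit setting for this protocol
    } else {
        $prop = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -eq $prop)             { $state = 'ValueMissing' }
        elseif ($prop.Enabled -eq 0)     { $state = 'Disabled' }
        else                             { $state = 'Enabled' }
    }
    New-Object PSObject -Property @{ Protocol = $Protocol; Key = $key; State = $state }
}

function Disable-SchannelServerProtocol {
    param([string]$Key)
    # Only create the key when absent: New-Item -Force on an existing key would reset it.
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }
    New-ItemProperty -Path $Key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

$report = foreach ($p in $protocols) { Get-SchannelServerState -Protocol $p }

if ($Apply) {
    foreach ($r in ($report | Where-Object { $_.State -ne 'Disabled' })) {
        Disable-SchannelServerProtocol -Key $r.Key
    }
    # Re-read so the table reflects what is now in the registry.
    $report = foreach ($p in $protocols) { Get-SchannelServerState -Protocol $p }
    Write-Warning 'Restart the server before re-testing; Schannel protocol changes need a reboot.'
}

$report | Select-Object Protocol, State, Key | Format-Table -AutoSize
```

Run it without `-Apply` first to record the current state; a `State` of `Disabled` only confirms the registry value, so the externally observed handshake behaviour still has to be checked with a scanner after the reboot.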