Configuring IIS 7.5 to be FIPS 140.2 compliant

Posted by tomfanning on Server Fault See other posts from Server Fault or by tomfanning
Published on 2010-06-04T09:22:14Z Indexed on 2010/06/10 15:33 UTC
Read the original article Hit count: 431

Filed under:
|
|
|

I need to configure IIS 7.5 (Server 2008 R2) to be FIPS 140.2 compliant.

Specifically, this involves disabling all SSL protocols other than TLS 1.0.

I have set the following registry keys:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server

to Enabled(DWORD) = 0 as per this KB, but SSL Labs' checker says "SSL 2.0+ Upgrade Support" is enabled. (Everything other than that and TLS 1.0 is not available, so we're getting somewhere). It also says "FIPS ready - no" - presumably because SSL 2.0+ Upgrade Support is still enabled.

serversniff.net says SSL 2.0 is turned off, and doesn't say anything about SSL 2.0+ Upgrade Support. Could this be an anomaly with SSL Labs' checker?

© Server Fault or respective owner

Related posts about ssl

Related posts about iis7.5