Disabling SSL 2.0/3.0
Our security scans have come back with the following flaw.
SSL 2.0 deprecated protocol
Now I've told our security person this is either a server issue or something with our BigIP, or a false positive, since I've yet to see any information on turning off SSL 2.0 in web.config, and as I'm only in control of what is in the website and not IIS, I don't believe this to be an issue, yet he is still throwing it back at me saying it's a website issue that needs to be fixed.
Question I have is, am I correct to say there is nothing in the website I can do to fix this (setting in web.config) and it is a server issue (IIS), or most likely upgrading SSL etc.?
Most security scan reports come with links next to each issue with directions on how to fix it. Maybe the security person is hiding something from you or just doesn't feel like dealing with the issue.
Anyways, you are correct -- there is no IIS or web.config setting that will fix the problem. Only a registry hack will do it:
http://support.microsoft.com/kb/187498
http://social.technet.microsoft.com/Forums/en/winservergen/thread/74a45b74-8d84-4308-ba14-02e4bc724e27
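
The registry change the answer refers to, as an added example that is not part of the original post or of the linked Microsoft articles: a PowerShell script that reports the Schannel server-side state of SSL 2.0 and SSL 3.0 and, when asked, disables both. The `-Apply` switch and the function names are hypothetical; setting `DisabledByDefault` alongside `Enabled` is an assumption taken from Microsoft's general Schannel registry documentation.

```powershell
# Added example: audit and optionally disable SSL 2.0 / SSL 3.0 for Schannel (server side).
# Run from an elevated prompt on the IIS host. Schannel reads these values at boot,
# so a restart is needed before a rescan will show the change.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0'

function Get-SchannelServerState {
    param([string]$Protocol)
    $key   = Join-Path $base "$Protocol\Server"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Protocol          = $Protocol
        KeyExists         = [bool](Test-Path $key)
        Enabled           = $props.Enabled            # $null means the OS default applies
        DisabledByDefault = $props.DisabledByDefault
    }
}

function Disable-SchannelServerProtocol {
    param([string]$Protocol)
    $key = Join-Path $base "$Protocol\Server"
    # The protocol key often does not exist until an administrator creates it.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

foreach ($p in $protocols) {
    if ($Apply) { Disable-SchannelServerProtocol -Protocol $p }
    Get-SchannelServerState -Protocol $p
}
```

These values only govern connections that Schannel itself terminates on the Windows host; if the scanned TLS session ends on the BigIP, the protocol setting has to be changed there instead.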