Archive for the ‘IIS’ Category

Disable SSL v2.0 in IIS

Friday, February 26th, 2010

While going through a vulnerability scan for PCI compliance, the report noted that IIS 7 on a Small Business Server 2008 was still using SSL v2.0 instead of SSL 3.0 or TLS 1.0. To disable SSL v2.0:

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK. Note: If this value is present, double-click the value to edit its current value.
  6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".
  7. Click OK. Restart the computer.
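
The same change as a script, for servers where PowerShell is installed (an added example, not part of the original post or the Microsoft article). It uses the key path and value name from the steps above; the function names are hypothetical, and it must be run from an elevated prompt.

```powershell
# Added example: audit and disable server-side SSL 2.0 in Schannel.
# Key path and value name come from the manual steps; function names are hypothetical.
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'

function Get-Ssl2ServerState {
    # 'NotConfigured' = key or value absent, so the OS default applies.
    if (-not (Test-Path -Path $ServerKey)) { return 'NotConfigured' }
    $value = (Get-ItemProperty -Path $ServerKey -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $value) { return 'NotConfigured' }

    # The value may have been created as REG_BINARY instead of REG_DWORD;
    # treat it as disabled only when every byte is zero.
    if ($value -is [byte[]]) {
        $nonZero = @($value | Where-Object { $_ -ne 0 }).Count
        if ($nonZero -eq 0) { return 'Disabled' } else { return 'Enabled' }
    }
    if ([int64]$value -eq 0) { return 'Disabled' } else { return 'Enabled' }
}

function Disable-Ssl2Server {
    # Create the key only when it is missing; -Force also creates missing parent keys.
    if (-not (Test-Path -Path $ServerKey)) {
        New-Item -Path $ServerKey -Force | Out-Null
    }
    # -Force overwrites an existing Enabled value, whatever type it was stored as.
    New-ItemProperty -Path $ServerKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-Ssl2ServerState
Write-Output "SSL 2.0 (server side) before: $before"

if ($before -ne 'Disabled') {
    Disable-Ssl2Server
    Write-Output "SSL 2.0 (server side) after:  $(Get-Ssl2ServerState)"
    Write-Output 'Restart the computer for the change to take effect.'
}
```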

IIS negotiates the encryption with the client browser. An attacker could use a tool that tells the server it has only SSL v2 (which is weaker) available. If you disable SSL v2, the server uses only SSL v3 or TLS, as requested by the browser. A browser that supports only SSL v2 would fail to connect.

This applies to Windows Server 2003 and Windows Server 2008, and to both versions of SBS.

http://support.microsoft.com/default.aspx?scid=kb;en-us;187498

Change the Identifier for IIS Websites

Wednesday, March 26th, 2008

First, to find the identifier of an IIS website, you simply need to click the "Websites" folder in the left side of the IIS Manager window. The right pane will list the websites on the server and their respective identifiers. If you need to change one, use the following three commands (assuming the current id is 1 and you want to change it to 2):

CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs STOP_SERVER W3SVC/1
CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs MOVE W3SVC/1 W3SVC/2
CSCRIPT %SYSTEMDRIVE%\Inetpub\AdminScripts\adsutil.vbs START_SERVER W3SVC/2