Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL (IIS 6.0 and ISA)
Posted by J.T. Smith on 01 October 2009 01:06 PM
PCI Compliance is very important these days to protect the security of credit card and other personal data. Third-party PCI Compliance scanning services will often report a "SSL Weak Encryption Algorithms" vulnerability when scanning sites hosted on our VPS or Dedicated Servers, because our default configuration supports older SSL encryption methods. To disable these older SSL encryption methods and allow only SSL 3.0 and TLS 1.0, follow the steps detailed below.
These details are taken from the full articles on the subject found at: http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx and http://support.microsoft.com/kb/245030.
Log in to your server via Remote Desktop (RDP), click Start, then Run, type "regedit" and press Enter. This will open the Registry Editor. Before making any changes to your registry, it is HIGHLY recommended that you have a current full backup of your server, and that you back up the entire registry by exporting it to a file.
Navigate to the "Ciphers" key at: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\. Expand each of: DES 56/56, Null, RC2 40/128, RC4 40/128, & RC4 56/128, and in each create a new DWORD value named "Enabled", leaving the value set to zero. Then expand each of: RC2 128/128, RC4 128/128, & Triple DES 168/168, and in each create a new DWORD value named "Enabled", setting the value to "ffffffff".
Repeat this action in the "Protocols" key at the nearby location: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\. This time expand each of: PCT 1.0 & SSL 2.0, and under both their Client and Server subkeys create a new DWORD value named "Enabled", leaving the value set to zero (0).
Reboot your server, then have the scan repeated; the reported vulnerability should no longer be present.
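The same registry changes can be applied and, more importantly, verified from the command line instead of by hand in regedit. The following PowerShell script is an added example written for this article; it is not from the original blog posts or the KB article. It assumes PowerShell 2.0 or later running in an elevated session on the server, that the SCHANNEL\Ciphers and SCHANNEL\Protocols keys already exist (as they do on Windows Server 2003), and that a registry backup has already been taken. It uses the .NET Microsoft.Win32.Registry API rather than the HKLM: provider because the PowerShell provider treats the "/" in names such as "RC4 40/128" as a path separator and would create the wrong nested keys. The function and variable names are the example's own.

```powershell
# Added example (not from the original article): apply and verify the SCHANNEL
# "Enabled" values described above. Uses the .NET registry API because the
# PowerShell HKLM: provider splits key names containing "/" into nested keys.
# Assumes an elevated PowerShell 2.0+ session; back up the registry first.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Desired state taken from the article: 0 disables, 0xffffffff enables.
$CipherState = @{
    'DES 56/56'          = 0
    'NULL'               = 0
    'RC2 40/128'         = 0
    'RC4 40/128'         = 0
    'RC4 56/128'         = 0
    'RC2 128/128'        = 0xffffffff
    'RC4 128/128'        = 0xffffffff
    'Triple DES 168/168' = 0xffffffff
}
# Protocol entries live under both the Client and Server subkeys.
$ProtocolState = @{
    'PCT 1.0' = 0
    'SSL 2.0' = 0
}

function Get-SchannelKey {
    param([string]$RelativePath, [switch]$Writable)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$RelativePath", [bool]$Writable)
    if ($key -eq $null) { throw "Registry key $SchannelBase\$RelativePath not found" }
    return $key
}

function Set-EnabledValue {
    param([Microsoft.Win32.RegistryKey]$Parent, [string]$SubKeyName, [uint32]$Value)
    $sub = $Parent.CreateSubKey($SubKeyName)   # creates the key or opens it writable
    # REG_DWORD is handled as a signed Int32 by the .NET API, so 0xffffffff
    # has to be written as -1; reinterpret the bytes rather than casting.
    $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
    $sub.SetValue('Enabled', $dword, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}

function Set-SchannelHardening {
    $ciphers = Get-SchannelKey 'Ciphers' -Writable
    foreach ($name in $CipherState.Keys) { Set-EnabledValue $ciphers $name $CipherState[$name] }
    $ciphers.Close()

    $protocols = Get-SchannelKey 'Protocols' -Writable
    foreach ($name in $ProtocolState.Keys) {
        $proto = $protocols.CreateSubKey($name)
        foreach ($side in 'Client', 'Server') { Set-EnabledValue $proto $side $ProtocolState[$name] }
        $proto.Close()
    }
    $protocols.Close()
}

function Get-EnabledValue {
    # Returns the stored value as an unsigned number, or $null when the key or
    # value is absent (SCHANNEL then falls back to its default, i.e. enabled).
    param([Microsoft.Win32.RegistryKey]$Parent, [string]$SubKeyName)
    $sub = $Parent.OpenSubKey($SubKeyName)
    if ($sub -eq $null) { return $null }
    $raw = $sub.GetValue('Enabled')
    $sub.Close()
    if ($raw -eq $null) { return $null }
    return [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$raw), 0)
}

function Test-SchannelHardening {
    # Lists every entry whose current value differs from the desired state.
    $mismatches = @()
    $ciphers = Get-SchannelKey 'Ciphers'
    foreach ($name in $CipherState.Keys) {
        $actual = Get-EnabledValue $ciphers $name
        if ($actual -ne [uint32]$CipherState[$name]) {
            $mismatches += "Ciphers\$name Enabled: expected 0x{0:x8}, found {1}" -f $CipherState[$name], $(if ($actual -eq $null) { 'absent' } else { '0x{0:x8}' -f $actual })
        }
    }
    $ciphers.Close()
    $protocols = Get-SchannelKey 'Protocols'
    foreach ($name in $ProtocolState.Keys) {
        $proto = $protocols.OpenSubKey($name)
        foreach ($side in 'Client', 'Server') {
            $actual = if ($proto -eq $null) { $null } else { Get-EnabledValue $proto $side }
            if ($actual -ne [uint32]$ProtocolState[$name]) {
                $mismatches += "Protocols\$name\$side Enabled: expected 0, found $(if ($actual -eq $null) { 'absent' } else { $actual })"
            }
        }
        if ($proto -ne $null) { $proto.Close() }
    }
    $protocols.Close()
    return $mismatches
}

# Typical use: audit, apply, audit again, then reboot so SCHANNEL reloads.
Test-SchannelHardening          # shows what the scanner would still flag
Set-SchannelHardening
Test-SchannelHardening          # should print nothing before you reboot
```

Running Test-SchannelHardening before the change gives you a record of the server's starting state for the PCI evidence file, and running it again afterwards confirms every value landed under the right key name before the reboot and the rescan. Keys that are merely absent are reported as "absent" rather than as zero, because SCHANNEL treats a missing Enabled value as enabled.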