Comments on: Windows / IIS SSL – Restrict Weak Ciphers

By: Jeff

Jeff — Wed, 11 May 2011 22:58:09 +0000

I just published a free tool that can disable weak protocols and ciphers. Essentially it uses the same registry keys as those articles listed but adds a simple GUI to configure Windows Server 2003/2008.

It is called IIS Crypto and found here: https://www.nartac.com/Products/IISCrypto/Default.aspx

By: clamasters

clamasters — Sun, 20 Feb 2011 15:20:42 +0000

I tried to do some reserch on this as I have not personally had to do it myself. Microsoft's documenation is scary thin for 2008 in regards to cipher security. Everything that I have read points to the same KB article. http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030 I did find this tidbit though. http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1cf01f33-9cbe-4b76-b01c-83923c4cda04 Hopefully this helps.

By: Sebastian

Sebastian — Wed, 16 Feb 2011 22:21:30 +0000

Any Idea on how to do it in Windows 2008 as thesubkeys for cipher does not exist.
Do I need to create the subkeys manually?? If I need to do that, I need to create the complete set as they exists in Windows 2003?
Thanks

By: Eman

Eman — Sat, 30 Oct 2010 00:31:18 +0000

Thanks, this helped me resolve the PCI security issue I was getting with http://www.trustmonitor.com vulnerability scanning.

By: chanda

chanda — Tue, 27 Jul 2010 02:29:49 +0000

fairly new…at SSL, I know this thread is VERY OLD, but can some one tell me how to do this:

Pav, for us we disabled the following:
DES 56/56
RC2 40/128
RC4 40/128
RC4 56/128.

I dont have a clue..as I said, i’m new at this..

By: Removing weak ciphers / protocols from Windows Server 2003 IIS 6 « Jonathan McLeod Blog

Tue, 25 May 2010 18:20:21 +0000

[...] http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/ [...]

By: Steve

Steve — Thu, 21 May 2009 19:31:48 +0000

Hello
In reply to John

It does scan any and all servers behind the public ip… Assuming that this is a netscaler / load balancer for multiple web servers. The Virtual IP assigned represents all of the backend physical ips associated to the individual web sites. Best bet is to determine the physical ips associated to the Virtual IP that is throwing a positive from the scan. When that is done you’ll need to find the actual servers that these reside on. Apply these patches as directed above to those servers. Make sure you capture / back up the existing entries in the registry as I have seen this cause client issues with non IE browsers.

Good Luck!

Steve

By: John

John — Mon, 27 Apr 2009 23:56:12 +0000

Hello,

I am having the same problems with these ciphers and security metrics. I have disabled everything lower than 128 and I am still not passing the scan. Does anyone know if security metrics scans every server and workstation behind our Public IP or is it just the server that is port forwarded? I have been working on this for almost a month now and the security metrics tech support is of no help at ALL (what a joke), they do not even know what their tests scans!! Any help would be greatly appreciated.

Thanks!

By: clamasters

clamasters — Mon, 30 Mar 2009 17:00:05 +0000

Your mileage may vary. I have run this on 30 plus servers with zero issues but usually depending on the OS/Browser version of the client viewing the site/application, you may experience issues.

By: Yong

Yong — Mon, 30 Mar 2009 16:16:32 +0000

Any of this alteration affect your application?