Securing Port 443 SSL

on 02.03.2007 21:20:05 by Russ

Hello,

We recently got audited and were told that we need to do the
following:

Disable SSLv2. Only SSL3 and TLSv1 should be enabled.

Also, disable the ciphers EXP-RC4-MD5 and DES-CBC-MD5.

We're using IIS6.

Any help in how to do this would be greatly appreciated.

Thanks,

Russ

Re: Securing Port 443 SSL

on 03.03.2007 19:50:22 by DaveMo

Hi Russ,

I don't know whether you can configure IIS explicitly, but you can
configure SChannel to adopt the behavior you require.

See http://support.microsoft.com/kb/245030

The following section describes the settings to restrict the protocols
and there's a section right below this that describes how to disable
particular ciphers.

SCHANNEL\Protocols SubKey
The Protocols registry key under the SCHANNEL key is used to control
the use of protocols supported by the Schannel.dll file and to
restrict the protocols use to the TLS server or TLS client.

To prohibit the use of the protocols other than SSL 3.0 or TLS 1.0,
change the DWORD value data of the Enabled value to 0x0 in each of the
following registry keys under the Protocols key:
· SCHANNEL\Protocols\PCT 1.0\Client
· SCHANNEL\Protocols\PCT 1.0\Server
· SCHANNEL\Protocols\SSL 2.0\Client
· SCHANNEL\Protocols\SSL 2.0\Server

Note that this will affect all SSL connections to/from this box so
make sure you test thoroughly. SChannel does default to SSL 3.0 and
RC4 128 if both client and server support it (and almost everything
does) so I wouldn't expect any issues with the configuration
recommended by the audit.

HTH.

Dave


On Mar 2, 12:20 pm, Russ wrote:
> Hello,
>
> We recently got audited and were told that we need to do the
> following:
>
> Disable SSLv2. Only SSL3 and TLSv1 should be enabled.
>
> Also, disable the ciphers EXP-RC4-MD5 and DES-CBC-MD5.
>
> We're using IIS6.
>
> Any help in how to do this would be greatly appreciated.
>
> Thanks,
>
> Russ

Re: Securing Port 443 SSL

on 03.03.2007 21:03:14 by David Wang

Configuring SCHANNEL as the KB suggests is the right way to do what is
asked. IIS, like IE, just uses SCHANNEL for SSL, so changes in
SCHANNEL configuration affect both the server and client.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

On Mar 3, 10:50 am, "DaveMo" wrote:
> Hi Russ,
>
> I don't know whether you can configure IIS explicitly, but you can
> configure SChannel to adopt the behavior you require.
>
> See http://support.microsoft.com/kb/245030
>
> The following section describes the settings to restrict the protocols
> and there's a section right below this that describes how to disable
> particular ciphers.
>
> SCHANNEL\Protocols SubKey
> The Protocols registry key under the SCHANNEL key is used to control
> the use of protocols supported by the Schannel.dll file and to
> restrict the protocols use to the TLS server or TLS client.
>
> To prohibit the use of the protocols other than SSL 3.0 or TLS 1.0,
> change the DWORD value data of the Enabled value to 0x0 in each of the
> following registry keys under the Protocols key:
> · SCHANNEL\Protocols\PCT 1.0\Client
> · SCHANNEL\Protocols\PCT 1.0\Server
> · SCHANNEL\Protocols\SSL 2.0\Client
> · SCHANNEL\Protocols\SSL 2.0\Server
>
> Note that this will affect all SSL connections to/from this box so
> make sure you test thoroughly. SChannel does default to SSL 3.0 and
> RC4 128 if both client and server support it (and almost everything
> does) so I wouldn't expect any issues with the configuration
> recommended by the audit.
>
> HTH.
>
> Dave
>
> On Mar 2, 12:20 pm, Russ wrote:
>
> > Hello,
>
> > We recently got audited and were told that we need to do the
> > following:
>
> > Disable SSLv2. Only SSL3 and TLSv1 should be enabled.
>
> > Also, disable the ciphers EXP-RC4-MD5 and DES-CBC-MD5.
>
> > We're using IIS6.
>
> > Any help in how to do this would be greatly appreciated.
>
> > Thanks,
>
> > Russ
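The SChannel registry changes DaveMo quotes from KB 245030 (and David Wang confirms as the right approach for IIS 6), written out as a script that applies them and then lists the resulting state for review. This is an added example by the editor, not code from the thread, from Microsoft or from the KB article. It assumes the full SCHANNEL path given in KB 245030 (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL) and the Ciphers subkey names from the same article; the mapping of the audit's OpenSSL-style suite names EXP-RC4-MD5 and DES-CBC-MD5 onto those subkeys is the editor's assumption and is labelled as such in the code.

```powershell
# Added example (not from the thread, Microsoft or KB 245030): set Enabled=0 on
# the SChannel protocol and cipher subkeys the audit asked for, then list the
# explicit Enabled values so the change can be reviewed. Run elevated. SChannel
# reads these keys at startup, so reboot before re-testing port 443.
#
# The .NET registry API is used instead of the HKLM: provider because the cipher
# subkey names contain '/', which the PowerShell provider treats as a path
# separator.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Protocol subkeys to disable: the list quoted from the KB in DaveMo's post.
$protocols = @('PCT 1.0\Client', 'PCT 1.0\Server', 'SSL 2.0\Client', 'SSL 2.0\Server')

# Cipher subkeys to disable. KB 245030 names these subkeys; mapping the audit's
# suite names onto them is this example's assumption:
#   EXP-RC4-MD5  = 40-bit export RC4            -> 'RC4 40/128'
#   DES-CBC-MD5  = an SSL 2.0 suite (gone once SSL 2.0 is off); 56-bit DES in
#                  general                       -> 'DES 56/56'
$ciphers = @('RC4 40/128', 'DES 56/56')

function Disable-SchannelSubKey {
    param([Parameter(Mandatory)][string]$RelativePath)
    # CreateSubKey opens the key if it exists and creates it (and any missing
    # parents) otherwise, which matches how the KB expects the keys to be added.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$RelativePath")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelState {
    # Walks a SCHANNEL section recursively and emits one object per key that
    # carries an explicit Enabled value. Keys that are absent fall back to the
    # SChannel built-in defaults and therefore do not appear in the listing.
    param([Parameter(Mandatory)][string]$RelativePath)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$RelativePath")
    if ($null -eq $key) { return }
    try {
        $enabled = $key.GetValue('Enabled')
        if ($null -ne $enabled) {
            [pscustomobject]@{
                Key     = "SCHANNEL\$RelativePath"
                # DWORD comes back as Int32; X8 renders 0xffffffff (enabled) and 0 correctly.
                Enabled = ('0x{0:X8}' -f $enabled)
            }
        }
        foreach ($child in $key.GetSubKeyNames()) {
            Get-SchannelState -RelativePath "$RelativePath\$child"
        }
    } finally {
        $key.Close()
    }
}

foreach ($p in $protocols) { Disable-SchannelSubKey -RelativePath "Protocols\$p" }
foreach ($c in $ciphers)   { Disable-SchannelSubKey -RelativePath "Ciphers\$c" }

@(Get-SchannelState -RelativePath 'Protocols') + @(Get-SchannelState -RelativePath 'Ciphers') |
    Format-Table -AutoSize
```

Two things to check after the reboot: the listing should show 0x00000000 for the four protocol keys and the two cipher keys and nothing for RC4 128/128 or Triple DES 168/168 (left at their defaults, so the server still has strong suites to negotiate), and, as David Wang points out, every SChannel client on the box is affected too, so any outbound SSL connection the server itself makes should be tested alongside IIS.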