Saturday 26 November 2011

Disabling Low ciphers in IIS 6.0

I discussed yesterday that we had done some security hardening for our IIS 6.0 servers. In essence, we have disabled the Low ciphers, i.e. those with a key length shorter than 128 bits, as well as SSL 2.0.
For some annoying reason you have to actually disable the ciphers by creating the Enabled DWORD value under each cipher's key and setting it to 0. If the value is not there, the system assumes it is fine to use the cipher.

You can copy and paste the registry text below into a file, save it with a .reg extension, and then simply double-click it to apply it to your server. Note that the header line must be followed by a blank line or Registry Editor will not accept the file.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
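To confirm that the hardening actually took, here is an audit script I am adding to the post (it is my own example, not something shipped with IIS or Windows). It reads the same five keys as the .reg file above and reports whether each one exists and has Enabled set to 0; the -Apply switch and the target list are my own assumptions, chosen to mirror the .reg file exactly. It uses the .NET registry classes rather than the HKLM: drive because the cipher key names contain a "/" (e.g. "RC4 40/128"), which the PowerShell registry provider would otherwise split into nested keys.

```powershell
# Added example (not part of the original post): audit, and optionally set,
# the SChannel cipher/protocol "Enabled" values that the .reg file above writes.
# A missing key or a missing "Enabled" value means SChannel treats the cipher
# as enabled, so both cases are flagged, not just a non-zero value.
param([switch]$Apply)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Assumed target list: the same entries as the .reg file in the post.
$targets = @(
    "$base\Ciphers\DES 56/56",
    "$base\Ciphers\RC2 40/128",
    "$base\Ciphers\RC4 40/128",
    "$base\Ciphers\RC4 56/128",
    "$base\Protocols\SSL 2.0\Server"
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine

foreach ($path in $targets) {
    # Open read-only; OpenSubKey returns $null when the key does not exist.
    $key = $hklm.OpenSubKey($path, $false)
    if ($null -eq $key) {
        $state = 'MISSING key (treated as enabled)'
    } else {
        $value = $key.GetValue('Enabled')
        $key.Close()
        if ($null -eq $value) {
            $state = 'no Enabled value (treated as enabled)'
        } elseif ($value -eq 0) {
            $state = 'disabled'
        } else {
            $state = 'enabled (Enabled=0x{0:X8})' -f $value
        }
    }
    Write-Output ('{0,-72} {1}' -f $path, $state)

    # With -Apply, create the key if needed and write Enabled as a REG_DWORD 0,
    # which is exactly what the .reg file does.
    if ($Apply -and $state -ne 'disabled') {
        $writable = $hklm.CreateSubKey($path)
        $writable.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $writable.Close()
        Write-Output ('{0,-72} {1}' -f $path, 'set Enabled=0 (reboot required)')
    }
}
```

Run it from an elevated prompt on the server: without -Apply it only reports, so it doubles as a check you can run after the reboot to prove the change stuck. Like the .reg file, any change it makes to these SChannel settings does not take effect until the server is restarted.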
