
SSL Ciphers IIS 5.0

A recent security scan on an IIS 5.0 box discovered that the server allows weak ciphers.

I found out how to disable unwanted ciphers, but I am unsure which to disable.

http://support.microsoft.com/default.aspx?scid=kb;en-us;216482

I want to disable anything less than 128-bit encryption.

Suggestions??
Asked: testtest25

spacity69 Commented:
I would only enable the ones with 128/128 or higher. RC2 would also be disabled on my servers. You also should only enable SSLv3.

tmehmet Commented:
Agreed. Use 128 and above and you should be OK.

The only thing to watch out for is that if you have users with older browsers, they may not be capable of the higher levels (128+), and by leaving the ciphers it allows clients (e.g. browsers) to negotiate a lower level of encryption.

Most people don't even realise this.

spacity69 Commented:
True, the user just asked about 128 though. I usually leave an export 40-bit enabled with a step-up certificate, then have the web server display a nice message saying, hey, you need 128-bit SSL to use the rest of my site.

I use iPlanet web servers though, not IIS :)
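An added example, not part of the original thread: a Python script that applies the policy the answers describe (keep only 128/128 or higher, disable RC2) and writes the matching Schannel `Enabled` values as a .reg file. The cipher subkey names and the registry path are assumptions taken from Microsoft's Schannel documentation rather than from this page; check them against the Ciphers key on the server before importing anything.

```python
import re

# Schannel cipher subkey names (assumed from Microsoft's Schannel documentation,
# not listed on this page; confirm against the Ciphers key on the server).
SCHANNEL_CIPHERS = [
    "DES 56/56", "NULL", "RC2 40/128", "RC2 56/128", "RC2 128/128",
    "RC4 40/128", "RC4 56/128", "RC4 64/128", "RC4 128/128",
    "Triple DES 168/168",
]
BASE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
        r"\SecurityProviders\SCHANNEL\Ciphers")
NAME_RE = re.compile(r"^(?P<alg>.+?) (?P<eff>\d+)/(?P<total>\d+)$")


def keep_enabled(name, min_bits=128, banned_algs=("RC2",)):
    """True if the cipher meets the thread's policy: effective key >= min_bits, not RC2."""
    m = NAME_RE.match(name)
    if m is None:          # e.g. "NULL": no encryption at all, never acceptable
        return False
    if m.group("alg") in banned_algs:
        return False
    # The first number is the effective key length: "RC4 40/128" is a 40-bit
    # export cipher even though its name contains 128.
    return int(m.group("eff")) >= min_bits


def build_reg(ciphers=SCHANNEL_CIPHERS, **policy):
    """Return .reg file text that sets Enabled explicitly for every listed cipher."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name in ciphers:
        value = "ffffffff" if keep_enabled(name, **policy) else "00000000"
        lines += [f"[{BASE}\\{name}]", f'"Enabled"=dword:{value}', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Print the decision per cipher so it can be reviewed before writing the file.
    for name in SCHANNEL_CIPHERS:
        print(f"{'enable ' if keep_enabled(name) else 'disable'}  {name}")
```

The entries this turns off include the 40-bit and 56-bit export ciphers, which is the older-browser trade-off raised in the thread.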
