PCI scan fails Security Metrics

Posted on 2012-09-11
Last Modified: 2012-09-28

I have been researching this for a week now and have tried everything, even the advice from a similar question here on EE.  I am running a website on a Windows 2008 R2 Standard server running IIS7.  My PCI scan fails because these block ciphers need to be disabled:
> Cipher_Strength: HIGH
>       Proto   Cipher       Encryption
>       -------------------------------
>       TLSv1 : AES256-SHA : 256
>       TLSv1 : AES128-SHA : 128
>       TLSv1 : DES-CBC3-SHA : 168
>       SSLv3 : DES-CBC3-SHA : 168
Sounds simple enough, but I can't seem to find a definite answer on this.  Any help is greatly appreciated.

Question by: W2Market

    Accepted Solution

    Assisted Solution

    You are not alone. Actually I have contacted Microsoft on this same issue and Security Metrics keeps pointing to MS10-049, which has been superseded by 10-085 and then again by MS12-006 (I did send this to Security Metrics as well). By the way, if you do disable the ciphers there is a good chance that RDP will no longer work.

    Here is what Microsoft said

    I did some research on this and came across a few blog posts related to the identified ciphers. Please review them at your convenience and let me know if you have additional questions. Keep in mind, these blog posts are nearing a year old (although they have been updated to reflect MS12-006), so it is curious why your vendor would just now point them out. From what I have read, it looks like as long as you have installed MS12-006 and MS11-099 you should have little exposure to this vulnerability. However, we do recommend using TLS 1.1 and 1.2 if possible, and if the vendor requires you to disable the ciphers to be PCI compliant, you may need to do so. Regardless, the vendor should update their scan to more clearly identify the vulnerability rather than simply pointing you to MS10-049. Thanks.

    Author Closing Comment

    Both of you were really helpful but it was Tony1044's link to

    which really solved the issue.  Not only did I have to disable the Ciphers in the registry I also had to eliminate them from the priority list as well.  As long as they were available in that list, Security Metrics was seeing them as available.

    The IIS Crypto program made it really easy to apply these registry changes.
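As an added example that is not part of the original thread: a read-only PowerShell audit for a Windows 2008 R2 / IIS 7 host that checks both places the closing comment refers to, the SCHANNEL cipher enable flags in the registry and the cipher-suite priority list, for the ciphers the scan named. The registry locations are the standard SCHANNEL and CNG ones; the mapping from the scanner's OpenSSL-style names to Windows key and suite names is an assumption made for this example.

```powershell
# Added example (not from the original post). Reports whether the scanned ciphers are
# still enabled via SCHANNEL\Ciphers and whether they still appear in the cipher-suite
# priority list. Registry paths are the standard ones; the name mapping is an assumption.
$Schannel    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$PolicyOrder = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$LocalOrder  = 'SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

# Scanner name -> SCHANNEL\Ciphers subkey, and scanner name -> Windows cipher-suite names
$CipherKeys = @{ 'AES256-SHA' = 'AES 256/256'; 'AES128-SHA' = 'AES 128/128'; 'DES-CBC3-SHA' = 'Triple DES 168' }
$SuiteNames = @{
    'AES256-SHA'   = @('TLS_RSA_WITH_AES_256_CBC_SHA')
    'AES128-SHA'   = @('TLS_RSA_WITH_AES_128_CBC_SHA')
    'DES-CBC3-SHA' = @('TLS_RSA_WITH_3DES_EDE_CBC_SHA')
}

function Get-RegValue([string]$SubKey, [string]$Name) {
    # Use the .NET registry API instead of HKLM:\ paths: the PowerShell registry provider
    # treats the '/' in key names such as 'AES 128/128' as a path separator, .NET does not.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

# 1. Per-cipher Enabled flags. A missing key or value means enabled (the Windows default).
foreach ($name in $CipherKeys.Keys) {
    $enabled = Get-RegValue "$Schannel\Ciphers\$($CipherKeys[$name])" 'Enabled'
    $state = if ($enabled -eq 0) { 'disabled' } else { 'ENABLED (default, or Enabled is non-zero)' }
    '{0,-13} key [{1}]: {2}' -f $name, $CipherKeys[$name], $state
}

# 2. SSL 3.0 on the server side (the scan listed DES-CBC3-SHA under SSLv3 as well).
$ssl3 = Get-RegValue "$Schannel\Protocols\SSL 3.0\Server" 'Enabled'
'SSL 3.0 server: ' + $(if ($ssl3 -eq 0) { 'disabled' } else { 'ENABLED' })

# 3. Cipher-suite priority list. A group-policy order (REG_SZ, comma separated) takes
#    precedence; otherwise the local default order (REG_MULTI_SZ) applies. A suite still
#    listed here is offered to clients even when step 1 looks fine, which is what the
#    scanner kept seeing in the thread above.
$policy = Get-RegValue $PolicyOrder 'Functions'
$list   = if ($policy) { $policy -split ',' } else { @(Get-RegValue $LocalOrder 'Functions') }
$source = if ($policy) { 'policy' } else { 'local default' }
foreach ($name in $SuiteNames.Keys) {
    $present = @($SuiteNames[$name] | Where-Object { $list -contains $_ })
    $where = if ($present) { $present -join ', ' } else { 'not listed' }
    '{0,-13} in {1} priority list: {2}' -f $name, $source, $where
}
```

The script only reads the registry; run it from an elevated prompt before and after applying changes (for example with IIS Crypto) and re-scan, since SCHANNEL changes take effect after a reboot.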


    Expert Comment

    Glad to have helped. These things can be a pain sometimes.
