PCI scan fails Security Metrics


I have been researching this for a week now and have tried everything, even the advice from a similar question here on EE.  I am running a website on a Windows 2008 R2 Standard server running IIS7.  My PCI scan fails because these block ciphers need to be disabled:
> Cipher_Strength: HIGH
>       Proto   Cipher       Encryption
>       -------------------------------
>       TLSv1 : AES256-SHA : 256
>       TLSv1 : AES128-SHA : 128
>       TLSv1 : DES-CBC3-SHA : 168
>       SSLv3 : DES-CBC3-SHA : 168
Sounds simple enough, but I can't seem to find a definite answer on this.  Any help is greatly appreciated.

Who is Participating?
Tony JLead Technical ArchitectCommented:
You are not alone....Actually I have contacted Microsoft on this same issue and security metrics keeps pointing to MS10-049 which has been superceeded by 10-085 then again by MS12-006 ( I did send this to security metrics as well).  By the way if you do disable the ciphers there is a good chance that RDP will no longer work.

Here is what Microsoft said

I did some research on this and came across a few blog posts related to the identified ciphers.  Please review them at your convenience and let me know if you have additional questions.  Keep in mind, these blog posts are nearing a year old (although they have been updated to reflect MS12-006) so it is curious why your vendor would just now point them out.  From what I have read, it looks like as long as you have installed MS12-006 and MS11-099 you should have little exposure to this vulnerability.  However, we do recommending using TLS 1.1 and 1.2 if possible, and if the vendor requires you to disable the ciphers to be PCI compliant, you may need to do so. Regardless, the vendor should update their scan to more clearly identify the vulnerability rather than simply pointing you to MS10-049.  Thanks.

http://technet.microsoft.com/en-us/security/bulletin/ms12-006 (Review the FAQ)
W2MarketAuthor Commented:
Both of you were really helpful but it was Tony1044's link to

which really solved the issue.  Not only did I have to disable the Ciphers in the registry I also had to eliminate them from the priority list as well.  As long as they were available in that list, Security Metrics was seeing them as available.

The IIS crypto program made it really easy to apply these registry changes.

Tony JLead Technical ArchitectCommented:
Glad to have helped. These things can be a pain sometimes.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.