SSL RC4 in TLS weak

I ran an SSL test on my domain and I got the following:

TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK

IE 6 / XP   No FS 1        No SNI 2       Protocol or cipher suite mismatch  

RC4   Yes   WEAK

Should I disable RC4 from TLS? I downloaded a tool called IIS Crypto which allows me to uncheck items I shouldn't use; it also has templates for:

PCI
FIPS 140-2

Should I use those or simply uncheck RC4?

[Screenshot of utility to configure SSL]

Aleks asked:

btan (Exec Consultant) commented:
Yes, you should disable RC4, though initially it seemed alright against a threat called the BEAST attack; see:

"... Unfortunately, the only way to mitigate the BEAST attack is to enforce the use of RC4 suites whenever TLS 1.0 and earlier protocols are used (which is most of the time at this point).

I say "unfortunately", because very shortly after we had started requiring server-side mitigations, new research about RC4 came out and we found out that this cipher was much weaker than previously thought. The weaknesses were not of immediate concern, but it was clear that RC4 was on the way out."

You should also disable MD5, which is a weak hash; SHA is better but also weak. Go for the MD5 disable first, then. SHA is going to be relinquished in 2016 and the SHA2 family is the way forward. You can also minimally stay with TLS 1.0.

Overall, see the IIS Crypto FAQ, "What is the Best Practices cipher suite order?":

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
https://www.nartac.com/Products/IISCrypto/FAQ.aspx
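IIS Crypto's RC4/MD5 checkboxes simply write the documented Schannel registry keys. As an added example that is not part of the thread and not IIS Crypto's own code, the script below does the same for the three RC4 cipher keys and the MD5 hash key, shows the before/after state, and honours -WhatIf so the change can be reviewed before it is made. These keys only govern which suites Schannel will negotiate; the server certificate itself is not touched.

```powershell
#Requires -RunAsAdministrator
# Added example: disable RC4 ciphers and the MD5 hash in Schannel via the documented
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL keys (Enabled = 0).
# Schannel reads these keys at boot, so a reboot is required for the change to apply.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Key names such as "RC4 128/128" contain a forward slash, which the PowerShell registry
# provider treats as a path separator, so the .NET registry API is used throughout.
$targets = @('Ciphers\RC4 128/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 40/128', 'Hashes\MD5')

function Get-SchannelState {
    # Returns each target key's Enabled value, or a note when the key or value is absent
    # (absent means Windows applies its built-in default for that algorithm).
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath)
    $state = [ordered]@{}
    foreach ($t in $targets) {
        $key = $base.OpenSubKey($t)
        if ($null -eq $key) { $state[$t] = 'key absent (OS default)'; continue }
        $v = $key.GetValue('Enabled')
        $state[$t] = if ($null -eq $v) { 'no Enabled value (OS default)' } else { $v }
        $key.Close()
    }
    $base.Close()
    return $state
}

function Disable-SchannelAlgorithms {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath, $true)
    foreach ($t in $targets) {
        if ($PSCmdlet.ShouldProcess("HKLM:\$schannelPath\$t", 'Set Enabled = 0 (DWORD)')) {
            $key = $base.CreateSubKey($t)   # creates the Ciphers\ or Hashes\ parent if needed
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.Close()
        }
    }
    $base.Close()
}

'Before:'; Get-SchannelState | Format-Table -AutoSize | Out-Host
Disable-SchannelAlgorithms
'After (reboot for Schannel to apply):'; Get-SchannelState | Format-Table -AutoSize | Out-Host
```

Run it once with -WhatIf to see which keys would be written, then without, and re-run the external SSL test after the reboot to confirm RC4 and MD5 suites are no longer offered.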

Aleks (Author) commented:
Will the SSL certificate still work with RC4 and MD5 disabled?
btan (Exec Consultant) commented:
No, you have to submit a new SSL CSR to get the right crypto in that SSL server cert. There is no way out once IIS Crypto enforces the OS policy on the supported algorithms (e.g. Schannel crypto); otherwise, you will not be able to get a better score. Or have a proxy in front of the web server to serve out the new SSL cert on its behalf, but that is a false sense of security really. Some use an application delivery controller like F5 and Citrix boxes.
Aleks (Author) commented:
I disabled both and the website comes up with no problems. I am able to log in, etc. Then I ran the score again and got "A" instead of "B". I guess you can.
Aleks (Author) commented:
Thanks