SWEET32 bug PCI compliance

Hi,
We keep failing the PCI compliance. I have already disabled the recommended ciphers and protocols except for TLS 1.0 (but I believe it breaks RDP when disabled on the SBS2011 server).
We're failing the following:
443 TCP WWW service: SSL 64-bit block size cipher suites supported, and Medium Strength cipher suites supported.

Don't want to use the cryptoIIS tool as I'm not certain if it'll break other things in an SBS 2011 environment. I'm trying to do one of the following as a mitigation solution (that I need your help on). Can anyone give me steps for applying one of the mitigation factors below?

Mitigations Against SWEET32
The authors of the paper recommend three main ways of dealing with the SWEET32 attack:
All web servers should be configured to prefer 128-bit (or higher) ciphers.
3DES should be offered by web browsers as fallback-only, even if the servers prefer 3DES over AES for encrypted connections.
TLS libraries should limit the length of TLS sessions with a 64-bit cipher.
seven45 Asked:

btan (Exec Consultant) Commented:
Weak ciphers such as RC4, DES, 3DES, etc. should be disabled in SSL configuration and strong ciphers such as AES should be enabled, for security.

Locate the following security registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Go to the ‘SCHANNEL\Ciphers’ subkey, which is used to control the ciphers such as DES and RC4.

Edit the subkey ‘SCHANNEL\Ciphers\Triple DES 168’ and set the DWORD value data to 0x0.

The above is to disable the 3DES cipher from your Windows server.

Registry edits should be done very carefully, and a server restart may be required for the updates to come into effect.
0
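
The registry change described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes the DWORD under the 'Triple DES 168' subkey is the standard SCHANNEL value named `Enabled` (the answer does not name it), and the backup file path is a placeholder. The setting is system-wide, so it applies to every service that uses SCHANNEL, not only IIS on port 443.

```powershell
# Added example: audit, back up, then disable 3DES in SCHANNEL.
# Written to run on the PowerShell 2.0 that ships with SBS 2011.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed backup location; change as needed.
    [string]$BackupFile = "$env:SystemDrive\schannel-backup.reg"
)

$regRoot  = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$tdesPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'

# Registry writes under HKLM need an elevated session.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session.' }

function Get-TdesState {
    # A missing key or value means the OS default applies (3DES offered).
    if (-not (Test-Path $tdesPath)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $tdesPath -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

Write-Output "3DES state before: $(Get-TdesState)"

if ((Get-TdesState) -ne 'Disabled' -and
    $PSCmdlet.ShouldProcess($tdesPath, 'Set Enabled = 0')) {

    # Export the whole SCHANNEL branch first so the change can be rolled back.
    & reg.exe export $regRoot $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regRoot failed; nothing was changed." }

    # The subkey does not exist on a default install, so create it if needed.
    if (-not (Test-Path $tdesPath)) { New-Item -Path $tdesPath -Force | Out-Null }
    New-ItemProperty -Path $tdesPath -Name Enabled -PropertyType DWord `
        -Value 0 -Force | Out-Null

    Write-Output "3DES state after: $(Get-TdesState)"
    Write-Output "Backup written to $BackupFile. A restart may be required."
}
```

Saved as a .ps1 file, the script accepts `-WhatIf` to show the planned change without writing to the registry.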

btan (Exec Consultant) Commented:
As per advice given.
0