sweet32 bug pci compliance

seven45 used Ask the Experts™
We keep failing the PCI compliance. Have already disabled the recommended ciphers and protocols except for TLS 1.0 (but I believe it breaks RDP when disabled on the SBS2011 server).
We're failing the following:
443 TCP WWW service: SSL 64 bit block size cipher suites supported, and Medium Strength cipher suites supported.

Don't want to use the cryptoIIS tool as I'm not certain if it'll break other things in an SBS 2011 environment. I'm trying to do one of the following as a mitigation solution (that I need your help on). Can anyone give me steps for applying one of the mitigation factors below?

Mitigations Against SWEET32
The authors of the paper recommend three main ways of dealing with the SWEET32 attack:
All web servers should be configured to prefer 128-bit (or higher) ciphers.
3DES should be offered by web browsers as fallback-only, even if the servers prefer 3DES over AES for encrypted connections.
TLS libraries should limit the length of TLS sessions with a 64-bit cipher.
Exec Consultant
Distinguished Expert 2018
Weak ciphers such as RC4, DES, 3DES, etc. should be disabled in SSL configuration and strong ciphers such as AES should be enabled, for security.

Locate the following security registry key:

Go to the ‘SCHANNEL\Ciphers’ subkey, which is used to control the ciphers such as DES and RC4.

Edit the subkey ‘SCHANNEL\Ciphers\Triple DES 168’ and set the DWORD value data to 0x0.

The above is to disable the 3DES cipher from your Windows server.

Registry edits should be done very carefully, and a server restart may be required for the updates to come into effect.
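
The registry change described in the answer above, as an added PowerShell example (not part of the original answer). It assumes the standard SCHANNEL location under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders and the `Enabled` DWORD value name, neither of which the answer spells out; the backup file name is a placeholder.

```powershell
# Added example: disable 3DES in SCHANNEL (SWEET32 mitigation).
# Run from an elevated PowerShell prompt on the server.
# Assumed: standard SCHANNEL registry location and the "Enabled" value name.
$regPath   = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$cipherKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168"
$backup    = Join-Path $env:TEMP 'schannel-backup.reg'   # placeholder file name

# Report how the cipher is currently configured, including the
# "nothing set" cases where the operating system default applies.
function Get-CipherState {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return 'not configured (OS default applies)' }
    $prop = Get-ItemProperty -Path $Path -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'key exists, Enabled not set (OS default applies)' }
    if ($prop.Enabled -eq 0) { return 'disabled' }
    return ('enabled (0x{0:X})' -f $prop.Enabled)
}

Write-Output ("Before: Triple DES 168 is {0}" -f (Get-CipherState $cipherKey))

# 1. Export the SCHANNEL branch first, as a record of the prior settings.
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $backup failed; no changes made." }

# 2. Create the subkey only if it is missing (re-creating an existing
#    key would drop any values already stored under it).
if (-not (Test-Path -Path $cipherKey)) {
    New-Item -Path $cipherKey -Force | Out-Null
}

# 3. Set the DWORD value data to 0x0, which disables the 3DES cipher.
New-ItemProperty -Path $cipherKey -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null

Write-Output ("After:  Triple DES 168 is {0}" -f (Get-CipherState $cipherKey))
Write-Output "Backup: $backup"
Write-Output 'A server restart may be required for the change to take effect.'
```

Once the change is active, re-run the PCI scan against port 443 to confirm the 64-bit block size finding has cleared.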
btan
Exec Consultant
Distinguished Expert 2018

As per advice given.
