We help IT Professionals succeed at work.

pci compliance helps

Attached screenshot is what we have for the web server.  It is just IIS window 2012.
Do you have any ideas which one should be checked?

currentwe host our web server in house, and we recently require to work with pci compliance vendor to get compliance.
After it is scanned, we have just 5 issues related to Cipher in our web server.
do you know any tools we can use and hope to get it fixed? below is one of those.


Impact
The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0. These versions of SSL are affected by several cryptographic flaws, including: - An insecure padding scheme with CBC ciphers. - Insecure session renegotiation and resumption schemes. An attacker can exploit these flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected service and clients. Although SSL/TLS has a secure means for choosing the highest supported version of the protocol (so that these versions will be used only if the client or server support nothing better), many web browsers implement this in an unsafe way that allows an attacker to downgrade a connection (such as in POODLE). Therefore, it is recommended that these protocols be disabled entirely. NIST has determined that SSL 3.0 is no longer acceptable for secure communications. As of the date of enforcement found in PCI DSS v3.1, any version of SSL will not meet the PCI SSC's definition of 'strong cryptography'. See also : https://www.schneier.com/academic/paperfiles/paper-ssl.pdf http://www.nessus.org/u?b06c7e95 http://www.nessus.org/u?247c4540 https://www.openssl.org/~bodo/ssl-poodle.pdf http://www.nessus.org/u?5d15ba70 https://www.imperialviolet.org/2014/10/14/poodle.html https://tools.ietf.org/html/rfc7507 https://tools.ietf.org/html/rfc7568

Resolution
Consult the application's documentation to disable SSL 2.0 and 3.0. Use TLS 1.1 (with approved cipher suites) or higher instead.
Comment
Watch Question

Exec Consultant
Distinguished Expert 2019
Commented:
Should try to load the best practice of PCI 3.2 that the tool supports but not it may break the RDP connection from clients as they may be using TLS1.0 still.

The practice will disable TLS 1.0 and 1.1 which may break client connections to your website. Once apply do a reboot too.

These are under the OS setting and you should get the latest patch updated as well.