Identify and disable weak cipher suites Windows server 2008 / IIS 7


The solution was given to me on Security.StackExchange:

Using "IIS Crypto" on the server allowed me to visualize the cipher suites and very easily remove the weak ones.

Author by DonQi

Updated on June 15, 2022

Comments

  • DonQi, almost 2 years ago

    I'm asking a question on a subject that is pure Chinese to me. Sorry in advance.

    A security scan run prior to the deployment of a web application on Windows Server 2008 R2 has raised the message below:

    Weak SSL Cipher Suites are Supported

    Reconfigure the server to avoid the use of weak cipher suites. The configuration changes are server-specific.

    SSLCipherSuite HIGH:MEDIUM:!MD5!EXP:!NULL:!LOW:!ADH

    For Microsoft Windows Vista, Microsoft Windows 7, and Microsoft Windows Server 2008, remove the cipher suites that were identified as weak from the Supported Cipher Suite list by following these instructions:

    http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

    I've tried understanding the MSDN information, but I'm totally lost in there.

    First of all, I do not understand which cipher suite should be removed or disabled.

    And then, how am I supposed to run the code given as an example to remove a cipher suite?

    #include <stdio.h>
    #include <windows.h>
    #include <bcrypt.h>
    #pragma comment(lib, "bcrypt.lib")   /* link the CNG library (MSVC); must run as Administrator */

    int main(void)
    {
        NTSTATUS Status;
        /* The cipher suite to remove from Schannel's machine-local SSL configuration. */
        LPCWSTR wszCipher = L"TLS_RSA_WITH_RC4_128_SHA";

        Status = BCryptRemoveContextFunction(
                    CRYPT_LOCAL,                /* machine-local configuration table */
                    L"SSL",                     /* the Schannel context */
                    NCRYPT_SCHANNEL_INTERFACE,  /* the cipher-suite function table */
                    wszCipher);
        if (!BCRYPT_SUCCESS(Status)) {
            printf("BCryptRemoveContextFunction failed: 0x%08lx\n", (unsigned long)Status);
            return 1;
        }
        printf("Removed %ls from the SSL context\n", wszCipher);
        return 0;
    }
    

    Again, sorry for the total lack of knowledge here!
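As an added example (not from the question or the answer above), this PowerShell script does on the server what IIS Crypto does in its GUI: it reads the Schannel cipher suite list from the registry, flags the suites that fall into the categories the scanner's `!MD5:!EXP:!NULL:!LOW:!ADH` spec excludes (plus RC4, which the MSDN sample removes), and optionally writes the remaining suites back as a Group Policy override. The registry paths, the name patterns and the `$Apply` switch are assumptions drawn from Windows Schannel documentation, not from this page.

```powershell
# Added example: audit and harden the Schannel cipher suite list on Windows Server 2008 R2.
# Assumed locations: the default list is REG_MULTI_SZ "Functions" under the Local key;
# a Group Policy override is REG_SZ "Functions" (comma-separated) under the Policies key.
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$Apply     = $false   # set to $true to write the hardened list; default is report-only

# Substrings of Windows suite names that map to the scanner's excluded classes:
# MD5 hashing, export-grade, NULL encryption, single DES (LOW), anonymous DH (ADH), RC4.
# "_DES_CBC_" does not match 3DES ("_3DES_EDE_CBC_"), which the scan still allows.
$WeakPatterns = @('_MD5', 'EXPORT', '_NULL_', '_DES_CBC_', 'DH_anon', '_RC4_')

function Get-CurrentSuites {
    # A policy override takes precedence over the local default, as it does in Schannel.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        return ($policy.Functions -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    $local = Get-ItemProperty -Path $LocalKey -Name Functions -ErrorAction Stop
    return @($local.Functions)   # REG_MULTI_SZ is already returned as an array
}

function Test-WeakSuite([string]$Suite) {
    # -like is case-insensitive, so 'DH_anon' also matches 'DH_ANON' style names.
    foreach ($p in $WeakPatterns) { if ($Suite -like "*$p*") { return $true } }
    return $false
}

$current = @(Get-CurrentSuites)
$weak    = @($current | Where-Object { Test-WeakSuite $_ })
$strong  = @($current | Where-Object { -not (Test-WeakSuite $_) })

Write-Host "Enabled suites: $($current.Count); flagged as weak: $($weak.Count)"
$weak   | ForEach-Object { Write-Host "  REMOVE  $_" }
$strong | ForEach-Object { Write-Host "  KEEP    $_" }

if ($Apply -and $weak.Count -gt 0) {
    # Write the hardened order as a policy override; Schannel reads it after a reboot.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name Functions -PropertyType String `
        -Value ($strong -join ',') -Force | Out-Null
    Write-Host "Policy override written with $($strong.Count) suites; reboot to apply."
}
```

Run it once in report-only mode and compare the REMOVE list against the scanner's findings before setting `$Apply`; the policy override replaces the whole order, so every suite you still need must be in the KEEP list.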