Disabling weak ciphers on Windows 2003

Posted by Kev on Server Fault See other posts from Server Fault or by Kev
Published on 2011-02-10T13:11:54Z Indexed on 2011/03/07 0:12 UTC
Read the original article Hit count: 477

For PCI-DSS compliance you have to disable weak ciphers. PCI-DSS permits a minimum cipher size of 128 bits.

However for the highest score (0 I believe) you should only accept 168 bit ciphers but you can still be compliant if you permit 128 bit ciphers.

The trouble is that when we disable all but 168 bit encryption it seems to disable both inbound and out bound secure channels.

For example we'd like to lock down inbound IIS HTTPS to 168 bit ciphers but permit outbound 128 bit SSL connections to payment gateways/services from service applications running on the server (not all payment gateways support 168 bit only we just found out today).

Is it possible to have cipher asymmetry on Windows 2003? I am told it is all or nothing.

© Server Fault or respective owner

Related posts about windows-server-2003

Related posts about ssl