Disabling weak ciphers on Windows 2003
Posted by Kev on Server Fault, published on 2011-02-10T13:11:54Z.
For PCI-DSS compliance you have to disable weak ciphers. PCI-DSS permits a minimum cipher size of 128 bits.
However, for the highest score (0, I believe) you should only accept 168 bit ciphers, but you can still be compliant if you permit 128 bit ciphers.
The trouble is that when we disable all but 168 bit encryption it seems to disable both inbound and outbound secure channels.
For example, we'd like to lock down inbound IIS HTTPS to 168 bit ciphers but permit outbound 128 bit SSL connections to payment gateways/services from service applications running on the server (not all payment gateways support 168 bit only, we just found out today).
Is it possible to have cipher asymmetry on Windows 2003? I am told it is all or nothing.
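The cipher switches the question refers to live under the SChannel `Ciphers` registry key, and each switch is global to the SChannel provider on that host: it applies whether the machine is acting as a TLS server (IIS) or as a TLS client (the service applications calling the payment gateways), which is consistent with what the post observes. The following audit and hardening script is an added example and is not part of the original Server Fault post or any answer to it. It assumes the documented `SCHANNEL\Ciphers\<name>\Enabled` DWORD layout (0 = disabled, 0xFFFFFFFF = enabled, key or value absent = Windows default) and uses the .NET registry API because several cipher key names contain a `/`, which the PowerShell registry provider would otherwise treat as a path separator. The minimum of 168 bits and the function names are assumptions for illustration.

```powershell
# Added example (not from the original post): audit and, on request, disable
# SChannel ciphers below a chosen key length. Assumes Windows 2003+ with the
# documented HKLM\...\SCHANNEL\Ciphers\<name>\Enabled layout. Run elevated.
$ciphersRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Cipher subkey names as documented for SChannel (the '/' in most of them is why
# the .NET Registry API is used below instead of HKLM:\ paths).
$cipherNames = @(
    'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
    'Triple DES 168', 'AES 128/128', 'AES 256/256'
)

function Get-CipherKeyBits([string]$Name) {
    # Effective key length is the first number in the name:
    # 'RC2 40/128' -> 40, 'Triple DES 168' -> 168, 'NULL' -> 0
    if ($Name -match '(\d+)') { return [int]$Matches[1] }
    return 0
}

function Get-SchannelCipherState {
    # One object per cipher: name, key bits, and the switch state read from the registry.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($name in $cipherNames) {
        $enabled = $null
        $key = $hklm.OpenSubKey("$ciphersRoot\$name", $false)
        if ($key -ne $null) {
            $enabled = $key.GetValue('Enabled')
            $key.Close()
        }
        # Absent key/value = Windows default (cipher allowed); 0 = disabled; anything else = enabled.
        if ($enabled -eq $null)  { $state = 'default (allowed)' }
        elseif ($enabled -eq 0)  { $state = 'disabled' }
        else                     { $state = 'enabled' }
        New-Object PSObject -Property @{
            Cipher  = $name
            Bits    = (Get-CipherKeyBits $name)
            Enabled = $state
        }
    }
}

function Set-SchannelCipher([string]$Name, [bool]$Enable) {
    # Writes the Enabled DWORD; CreateSubKey creates the cipher key if it is missing.
    # A DWORD of 0xFFFFFFFF is written as the Int32 value -1 (same bit pattern).
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key = $hklm.CreateSubKey("$ciphersRoot\$Name")
    $value = 0
    if ($Enable) { $value = -1 }
    $key.SetValue('Enabled', [int]$value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Get-WeakSchannelCiphers([int]$MinimumBits) {
    # Ciphers whose key length is below the threshold and are not already disabled.
    Get-SchannelCipherState | Where-Object { $_.Bits -lt $MinimumBits -and $_.Enabled -ne 'disabled' }
}

# --- usage ---------------------------------------------------------------
# 1. Audit the current state.
Get-SchannelCipherState | Sort-Object Bits | Format-Table Cipher, Bits, Enabled -AutoSize

# 2. Show what would be disabled for a 168 bit minimum (dry run, no writes).
$weak = Get-WeakSchannelCiphers -MinimumBits 168
$weak | ForEach-Object { Write-Host ("Would disable: {0} ({1} bits)" -f $_.Cipher, $_.Bits) }

# 3. To apply, uncomment the next line. Because these switches are global to
#    SChannel, disabling a cipher here removes it for inbound AND outbound TLS
#    on this host; a reboot is required before SChannel picks up the change.
# $weak | ForEach-Object { Set-SchannelCipher -Name $_.Cipher -Enable $false }
```

The dry run in step 2 is the part worth keeping in a change ticket: it lists exactly which registry switches a given minimum would flip, so the outbound side effect the post describes (the service applications losing 128 bit ciphers along with IIS) is visible before anything is written.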