Disabling weak ciphers on Windows 2003
- by Kev
For PCI-DSS compliance you have to disable weak ciphers. PCI-DSS permits a minimum cipher size of 128 bits.
However for the highest score (0 I believe) you should only accept 168 bit ciphers but you can still be compliant if you permit 128 bit ciphers.
The trouble is that when we disable all but 168-bit encryption it seems to disable both inbound and outbound secure channels.
For example, we'd like to lock down inbound IIS HTTPS to 168-bit ciphers but permit outbound 128-bit SSL connections to payment gateways/services from service applications running on the server (not all payment gateways support 168-bit only, as we just found out today).
Is it possible to have cipher asymmetry on Windows 2003? I am told it is all or nothing.
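An added audit script, not from the original post, that reads the machine-wide Schannel cipher keys (the KB245030 registry location, `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers`) and flags any cipher under the 128-bit PCI floor that is still enabled. Those keys apply to every Schannel consumer on the box, server and client side alike, which matches the behaviour described above; assumes PowerShell 2.0 or later and the bit-length parse of the key name is my own heuristic.

```powershell
# Added example (not from the original post). Reads Schannel cipher state from the
# registry keys documented in KB245030. A missing "Enabled" value means the
# Schannel default (cipher enabled); 0 means disabled; 0xffffffff means enabled.
$SchannelCiphers = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$MinBits = 128   # PCI-DSS minimum cipher size referred to in the post

function Get-SchannelCipherState {
    param([string]$Path = $SchannelCiphers, [int]$MinimumBits = $MinBits)

    if (-not (Test-Path $Path)) {
        Write-Warning "No Ciphers key found at $Path (all ciphers at Schannel defaults)"
        return @()
    }

    Get-ChildItem -Path $Path | ForEach-Object {
        $name = $_.PSChildName                       # e.g. "RC4 128/128", "Triple DES 168", "NULL"
        $prop = Get-ItemProperty -Path $_.PSPath -Name Enabled -ErrorAction SilentlyContinue
        $state = if ($null -eq $prop) { 'default (enabled)' }
                 elseif ($prop.Enabled -eq 0) { 'disabled' }
                 else { 'enabled' }

        # Heuristic: the first number in the key name is the effective key length
        # ("RC4 56/128" -> 56, "Triple DES 168" -> 168, "NULL" -> 0).
        $bits = if ($name -match '(\d+)') { [int]$matches[1] } else { 0 }

        New-Object PSObject -Property @{
            Cipher = $name
            Bits   = $bits
            State  = $state
            Weak   = ($bits -lt $MinimumBits -and $state -ne 'disabled')
        }
    }
}

# Report: anything marked Weak is below the PCI floor and still usable by
# every Schannel client and server on this machine (IIS, WinHTTP, WinINet ...).
Get-SchannelCipherState |
    Sort-Object Bits |
    Format-Table Cipher, Bits, State, Weak -AutoSize
```

Run it before and after changing cipher settings to confirm what is actually in effect; because the keys are global, a cipher disabled here is gone for outbound connections too.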