
I have several IIS servers in house. This includes IIS 6 and 7.x. When I have my external PCI scans run, I'm still receiving alerts for having the weak protocol DES-CBC-SHA enabled.

I have the following registry keys set to disable weak protocols. My understanding was that shutting this protocol off was included under the DES entry on the top line.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Ciphers/DES 56/56:  Enabled=0
Ciphers/RC2 40/128: Enabled=0
Ciphers/RC4 40/128: Enabled=0
Protocols/SSL 2.0/Server: Enabled=0
Protocols/PCT 1.0/Server: Enabled=0

My report indicates that this protocol is enabled for both TLSv1 and SSLv3.

What if anything am I missing in my settings that would make this display? How can I diagnose this internally to verify the scan is accurate?

Tim Brigham

1 Answer


Assuming IIS 7.x, the settings you're looking for are located here: Start > gpedit.msc > Computer Configuration > Admin Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order

To set the order in such a way as to eliminate your issues, check my answer here: How to fix SSL 2.0 and BEAST on IIS

Also, though I doubt it's as comprehensive as your PCI compliance scans, you can check your setup at Qualys SSL Labs Server Test as an indicator of how you're progressing with the fix.

Unfortunately these settings are baked in for IIS 6.0 with no solution available.

Josh
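The question asks how to verify the scan result from inside the box, and the answer points at the SSL Cipher Suite Order policy. The script below is an added example, not code posted by either Tim Brigham or Josh: run in an elevated PowerShell on the IIS host, it reads the SCHANNEL Ciphers and Protocols keys listed in the question and then the cipher suite order that the gpedit policy writes, flagging any suite a PCI scanner would report as weak. The registry paths are the standard Windows locations; the list of weak-suite name patterns and the extra cipher key names beyond those in the question are this example's own choices and are marked as such in the comments.

```powershell
# Added audit example (not from the original question or answer).
# Reads the local SCHANNEL configuration and the SSL cipher suite order
# so the PCI finding can be checked on the server itself.

$schannelRel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher key names from the question plus other single-DES / RC2 / RC4 / NULL
# key names Windows uses (the extra names are this example's assumption).
$weakCipherKeys = 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                  'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'NULL'

function Get-SchannelEnabled {
    param([string]$SubPath)
    # The .NET registry API is used on purpose: the PowerShell registry
    # provider treats the "/" in names like "DES 56/56" as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannelRel\$SubPath")
    if ($null -eq $key) { return 'not set (default)' }   # absent key = OS default
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'not set (default)' }
        if ($v -eq 0)     { return 'disabled' }
        return 'enabled'
    } finally { $key.Close() }
}

Write-Host '== SCHANNEL\Ciphers =='
foreach ($c in $weakCipherKeys) {
    '{0,-14} {1}' -f $c, (Get-SchannelEnabled "Ciphers\$c")
}

Write-Host "`n== SCHANNEL\Protocols (Server side) =="
foreach ($p in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    '{0,-14} {1}' -f $p, (Get-SchannelEnabled "Protocols\$p\Server")
}

# The "SSL Cipher Suite Order" policy from the answer stores a comma-separated
# REG_SZ named Functions under the Policies key. Without a policy, the OS
# default order is a REG_MULTI_SZ named Functions under the Local key.
$policyRel  = 'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$defaultRel = 'SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-CipherSuiteOrder {
    foreach ($entry in @(@{ Source = 'group policy'; Rel = $policyRel },
                         @{ Source = 'OS default';   Rel = $defaultRel })) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($entry.Rel)
        if ($null -eq $key) { continue }
        try { $f = $key.GetValue('Functions') } finally { $key.Close() }
        if ($null -eq $f) { continue }
        # REG_SZ comes back as one string, REG_MULTI_SZ as string[].
        $suites = if ($f -is [string]) { $f -split ',' } else { $f }
        return @{ Source = $entry.Source; Suites = @($suites | ForEach-Object { $_.Trim() }) }
    }
    return @{ Source = 'none found'; Suites = @() }
}

# Suite-name fragments a PCI scan reports as weak: single DES (but not 3DES,
# whose name is _3DES_), RC2, RC4, export grades, NULL encryption, MD5 MACs.
# This pattern is the example's own choice, not a Microsoft-defined list.
$weakPattern = '_DES_|RC2|RC4|EXPORT|NULL|_MD5'

$order = Get-CipherSuiteOrder
Write-Host "`n== Cipher suite order (source: $($order.Source)) =="
foreach ($s in $order.Suites) {
    if ($s -match $weakPattern) { "WEAK  $s" } else { "      $s" }
}
```

If the DES 56/56 key reads "disabled" but TLS_RSA_WITH_DES_CBC_SHA still appears in the effective suite order, that is the mismatch the scanner is seeing, and the suite order policy from the answer is where to remove it. To confirm what the server actually negotiates, from another machine run `openssl s_client -connect <host>:443 -cipher DES-CBC-SHA`; a completed handshake means the suite is still offered, a handshake failure means the fix took effect.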