Ask Learn
Preview
Please sign in to use this experience.
Sign inNote
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
3 steps:
1. Install the fix https://support.microsoft.com/kb/948963 which will install the cipher sutes AES 128 and AES 256.
2. The order of cipher suites on Windows 2003 is hard-coded. AES 128 is the highest priority. AES 256 is the next. We only need to disable AES 128 then AES 256 will have the highest priority.
a. Open regedit.exe on IIS 6.0 machine.
b. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers. You should be able to find there are many subkeys, e.g. AES 128/128.
c. In subkey AES 128/128, create a DWORD value “Enabled”. Set it as the value 0. It means we would disable AES 128.
3. Reboot the IIS 6.0 machine.
On Vista/Windows7 which support AES 256 machine, you can use IE to browse that IIS 6.0 web site through HTTPS. The SSL uses 256 bit encryption.
Regards,
Xin Jin
- Anonymous
August 24, 2010
Thanks this article was very helpful to me. There a number of comments on various sites that claim 256 bit encryption is not supported on windows 2003 (although this was the case initially). This page provides the most up to date information. - Anonymous
March 22, 2011
Hi Xin Jin,Thanks your article. It is very helpful to me. I also want to ask you about how to disable cipherTLS_RSA_EXPORT1024_WITH_DES_CBC_SHATLS_RSA_EXPORT1024_WITH_RC4_56_SHATLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5TLS_RSA_EXPORT_WITH_RC4_40_MD5TLS_RSA_WITH_DES_CBC_SHATLS_RSA_WITH_RC4_128_MD5TLS_RSA_WITH_RC4_128_SHAThanks,Don - Anonymous
April 03, 2011
Don you may check this article:245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dllsupport.microsoft.com/default.aspx - Anonymous
April 20, 2011
After installing KB980436 it is not possible to install this hotfix. :(