SSL Warnings in Security Scans
I am scanning my Microsoft servers with Tenable's Nessus Security Scanner. All servers involved are Windows 2003 R2, fully patched using WSUS. In a large number of instances I see warnings about HTTP and/or HTTPS. These warnings are about weak or medium-strength SSL ciphers. I found the tech note about going into the Web site properties in IIS, going to the Directory Security tab and checking "Require secure channel" and "Require 128-bit encryption". What I have seen this do is simply require the use of HTTPS to access the server. Not a complete solution, or even usable in some cases. I rescan and yes, the vulnerability on HTTP is no longer seen, but HTTPS is still using the weak or medium ciphers. The other issue is that in a couple of cases the system is supporting V2 and in one case V1. Need to eliminate this too. I did find a tech article about a registry hack to define which versions are allowed, but it seemed to have no effect when I rescanned the system in question. Any help would be greatly appreciated.
February 4th, 2010 7:53pm

Hi, if I understand correctly, you are trying to configure the server to use the strongest cryptographic algorithms? You can refer to the method in the following KB article: How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll http://support.microsoft.com/kb/245030 Hope the information is helpful.
This posting is provided "AS IS" with no warranties, and confers no rights.
February 5th, 2010 12:20pm

Hi, how are you? I want to check if the suggestion has helped. If you need any further assistance, please do not hesitate to let me know. Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
February 10th, 2010 11:32am

The notify feature is not working correctly. I stopped by out of curiosity today and found your post. Never got notified it was here. Will work with it tomorrow. Thanks much for the suggestion and I'll get back to you in a couple days.
February 16th, 2010 1:07am

I had seen the part on the server and clients under Protocols, but the Ciphers section was actually the key. I've done the process to 2 of the servers with the problem clearing up so I'm fairly confident it will work on the others. Really appreciate the help as I've been pulling my hair out on this one for a number of weeks.
February 23rd, 2010 12:21am
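The fix the thread settles on is the Schannel registry configuration from KB 245030: the Protocols keys (SSL 2.0, PCT 1.0) control which protocol versions the server offers, and the Ciphers keys control the 40-, 56- and 64-bit suites that Nessus flags as weak or medium. The following read-only audit script is an added example, not code from the thread or from the KB article; it assumes PowerShell is installed on the Windows 2003 host being checked and reports which of those settings are still enabled.

```powershell
# Added example: audit the Schannel registry keys described in KB 245030 and
# report which weak protocols and ciphers are still enabled on this host.
# Assumes PowerShell is available on the server and runs in an elevated shell.
# Schannel reads these keys only at boot, so a Nessus rescan taken before the
# server is rebooted still shows the old ciphers, even with the keys in place.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys whose "Enabled" DWORD should be 0 after hardening. Protocol keys
# have Server/Client subkeys; cipher keys are flat. Key names as used by
# Schannel on Windows 2003 (note the literal "/" in the cipher names).
$WeakSettings = @(
    'Protocols\PCT 1.0\Server',
    'Protocols\SSL 2.0\Server',
    'Ciphers\NULL',
    'Ciphers\RC2 40/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128',
    'Ciphers\DES 56/56'
)

function Get-SchannelWeakSettings {
    foreach ($Sub in $WeakSettings) {
        # Use the .NET registry API rather than HKLM:\ paths, because the
        # PowerShell registry provider mistreats the "/" in cipher key names.
        $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$Sub")
        if ($null -eq $Key) {
            # A missing key means the Schannel default applies, i.e. enabled.
            $State = 'enabled (default, key missing)'
        } else {
            $Enabled = $Key.GetValue('Enabled')
            $Key.Close()
            if ($null -eq $Enabled) { $State = 'enabled (default, value missing)' }
            elseif ($Enabled -eq 0) { $State = 'disabled' }
            else { $State = 'enabled (0x{0:X8})' -f $Enabled }
        }
        New-Object PSObject -Property @{ Setting = $Sub; State = $State }
    }
}

Get-SchannelWeakSettings | Sort-Object Setting | Format-Table Setting, State -AutoSize
```

Any row other than "disabled" is a setting the scanner will keep reporting; set that key's Enabled DWORD to 0 per KB 245030 and reboot before rescanning.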

Glad that it helps. Have a nice day.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
February 23rd, 2010 4:27am
