Nessus Output
Description
The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 56 bits and less than 112 bits, or else that uses the 3DES encryption suite. Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
Solution
Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Use IIS Crypto
IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.
Solutions
- Ensure NULL Cipher Suites is disabled (Scored)
- Ensure DES Cipher Suites is disabled (Scored)
- Ensure RC2 Cipher Suites is disabled (Scored)
- Ensure RC4 Cipher Suites is disabled (Scored)
- Ensure Triple DES Cipher Suite is configured (Not Scored)
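The checklist above can also be verified without a GUI tool. The following is an added example (not from the original page and not IIS Crypto's code) that reads the Schannel `Ciphers` registry subkeys for the listed ciphers and can optionally set `Enabled = 0`. The subkey names are taken from Microsoft's Schannel documentation, while the function names `Get-SchannelCipherState` and `Disable-SchannelCipher` are hypothetical.

```powershell
# Added example: audit (and optionally disable) the Schannel ciphers listed above.
# Subkey names follow Microsoft's Schannel documentation; Enabled = 0 disables a cipher.
$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$WeakCiphers = @(
    'NULL',
    'DES 56/56',
    'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
    'Triple DES 168'   # CIS item is "Not Scored", but Nessus counts 3DES as medium strength
)

function Get-SchannelCipherState {
    param([string[]]$Cipher = $WeakCiphers)
    foreach ($name in $Cipher) {
        # Use the .NET registry API: the PowerShell registry provider treats the "/"
        # in names such as "RC4 128/128" as a path separator.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CiphersPath\$name")
        $enabled = $null
        if ($key) { $enabled = $key.GetValue('Enabled'); $key.Close() }

        $state = 'Enabled'
        if ($null -eq $enabled) { $state = 'Not configured (OS default applies)' }
        if ($enabled -eq 0)     { $state = 'Disabled' }
        [pscustomobject]@{ Cipher = $name; Enabled = $enabled; State = $state }
    }
}

function Disable-SchannelCipher {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Cipher)
    foreach ($name in $Cipher) {
        if ($PSCmdlet.ShouldProcess("SCHANNEL\Ciphers\$name", 'Set Enabled = 0')) {
            # CreateSubKey opens the key if it already exists, so this is idempotent.
            $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$CiphersPath\$name")
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.Close()
        }
    }
}

# Read-only report of the current state.
Get-SchannelCipherState | Format-Table -AutoSize

# Remediation requires an elevated prompt and a restart; preview the change first:
# Disable-SchannelCipher -Cipher $WeakCiphers -WhatIf
```

A cipher reported as "Not configured" falls back to the default of the installed Windows version, so it should be treated as unverified rather than as disabled, and the Nessus scan re-run after the restart.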
References
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
- SHA512 is disabled in Windows when you use TLS 1.2
- "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting effects in Windows XP and in later versions of Windows
- Default cipher suites for all Windows Server versions
- Update adds new TLS cipher suites and changes cipher suite priorities in Windows 8.1 and Windows Server 2012 R2
- Testing for SSL-TLS (OWASP-CM-001)
- Supported Cipher Suites and Protocols in the Schannel SSP
- Cipher Suites in TLS/SSL (Schannel SSP)