Best practice for systems running IIS, part of Hardening IIS:
Manual verification
Ensure the following key do not exist or is set to 0xFFFFFFFF:
REG QUERY "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v "Enabled" |
Implement Recommended Configuration
Set Registry key
REG ADD "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f /v "Enabled" /t REG_DWORD /d 0xFFFFFFFF |
Use IIS Crypto
IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.
Nessus audit file check
<custom_item> type : REGISTRY_SETTING description: "IIS800041:Disable Weak Cipher Suites - 'HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168\Enabled = ffffffff':IIS8" value_type : POLICY_DWORD reg_key : "HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" reg_item : "Enabled" value_data : 4294967295 reg_option : CAN_BE_NULL </custom_item> |