10:00 AM
El DiPablo
I've written a number of posts on making your servers PCI compliant. It's one of the many duties I'm tasked with at my day job. The hardest part in my opinion is getting your SSL certificates squared away.
In Windows 2003 you had to manually edit the registry to disable ciphers and protocals. In Windows 2008 and above you have to set a local security policy to modify the cipher suite order. It's all a bit of a pain.
Well I found a free tool that lets you make the necessary changes with the click of a button. It's called IIS Crypto! From their page:
IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS and mitigate the BEAST attack.Here is a screen shot:
I originally found this tool because I was looking to see if there was a way to avoid restricting all ciphers to 128 bit RC4 on Windows 2003. I was hoping this tool would allow me to change the cipher order, but sadly it just isn't supported in Server 2003, so restricting all ciphers to 128 bit RC4 is still the only way to mitigate against The BEAST.
In Windows Server 2008 R2 at least it makes changing the SSL Cipher Suite order super easy.
All-in-all it's still a great tool for making your servers compliant, and more secure.
