SSL/TLS Cipher Priority
I am working on trying to make sense of what is required for both PCI DSS compliance as well as FIPS compliance in relation to SSL/TLS cipher suites. I have been reading the guide here and here. However, I have not been able to find anything that states what order or priority I should list the ciphers in. I can see which ones I need to use and disable, but I assume that there is a priority that should be followed for them as well. This is primarily for Windows servers and then later I would look at performing the same to Linux servers running Apache.
It depends on the version of Windows/IIS. In 2003 (IIS 6) and earlier, this can't be done. You can only enable/disable ciphers. In Windows 2008 (IIS 7) and later, you can do this through a GPO (if you're domain joined, and I'm guessing this server isn't if it's PCI compliant).
More info here: http://technet.microsoft.com/en-us/library/cc766285(v=ws.10).aspx
Why would you assume that there's a priority needed?
No compliance standard that I've ever heard of has recommended a specific priority; after all, if a cipher's insecure, it should be turned off instead of just de-prioritized.
That said, preferring RC4 over CBC-constructed ciphers might be wise until TLS 1.1 is widely deployed; see CVE-2011-3389.