IIS 6.0 mitigating BEAST

Recently, my PCI assessor informed me that my servers are vulnerable to BEAST and failed me. I did my homework and I want to change our webservers to prefer RC4 ciphers over CBC. I followed every guide I could find...

I changed my reg keys for my weaker-than-128-bit encryption to Enabled = 0, then completely removed the reg keys for the weaker encryptions. I downloaded IISCrypto and unchecked everything but the RC4 128 ciphers and Triple DES 168.

My webserver still prefers AES-256SHA. Is there a trick in IIS 6.0 to get your webservers to prefer RC4 ciphers that I am not figuring out? It seems like in IIS 7 they made this very easy to fix but that doesn't help me now!


MSDN article on BEAST mitigation

From the link above:

NOTE: Unfortunately the above solution doesn't apply to Windows Server 2003/Windows XP; the cipher suite priority is hard coded. On Windows Server 2003, they will probably have to disable the CBC based ciphers; however, this might cause incompatibility with clients trying to connect to these servers.

Also worth noting: if SSL is only being used for something other than a website (email client, VPN, etc.), it is not vulnerable to BEAST attacks. The client must be connecting with a browser.

MS12-006 implemented a method of mitigating BEAST for XP/2003 machines, but some client applications may have issues. See this MSDN article for details.
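To check what the registry edits from the question actually left enabled, here is an added PowerShell example (not from the question, the answer, or Microsoft) that reads the SCHANNEL cipher keys through the .NET registry API, since the PowerShell registry provider cannot open subkey names containing "/" such as "RC4 128/128", and flags CBC-mode ciphers that are still on. It assumes PowerShell is installed on the host and runs in an elevated session; the key path and value names are the standard SCHANNEL ones.

```powershell
# Added example, not from the question or answer. Audits the SCHANNEL cipher
# keys the asker edited and flags CBC-mode ciphers still enabled. On Windows
# Server 2003 the cipher suite order is hard-coded, so this checks enablement only.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Subkey names as SCHANNEL spells them; Cbc marks block ciphers run in CBC mode.
$ciphers = @(
    @{ Name = 'RC4 128/128';    Cbc = $false },
    @{ Name = 'RC4 40/128';     Cbc = $false },
    @{ Name = 'Triple DES 168'; Cbc = $true  },
    @{ Name = 'AES 128/128';    Cbc = $true  },
    @{ Name = 'AES 256/256';    Cbc = $true  },
    @{ Name = 'DES 56/56';      Cbc = $true  }
)

# Use the .NET registry API: the PowerShell registry provider treats the "/"
# in names such as "RC4 128/128" as a path separator and cannot open them.
function Get-SchannelCipherState {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($c in $ciphers) {
        $enabled = $null
        $key = $hklm.OpenSubKey("$base\$($c.Name)")
        if ($key) { $enabled = $key.GetValue('Enabled'); $key.Close() }
        # No key or no Enabled value means SCHANNEL falls back to its built-in
        # default, which is why deleting a key does not switch a cipher off.
        $state = if ($null -eq $enabled) { 'default' }
                 elseif ($enabled -eq 0) { 'disabled' }
                 else { 'enabled' }
        $mode = if ($c.Cbc) { 'CBC' } else { 'stream' }
        New-Object PSObject -Property @{
            Cipher    = $c.Name
            Mode      = $mode
            State     = $state
            BeastRisk = ($c.Cbc -and ($state -ne 'disabled'))
        }
    }
}

# Explicitly disable one cipher (Enabled = 0 as a DWORD); SCHANNEL only reads
# these keys at boot, so a reboot is required before the change takes effect.
function Disable-SchannelCipher([string]$Name) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$base\$Name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

Get-SchannelCipherState | Select-Object Cipher, Mode, State, BeastRisk | Format-Table -AutoSize
```

Any row showing BeastRisk = True is a CBC cipher the server will still negotiate; on Server 2003 the only registry-level mitigation is to set it to disabled with Disable-SchannelCipher and reboot, accepting the client-compatibility cost the answer describes.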