IIS 6.0 mitigating BEAST

ssl iis-6

Recently, my PCI assessor informed me that my servers are vulnerable to BEAST and failed me. I did my homework and I want to change our webservers to prefer RC4 ciphers over CBC. I followed every guide I could find...

I changed my reg keys for my weaker than 128bit encryption to Enabled = 0. completely removed the reg keys for the weaker encryptions. I downloaded IISCrypto and unchecked everything but RC4 128 ciphers and triple DES 168.

My webserver still prefers AES-256SHA. Is there a trick in IIS 6.0 to get your webservers to prefer RC4 ciphers that I am not figuring out? It seems like in IIS 7 they made this very easy to fix but that doesn't help me now!


MSDN article on BEAST mitigation

From the link above:

NOTE: Unfortunately the above solution doesn’t apply to Windows Server 2003/Windows XP, the cipher suites prority is hard coded. On Windows Server 2003, they will probably have to disable the CBC based ciphers; however this might cause incompatibility with clients trying to connect to these servers.

Also worth noting: if the SSL is only being used on something other than a website (email client, vpn, etc) it is not vulnerable to BEAST attacks. The client must be connecting with a browser.

MS12-006 implemented a method of mitigating BEAST for XP/2003 machines, but some client applications may have issues. See this MSDN article for details.

Related

Web Server Routing Based On Location
Procurve Primary VLAN
Linux tc Traffic Shaping for IPv6
mount.ocfs2: Transport endpoint is not connected while mounting...?
"Fail back" behavior of the Active Directory KCC when using redundant higher cost site links to a DR site
Should a connection pooler be run on my database server or my app server?
Redis reload configuration changes without restarting service
How to configure rudder-agent?
Ubuntu to list relevant security advisories
How can I configure openvpn to proxy traffic only for processes that bind to the tun interface?
How can I allow the user "postgres" on one server to rsync to another?
How to tell a Performance Monitor Data Collector Set to regularly generate Reports?