If you have been reading the blog lately you know I've been making configuration settings on my web servers to make my SSL implementation PCI compliant. I even made a video about it on my weekly video podcast Tech Chop. The thing is I didn't have any Windows 2008 R2 web servers in my environment, but I will pretty soon. That means I had to figure out how to basically set the same things in Windows 2008 R2.
In Windows 2003, disabling all weak ciphers, and in practice every cipher except RC4 in order to mitigate the BEAST attack, meant editing the SCHANNEL registry keys. BEAST exploits the predictable CBC initialization vectors in SSL 3.0 and TLS 1.0, so any CBC-mode suite offered under those protocols is exposed; RC4 is a stream cipher with no CBC chaining, which is why it is not affected. In Windows 2008 R2, the supported way to restrict the suites is the SSL Cipher Suite Order group policy setting, which lets you whitelist exactly which cipher suites Schannel may negotiate. For this post, I'll just make a local group policy.
- Press Win + R, type gpedit.msc and click OK
- Navigate to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
- Open SSL Cipher Suite Order and select the Enabled radio button
- In the Cipher Suites box paste in TLS_RSA_WITH_RC4_128_SHA (if you ever list more than one suite, separate them with commas and no spaces, in preference order), then click OK
After that is set, reboot; Schannel only reads the cipher suite order at startup, so the change does not take effect until then. If you then run a scan using something like SSLTest, you will see that your server negotiates only RC4 128-bit encryption, which is not susceptible to the BEAST attack.
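The same policy can be applied and verified from the command line instead of clicking through gpedit.msc. The following is an added example written for this post, not the original author's script: it writes the registry value that the SSL Cipher Suite Order policy itself maps to, reads it back, and flags any CBC suite that would reintroduce BEAST exposure. It assumes an elevated PowerShell prompt on Windows Server 2008 R2; the policy key path and the Functions value name are the documented locations behind that policy setting, and the list of suites is the one from the steps above.

```powershell
# Added example: configure the "SSL Cipher Suite Order" policy directly in the
# registry and verify it. Assumes an elevated PowerShell prompt on Windows 2008 R2.
# This is the key the Group Policy editor writes when the policy is Enabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Suites Schannel will be allowed to negotiate, in preference order.
# The post uses a single RC4 suite; add others here if you need them.
$cipherSuites = @('TLS_RSA_WITH_RC4_128_SHA')

# Create the policy key if it does not exist yet.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# The value is a single REG_SZ: comma-separated, no spaces.
Set-ItemProperty -Path $policyKey -Name 'Functions' -Value ($cipherSuites -join ',') -Type String

# Read back what Schannel will see after the reboot.
$configured = (Get-ItemProperty -Path $policyKey -Name 'Functions').Functions
Write-Host "Configured cipher suite order: $configured"

# Sanity check: any CBC suite in the list is BEAST-susceptible under SSL 3.0 / TLS 1.0.
$cbcSuites = $configured.Split(',') | Where-Object { $_ -match 'CBC' }
if ($cbcSuites) {
    Write-Warning "CBC suites present (BEAST-susceptible on SSL 3/TLS 1.0): $($cbcSuites -join ', ')"
} else {
    Write-Host 'No CBC suites configured; only stream-cipher (RC4) suites will be offered.'
}

# The change is only read at startup. Uncomment to reboot immediately:
# Restart-Computer -Force
```

Because this writes the policy registry value rather than the SCHANNEL cipher keys, a domain Group Policy Object that sets SSL Cipher Suite Order will overwrite it on the next policy refresh; if the server is domain-joined, put the same list in the GPO instead of relying on the local value.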
True, you could simply disable every version of SSL and TLS except TLS 1.1 and TLS 1.2, but if you have users on browsers that don't support the newer TLS versions, like Firefox for example, then you will still want to be able to offer SSL 3 and TLS 1. By limiting the cipher used to only RC4, you can still be PCI compliant, and protected from the BEAST! Two caveats are worth keeping in mind: any client that cannot negotiate RC4 will fail the handshake outright, so test against the browsers you actually support before rolling this out; and RC4 has since been shown to have keystream biases of its own, and later revisions of PCI DSS require TLS 1.1 or higher, so treat an RC4-only configuration as a stopgap for legacy clients rather than a long-term setting.