How to restrict the use of certain ciphers in Internet Information Services 5.0 (241447)


The information in this article applies to:

  • Microsoft Internet Information Services 5.0
This article was previously published under Q241447
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

When you use Internet Information Services (IIS) 5.0, you may want to restrict the use of certain ciphers that are used in secure communications (such as SSL or TLS). For example, you may want to ensure that the Triple DES encryption algorithm (cipher) is not used because it requires more of the CPU's time than RC4 does.

MORE INFORMATION

To restrict the use of a cipher, perform the following steps:

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Ciphers

  3. Under this key, all the ciphers currently used by Schannel for secure communications are listed. Select the one you want to disable and expand the key.
  4. You should see a DWORD value under the key called "Enabled." Depending on the cipher you have selected, this value will either be set to "ffffffff" or "00000000" ("ffffffff" means enabled, "00000000" means disabled).

    Note Be sure that you change it to reflect a hexadecimal value (this should already be the setting).
  5. When you set this value, restart the Web services so the change can take affect. Open a command prompt (Cmd.exe) and run Iisreset.exe to restart the Web server and its dependant services. Note that your site (and those services restarting) will be unavailable until IISRESET completes.
Note Cipher Suite 1 and 2 are not supported in IIS 5.0.
Modification Type:MajorLast Reviewed:6/24/2004
Keywords:kbinfo KB241447
©2004 Microsoft Corporation. All rights reserved.