How to Restrict the Use of Certain Ciphers in Internet Information Services 5.0

ID: Q241447

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about obtaining support for a Beta release, please see the documentation included with the Beta product files, or check the Web location from which you downloaded the release.
The information in this article applies to:
  • Microsoft Internet Information Services version 5.0

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

SUMMARY

When you use Internet Information Services (IIS) 5.0, you may want to restrict the use of certain ciphers that are used in secure communications (such as SSL or TLS). For example, you may want to ensure that the Triple DES encryption algorithm (cipher) is not used because it requires more of the CPU's time than RC4 does.


MORE INFORMATION

To restrict the use of a cipher, perform the following steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

  1. Start Registry Editor (Regedt32.exe).


  2. Locate the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers


  3. Under this key, all the ciphers currently used by Schannel for secure communications are listed. Select the one you want to disable and expand the key.


  4. You should see a DWORD value named "Enabled" under the key. Depending on the cipher you have selected, this value will be set to either "ffffffff" or "000000f0" ("ffffffff" means enabled, "000000f0" means disabled).

    NOTE: When you change the value, be sure that it is entered as a hexadecimal value (this should already be the setting).


  5. After you set this value, restart the Web services so that the change can take effect. Open a command prompt (Cmd.exe) and run Iisreset.exe to restart the Web server and its dependent services. Note that your site (and the services being restarted) will be unavailable until IISRESET completes.
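
A check to run after step 5, added here as an example and not part of the original article: it parses a text (.reg) export of the Ciphers key and reports the state of each cipher's "Enabled" value, using the two values given in step 4. The sample export and its cipher subkey names are constructed for illustration, and the function names decode_reg and cipher_states are hypothetical.

```python
import re

# Key from step 2. Cipher subkey names contain "/", so split on "\" only.
CIPHERS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\SecurityProviders\SCHANNEL\Ciphers")
# Meanings of the "Enabled" DWORD exactly as the article states them.
STATES = {0xFFFFFFFF: "enabled", 0x000000F0: "disabled"}
ENABLED_RE = re.compile(r'"Enabled"=dword:([0-9a-f]{8})', re.IGNORECASE)

def decode_reg(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16 with a BOM; REGEDIT4 exports are ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252")

def cipher_states(reg_text: str) -> dict:
    """Return {cipher subkey: (state, raw DWORD or None)} from a .reg export."""
    prefix = CIPHERS_KEY.lower() + "\\"
    states, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            name = key[len(prefix):] if key.lower().startswith(prefix) else ""
            # Only direct children of the Ciphers key are cipher entries.
            current = name if name and "\\" not in name else None
            if current:
                states[current] = ("missing", None)  # no "Enabled" seen yet
        elif current:
            m = ENABLED_RE.fullmatch(line)
            if m:
                value = int(m.group(1), 16)
                states[current] = (STATES.get(value, "other"), value)
    return states

# Constructed sample export; the subkey names are illustrative assumptions.
SAMPLE = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{CIPHERS_KEY}]\r\n\r\n"
    f'[{CIPHERS_KEY}\\RC4 128/128]\r\n"Enabled"=dword:ffffffff\r\n\r\n'
    f'[{CIPHERS_KEY}\\Triple DES 168/168]\r\n"Enabled"=dword:000000f0\r\n\r\n'
    f"[{CIPHERS_KEY}\\DES 56/56]\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for cipher, (state, value) in cipher_states(decode_reg(SAMPLE)).items():
        print(cipher, state, "-" if value is None else f"{value:08x}")
```

A cipher reported as "missing" has no "Enabled" value in the export, and "other" marks a value that is neither of the two the article describes; both are worth reviewing by hand.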


Version           : winnt:5.0
Platform          : winnt 
Issue type        : kbinfo 


Last Reviewed: September 17, 1999
© 1999 Microsoft Corporation. All rights reserved.