Cyber Security

IIS6 PCI Scan Fix: BEAST Cipher Suite

TL;DR

Your IIS6 server is failing a PCI scan due to the BEAST cipher suite being enabled. This guide shows you how to disable it quickly and securely.

Understanding the Problem

The BEAST (Browser Exploit Against SSL/TLS) attack exploits vulnerabilities in older TLS versions (specifically SSL 3.0 and TLS 1.0) when using RC4 cipher suites. PCI DSS requires you to disable these vulnerable protocols and ciphers.

Solution: Disable SSL 3.0, TLS 1.0 & Weak Ciphers

  1. Open IIS Manager: Launch Internet Information Services (IIS) Manager from the Control Panel or by typing ‘inetmgr’ in the Run dialog box (Windows key + R).
  2. Select Server Level: In the Connections pane on the left, click on your server name.
  3. Open SSL Settings: Double-click “SSL Settings” in the Features View.
  4. Disable SSL 3.0:
    • Uncheck the box next to “Allow SSL 3.0”.
  5. Disable TLS 1.0:
    • Uncheck the box next to “Allow TLS 1.0”.
  6. Configure Cipher Suites: Click on “Cipher Suites” in the Features View.
    • Remove any cipher suites that use RC4. Common RC4 ciphers include:
      • RC4_128
      • RC4_56
    • Ensure strong cipher suites are enabled, such as those using AES (Advanced Encryption Standard). A good starting point is to only allow the following:
      • TLS_AES_128_GCM_SHA256
      • TLS_AES_256_GCM_SHA384
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  7. Restart IIS: In the Actions pane on the right, click “Restart” to restart your web server, or run iisreset from an elevated command prompt. This is crucial for the changes to take effect.
  8. Verify Configuration (Optional): Use an online SSL checker tool (like SSL Labs) to confirm that SSL 3.0 and TLS 1.0 are disabled, and only strong cipher suites are enabled.
  9. Re-scan: Run your PCI scan again to verify the issue is resolved.
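
The procedure above, as an added PowerShell example that is not part of the original post: it applies the same changes (steps 4 to 6) by writing the SCHANNEL registry keys Windows consults when deciding which protocols and ciphers the server will negotiate, and includes a handshake check for step 8 that asks the server for one specific protocol version. Assumptions: the host has PowerShell and .NET available; `$Hostname` is a placeholder for the server being scanned; the `TLS_AES_*` names from step 6 are TLS 1.3 suites and only take effect on Windows versions that support TLS 1.3. SCHANNEL reads these keys at startup, so the server needs a reboot after they are written, not only the IIS restart in step 7.

```powershell
# Added example (not from the original post). Hardens SCHANNEL on the IIS host:
# disables SSL 3.0 and TLS 1.0 for incoming (server-side) connections, disables
# the RC4 ciphers, pins the cipher suite order from step 6, and offers a handshake
# check for step 8. Run from an elevated PowerShell prompt and reboot afterwards.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Disable-SchannelServerProtocol {
    # Sets Enabled=0 and DisabledByDefault=1 under Protocols\<name>\Server.
    # Only the Server key is touched; disabling the Client key as well would
    # also break outbound TLS connections the server itself makes.
    param([Parameter(Mandatory)][string]$Name)   # e.g. 'SSL 3.0', 'TLS 1.0'
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\Protocols\$Name\Server")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.SetValue('DisabledByDefault', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

function Disable-SchannelRc4 {
    # Cipher key names contain '/', which the PowerShell registry provider treats
    # as a path separator, so the .NET registry API is used directly.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelPath\Ciphers")
    foreach ($name in 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128') {
        $key = $ciphers.CreateSubKey($name)
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    $ciphers.Close()
}

function Set-CipherSuiteOrder {
    # Writes the policy-level cipher suite order (comma-separated, no spaces).
    # TLS_AES_* entries are TLS 1.3 suites and are only honoured where the OS
    # supports TLS 1.3; older versions simply ignore names they do not know.
    param([Parameter(Mandatory)][string[]]$Suites)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
    $key.SetValue('Functions', ($Suites -join ','), [Microsoft.Win32.RegistryValueKind]::String)
    $key.Close()
}

function Test-TlsProtocolAccepted {
    # Returns $true if the server completes a handshake restricted to $Protocol.
    # After the fix, Ssl3 and Tls should return $false and Tls12 $true. The machine
    # running the check must itself still allow the protocol client-side; if it
    # does not, the handshake fails locally and the $false result means nothing.
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
    try {
        # Certificate validation is skipped on purpose: the question is whether the
        # protocol is negotiated at all, not whether the certificate chain is trusted.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Hostname, $null, $Protocol, $false)
        return $true
    } catch {
        # AuthenticationException or IOException: the server refused this version
        return $false
    } finally {
        $client.Close()
    }
}

# --- apply the fix (steps 4 to 6) ---
Disable-SchannelServerProtocol -Name 'SSL 3.0'
Disable-SchannelServerProtocol -Name 'TLS 1.0'
Disable-SchannelRc4
Set-CipherSuiteOrder -Suites @(
    'TLS_AES_128_GCM_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)
Write-Host 'SCHANNEL settings written; reboot the server, then run the check below.'

# --- verify after the reboot (step 8) ---
$Hostname = 'www.example.com'   # placeholder: replace with the IIS host being scanned
foreach ($p in @([System.Security.Authentication.SslProtocols]::Ssl3,
                 [System.Security.Authentication.SslProtocols]::Tls,
                 [System.Security.Authentication.SslProtocols]::Tls12)) {
    $accepted = Test-TlsProtocolAccepted -Hostname $Hostname -Protocol $p
    Write-Host ('{0,-6} accepted: {1}' -f $p, $accepted)
}
```

The check complements an external scanner rather than replacing it: SSL Labs or the PCI scanner tests from outside the network, while this script confirms from an internal host that the registry change actually took effect after the reboot, which is the usual reason a re-scan still fails after the settings look correct.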

Important Considerations

  • Compatibility: Disabling SSL 3.0 and TLS 1.0 may cause compatibility issues with very old browsers or systems. Test thoroughly before making changes in a production environment.
  • Prioritize Security: Always prioritize security over compatibility when possible.
  • Regular Updates: Keep your IIS server updated with the latest security patches.