How to Disable Weak Ciphers in IIS 6

By Chris Hoffman

Microsoft's Internet Information Services 6, or IIS 6, Web server is included with professional and server editions of Windows XP and 2003. IIS supports encryption for securely transmitting Web pages and information over the Internet, including passwords, credit card numbers and other private data. IIS 6 supports weak ciphers for backward compatibility with outdated Web browsers, but supporting weak ciphers allows sensitive data to be transmitted in an insecure manner. Disabling the weak ciphers ensures Web browsers use strong encryption on your website.

Step 1

Open the Registry Editor by clicking "Start," clicking "Run," typing "Regedit" into the Run box and pressing "Enter."

Step 2

Navigate to the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\" key in the left pane of the Registry Editor by clicking the plus sign to the left of each key.

Step 3

Disable the "DES 56/56," "NULL," "RC2 40/128," "RC2 56/128," "RC4 40/128," "RC4 56/128" and "RC4 64/128" subkeys. For each subkey, click the key's name, right-click in the right pane of the Registry Editor, click "New," click "DWORD Value," type "Enabled," press "Enter," double-click the new "Enabled" value, type "0" into the "Value Data" box and click "OK."

Step 4

Restart the computer by clicking "Start," "Turn Off" and "Restart."
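
The same change as Steps 2 and 3, scripted and then read back for verification. This is an added example, not part of the original article; it assumes PowerShell 2.0 or later is installed on the server and the session runs as an administrator. It goes through the .NET registry API because PowerShell's own registry provider treats the "/" in names such as "RC4 40/128" as a path separator and would create nested keys instead.

```powershell
# Added example: sets Enabled=0 (DWORD) under each weak cipher subkey
# named in Step 3, then reads the values back.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$weakCiphers = @(
    'DES 56/56', 'NULL',
    'RC2 40/128', 'RC2 56/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128'
)

# CreateSubKey opens the key for writing and creates it if it is missing.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
try {
    foreach ($name in $weakCiphers) {
        # The .NET API keeps "/" as a literal character in the subkey name.
        $sub = $ciphers.CreateSubKey($name)
        try {
            $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        finally { $sub.Close() }
    }

    # Verification pass: a wrong value type or a missing subkey shows up here.
    $failed = 0
    foreach ($name in $weakCiphers) {
        $value = $null
        $kind  = $null
        $sub = $ciphers.OpenSubKey($name)
        if ($sub) {
            $value = $sub.GetValue('Enabled')
            if ($value -ne $null) { $kind = $sub.GetValueKind('Enabled') }
            $sub.Close()
        }
        if (($value -eq 0) -and ($kind -eq 'DWord')) {
            $status = 'disabled'
        } else {
            $status = 'NOT DISABLED'
            $failed++
        }
        Write-Output ('{0,-12} Enabled={1} ({2}) -> {3}' -f $name, $value, $kind, $status)
    }
}
finally { $ciphers.Close() }

if ($failed -eq 0) {
    Write-Output 'All listed ciphers are set to disabled. Restart the computer (Step 4).'
} else {
    Write-Output "$failed cipher subkey(s) need attention before restarting."
}
```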