We have a web server running IIS on Windows Server 2008 R2 x64. A PCI scan on the server failed because of the BEAST vulnerability. The recommended fix is to disable all block-based cipher suites or configure SSL to prefer RC4 ciphers over block-based ciphers. I want to tread carefully so that we still allow users of our web site to achieve secure connections.
First, I'm wondering if our system is already patched. I've seen lots of discussion about how Microsoft has addressed this in Security Bulletin MS12-006 and fixed this in KB2585542. I have confirmed that KB2585542 is installed on the server. So did the PCI scan maybe find a false positive, or is there still a vulnerability beyond what is fixed in the KB? I'm fairly certain that there's still a vulnerability because a separate scan from ssllabs.com also flags a BEAST vulnerability while other web sites are fine.
The way to change the cipher suite order seems to be using Group Policy > Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order. My questions are:
1) What is the best order to use?
2) How do I know which ones are block-based ciphers?
3) When I set the cipher suite order, if the list that I provide excludes any, does that mean that IIS will no longer support that cipher?
Assuming the answer to #3 is Yes:
4) How can I know what we risk by removing a cipher? For example, if I remove cipher XYZ, then Windows XP running IE6 will not be able to connect to the secure server.
5) By setting the cipher suite order to a specific list, am I preventing the server from supporting newer better cipher suites that become available in the future (e.g. when installing a service pack or upgrading to a newer OS)?
I appreciate your guidance through this. I have not had to administer cipher suites until now.
Cam
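A small helper for question 2 above, added here as an example and not part of the original post: it parses a cipher suite list in the comma-separated form the "SSL Cipher Suite Order" policy takes and groups the suites by bulk-cipher mode, so CBC (block-mode) suites can be told apart from RC4 (stream) and GCM (AEAD) ones, and it reports whether the list prefers a CBC suite first. The sample list and the function names are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample in the format of the SSL Cipher Suite Order policy value
# (comma-separated suite names, most preferred first). Names are illustrative.
SAMPLE_ORDER = (
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_RC4_128_SHA,"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_NULL_SHA"
)


def classify(suite: str) -> str:
    """Return the bulk-cipher mode encoded in a TLS cipher suite name."""
    name = suite.strip().upper()
    if "_CBC_" in name:
        return "cbc"      # block cipher in CBC mode; BEAST-relevant on SSL 3.0 / TLS 1.0
    if "_GCM_" in name or "_CCM" in name or "CHACHA20" in name:
        return "aead"     # authenticated encryption, TLS 1.2+ only
    if "_RC4_" in name:
        return "stream"   # RC4 stream cipher, not affected by BEAST
    if "_NULL_" in name:
        return "null"     # no encryption at all
    return "unknown"


def parse_order(value: str) -> List[str]:
    """Split the policy value into individual suite names, dropping blanks."""
    return [s.strip() for s in value.split(",") if s.strip()]


def audit(value: str) -> Dict[str, object]:
    """Group suites by mode and flag whether a CBC suite is preferred first."""
    suites = parse_order(value)
    groups: Dict[str, List[str]] = {"cbc": [], "stream": [], "aead": [], "other": []}
    for suite in suites:
        kind = classify(suite)
        groups[kind if kind in groups else "other"].append(suite)
    preferred: Optional[str] = classify(suites[0]) if suites else None
    first_cbc = next((i for i, s in enumerate(suites) if classify(s) == "cbc"), None)
    first_rc4 = next((i for i, s in enumerate(suites) if classify(s) == "stream"), None)
    rc4_before_cbc = (first_rc4 is not None and
                      (first_cbc is None or first_rc4 < first_cbc))
    return {"groups": groups, "preferred_mode": preferred,
            "rc4_before_cbc": rc4_before_cbc}


if __name__ == "__main__":
    print(audit(SAMPLE_ORDER))
```

On the sample list the report shows CBC preferred first with RC4 listed after it, which is the ordering the PCI guidance above objects to for TLS 1.0 clients.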