Our server failed the last PCI scan.   The description of the problem is below my questions.

Windows Server 2008

According to Qualys Security Labs one method to correct this to change the priority of the cipher suite, putting RC4 at the top of the list.

Is this information correct?

To change the order of the Cipher do I do this in group policy?

I believe I have to disable SSL2 also. (I think I did that but I will have to reboot and retest to verify)

Thanks

Mitigating the BEAST attack on TLS

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

This fixes the clients?

MS12-006: Vulnerability in SSL/TLS could allow information disclosure: January 10, 2012

Security Warning found on port/service "smtp (25/tcp)"

Security Warning found on port/service "https (443/tcp)"

Status
  Fail (This must be resolved for your device to be compliant).
 
    Plugin
   "SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability"

 
    Category
   "General "
 
 
    Priority
   "Medium Priority
 
    Synopsis
 
    It may be possible to obtain sensitive information from the remote host with SSL/TLS-enabled services.
 
 
    Description
     A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system.
TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable.
OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized.
Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHAN
NEL\SendExtraRecord.
Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not, depending on whether or not a countermeasure has been enabled.
Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits the vulnerability at client-side, and both SSL/TLS clients and servers can independently employ the split record countermeasure.

ee also:
 
 http://www.openssl.org/~bodo/tls-cbc.txt
 
 
 http://vnhacker.blogspot.com/2011/09/beast.html
 
 http://technet.microsoft.com/en-us/security/bulletin/ms12-006
 
 http://support.microsoft.com/kb/2643584
 
 http://blogs.msdn.com/b/kaushal/archive/2012/01/21/fixing-the-
 
 
 
    Risk factor
    Medium / CVSS Base Score : 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N) CVSS Temporal Score : 3.6 (CVSS2#E:F/RL:OF/RC:C) Public Exploit Available : true
 
 
 
 
 Plugin
output
      Negotiated cipher suite: AES128-SHA|TLSv1|Kx=RSA|Au=RSA|Enc=AES(128)|Mac=SHA1
 
 
     CVE:
 
  CVE-2011-3389
 
 Addition Information
  
  
 
 
 
 
 
 
 
 
 
    Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Note that additional configuration may be required after the  installation of the MS12-006 security update in order to enable the split-record countermeasure.

 
     See also:
 
 http://support.microsoft.com/kb/2643584
 
 
 for
 
 details.