1. Install the fix http://support.microsoft.com/kb/948963 which will install the cipher sutes AES 128 and AES 256.
2. The order of cipher suites on Windows 2003 is hard-coded. AES 128 is the highest priority. AES 256 is the next. We only need to disable AES 128 then AES 256 will have the highest priority.
a. Open regedit.exe on IIS 6.0 machine.
b. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers. You should be able to find there are many subkeys, e.g. AES 128/128.
c. In subkey AES 128/128, create a DWORD value “Enabled”. Set it as the value 0. It means we would disable AES 128.
3. Reboot the IIS 6.0 machine.
On Vista/Windows7 which support AES 256 machine, you can use IE to browse that IIS 6.0 web site through HTTPS. The SSL uses 256 bit encryption.
Thanks this article was very helpful to me. There a number of comments on various sites that claim 256 bit encryption is not supported on windows 2003 (although this was the case initially). This page provides the most up to date information.
Hi Xin Jin,
Thanks your article. It is very helpful to me. I also want to ask you about how to disable cipher
Don you may check this article:
245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
After installing KB980436 it is not possible to install this hotfix. :(