DOCUMENT:Q164036 06-MAY-1999 [iis] TITLE :How To Force 128-Bit SSL Connections With IIS 3.0 PRODUCT :Internet Information Server PROD/VER:winnt:3.0 OPER/SYS: KEYWORDS:kbsetup ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Server 3.0 ------------------------------------------------------------------------------- IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe. SUMMARY ======= Internet Information Server 3.0 has the capability to force a 128-bit SSL connection and reject browsers that attempt to negotiate at a lower encryption level. This feature maximizes the security on connection between the client and server by forcing the highest possible encryption level. This feature is undocumented and unsupported at this time. This feature has not been regression tested; usage in a production environment may cause unpredictable results. MORE INFORMATION ================ The US or Canada version of Schannel.dll must be present on the IIS computer for this feature to work. This DLL is included in the US and Canada versions of Service Pack 2 for Windows NT 4.0. For reference, the version of the DLL should be 4.72.1429.1 or higher. The description should be "US/Canada Only, Not for Export." WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. The following two registry entries will reject any Web browser that does not support 128-bit SSL: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Ciphers\NULL 0/128 Change the value for ENABLED to 0 (HEX) Default Value: 30 (HEX) NOTE: This registry entry will default to 0 in Service Pack 3 for Windows NT. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Ciphers\RC4 40/128 Change the value for ENABLED to 10000 (HEX) Default Value: ffffffff (HEX) After you make the above changes on the IIS computer, the computer MUST be restarted to reinitialize Schannel.dll. The server will now reject any non- 128-bit clients at the beginning of the SSL negotiation. The browser will simply display an error message equivalent to "Connection refused" or "Error in security library." The messages will vary because the connection is dropped suddenly during the negotiation phase. ====================================================================== Keywords : kbsetup Technology : kbiisSearch kbiis300 Version : winnt:3.0 Issue type : kbhowto ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 1999.