
Disabled ciphers with IISCrypto still show up on SSLLabs Scan

Question asked by Ricky Hites on Jan 31, 2018
Latest reply on Feb 14, 2018 by Rob Moss

I'm running IIS on 2008 R2, 2012 R2, and 2016 servers. We're currently using a GPO to remove weak ciphers and put them in the optimal order. We receive an A when scanning our sites; however, today I noticed that it's still showing that we're using ciphers that I have definitely removed, either by the GPO or manually with the IIS Crypto tool. For some reason, SSLLabs still shows them and marks them as weak.


As an example, I removed all the TLS_RSA ciphers and am only using TLS_ECDHE ciphers, which should all be strong, I believe. The TLS_RSA ciphers still show up in my scan. I've seen a few other posts where users reference a Registry edit. Is that what I'm missing? And if so, what is the point of using the IIS Crypto tool and/or a GPO to configure cipher preference/order if you aren't actually removing the weak ciphers in the process? I guess I'm just not seeing the connection. Any information will be greatly appreciated.
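A check that helps separate "what the GPO or IIS Crypto wrote" from "what Schannel will actually negotiate" is to read both cipher-suite-order locations and, on Server 2016, the TLS module's own view, then flag any TLS_RSA_* suites that remain. This is an added example, not code from the original post; it assumes the standard Schannel registry locations (the policy key written by the "SSL Cipher Suite Order" GPO and the local key that IIS Crypto edits) and must be run in an elevated PowerShell session on the server itself.

```powershell
# Added example (not from the original post): show the cipher suite order a Windows
# server is configured with and flag any TLS_RSA_* suites that are still enabled.
# Assumes the standard Schannel locations; run elevated on the server being scanned.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-ConfiguredSuites {
    # The GPO stores the order as a single comma-separated REG_SZ and takes precedence;
    # the local key (what IIS Crypto edits) stores it as a REG_MULTI_SZ.
    $gpo = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($gpo) {
        $list = ($gpo.Functions -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        return [pscustomobject]@{ Source = 'GPO policy key'; Suites = @($list) }
    }
    $local = Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue
    if ($local) {
        return [pscustomobject]@{ Source = 'Local key'; Suites = @($local.Functions) }
    }
    # Neither key present: Schannel falls back to the OS default list.
    [pscustomobject]@{ Source = 'OS defaults (no override)'; Suites = @() }
}

$cfg = Get-ConfiguredSuites
Write-Host "Cipher suite order source: $($cfg.Source) ($($cfg.Suites.Count) suites listed)"

# On Server 2016 the TLS module reports the suites Schannel will actually offer,
# which is the list worth comparing against the scanner's output.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $effective = @((Get-TlsCipherSuite).Name)
    Write-Host "Effective list taken from Get-TlsCipherSuite ($($effective.Count) suites)"
} else {
    $effective = $cfg.Suites
    Write-Host "Get-TlsCipherSuite not available on this OS; using the registry list"
}

$weak = @($effective | Where-Object { $_ -like 'TLS_RSA_*' })
if ($weak.Count -gt 0) {
    Write-Host "TLS_RSA suites still enabled on this host:" -ForegroundColor Yellow
    $weak | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No TLS_RSA suites in the effective list on this host."
}
```

If this reports no TLS_RSA suites but the external scan still lists them, compare the result against whichever device actually terminates TLS for the scanned hostname, since the scanner only sees that endpoint.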
