Wednesday, February 16, 2011

Forcing Internet Explorer 7 & 8 into regulatory requirements by using 256-bit AES

We have a few business clients that need to be Federal compliant. We sometimes need a convincing argument away from Microsoft's Home Products.

From "Changing the SSL cipher order in Internet Explorer 7 on Windows Vista" by Steve Riley (Steve Riley on Security; formerly of Microsoft's Trustworthy Computing Group):

We configure IE to use shorter bit lengths -- but never shorter than 128 bits, except for the last two that use no encryption -- because it gives you better performance than the longer bit lengths. In almost all cases, a 128-bit key is more than sufficient to protect the information you're exchanging over HTTPS.

However, if you require something longer, and want to change the default, you can. Here's how.

1. Open your group policy editor by entering gpedit.msc at a command prompt.
2. Choose Computer Configuration | Administrative Templates | Network | SSL Configuration Settings.
3. There's only one item here: SSL Cipher Suite Order. Open it.
4. Select Enabled.
5. Now here's where you need to tread carefully. You'll see that the list is the same as above, but rather than being formatted nicely with carriage returns, the entries are simply separated by commas. The first item in the list is:
TLS_RSA_WITH_AES_128_CBC_SHA
And the second item is:
TLS_RSA_WITH_AES_256_CBC_SHA
Cursor your way through the list. Change that first 128 to 256. Then cursor forward a bit more and change the 256 to 128.
6. Feel free to change other orders, too, but keep your changes within algorithm types.
7. OK your way out, close the group policy editor, and reboot.
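Cursoring through a long comma-separated string and editing digits by hand is where mistakes happen. Here is an added Python example (mine, not code from Steve Riley's article or from Microsoft) that does the step-5 swap programmatically: it moves the longer key first inside each algorithm family, leaves other families where they were, and checks that a hand-edited list still holds exactly the original suites. The suite list is a constructed sample, not the full IE7/Vista default order.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not the full IE7/Vista list: the two leading entries the post
# names, plus a few others so the reorder can be seen staying within one family.
SAMPLE_ORDER = (
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_RC4_128_SHA,"
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,"
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,"
    "TLS_RSA_WITH_NULL_SHA,"
    "TLS_RSA_WITH_NULL_MD5"
)
# Splits e.g. TLS_RSA_WITH_AES_128_CBC_SHA into key exchange, cipher, key bits, rest.
# Suites with no key-size field (3DES, NULL) do not match and are never moved.
_SUITE = re.compile(r"^(?P<kx>TLS_.+)_WITH_(?P<cipher>[A-Z0-9]+)_(?P<bits>\d+)_(?P<rest>.+)$")

def parse_suite(name: str) -> Optional[Tuple[str, str, int, str]]:
    m = _SUITE.match(name)
    return None if m is None else (m["kx"], m["cipher"], int(m["bits"]), m["rest"])

def family_of(name: str) -> Tuple[str, str, str]:
    """Same key exchange, cipher and mode/MAC; only the key size may differ."""
    p = parse_suite(name)
    return (p[0], p[1], p[3]) if p else ("", name, "")

def prefer_longer_keys(order: str) -> str:
    """Put the longest key first inside each family. A family keeps the slots it
    already occupied, so family order (and the NULL suites at the end) is unchanged."""
    suites = [s.strip() for s in order.split(",") if s.strip()]
    slots: Dict[Tuple[str, str, str], List[int]] = {}
    for i, s in enumerate(suites):
        slots.setdefault(family_of(s), []).append(i)
    result = list(suites)
    for fam, positions in slots.items():
        if not fam[0] or len(positions) < 2:
            continue
        ranked = sorted((suites[i] for i in positions), key=lambda n: -parse_suite(n)[2])
        for slot, name in zip(positions, ranked):
            result[slot] = name
    return ",".join(result)

def same_suites(before: str, after: str) -> bool:
    """Check after hand-editing in gpedit: nothing dropped, duplicated or mistyped."""
    return sorted(before.split(",")) == sorted(after.split(","))
```

Paste the policy's comma-separated string into prefer_longer_keys and copy the result back; running same_suites on your edited string catches a dropped or mistyped entry before you reboot.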
