Question : Weak Ciphers IIS

I have been trying to discontinue the use of "weak SSL Ciphers" in IIS 6, but I'm not exactly sure how to accomplish this.  

The text below comes from a security testing site that performed an analysis on our site

Synopsis: The remote service supports the use of weak SSL ciphers.

Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

See also: http://www.openssl.org/docs/apps/ciphers.html

Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.

Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output: Here is the list of weak SSL ciphers supported by the remote server:

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5  export
  EXP-RC4-MD5      Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export
SSLv3
  EXP-RC2-CBC-MD5  Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5  export
  EXP-RC4-MD5      Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5  export

The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Given the above, how exactly can I go about correcting this problem?

Answer : Weak Ciphers IIS

Open "regedit" and find the key

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers.

This will have a number of other subkeys below it. Next we will want to disable anything that has a number less than 128 in it, i.e. RC2 40/128 we will disable, but RC2 128/128 we will not. To disable the cipher, click on the subkey that you want to disable and create a new DWORD value named "Enabled". In the value data, keep it 0 in hex. This will disable the cipher from being able to run. You could also create a registry import like the following.

(From: http://www.curtis-lamasters.com/2008/06/21/windows-iis-ssl-restrict-weak-ciphers/)
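The registry procedure described in the answer above, as an added PowerShell example that is not part of the original post. It uses the .NET registry API rather than the HKLM: provider because the SChannel subkey names contain a "/" (e.g. "RC4 40/128"), which the PowerShell registry provider would treat as a path separator and turn into nested keys. The list of subkey names is the documented SChannel cipher set below 128 bits; it goes slightly beyond the answer by also disabling the SSLv2 server-side protocol, since the scan shows the export ciphers being offered over SSLv2 as well as SSLv3. Run it from an elevated prompt; on Windows Server 2003 / IIS 6 the change only takes effect after a reboot.

```powershell
# Added example (not from the original answer): disable the weak SChannel
# cipher subkeys reported by the scanner by setting Enabled=0 (DWORD) under
# each one, exactly as the answer describes, but scripted.
# Run elevated; IIS 6 / Windows Server 2003 needs a reboot afterwards.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# SChannel subkeys for ciphers with a key length below 128 bits, plus NULL
# (the "no encryption at all" case from the scanner's description).
$weakCiphers = @(
    'NULL',
    'RC2 40/128',
    'RC2 56/128',
    'RC4 40/128',
    'RC4 56/128',
    'RC4 64/128',
    'DES 56/56'
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine

# Open the Ciphers key writable; fail loudly if SChannel is not where we expect.
$ciphers = $hklm.OpenSubKey($ciphersPath, $true)
if ($null -eq $ciphers) { throw "Ciphers key not found: HKLM\$ciphersPath" }

foreach ($name in $weakCiphers) {
    # CreateSubKey opens the key if it exists and creates it otherwise, and
    # does not interpret "/" in $name as a path separator.
    $key = $ciphers.CreateSubKey($name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Write-Host "Disabled cipher: $name"
}
$ciphers.Close()

# Assumption, going beyond the answer: the export ciphers in the scan were
# offered over SSLv2 too, so disable the SSLv2 server-side protocol as well.
$sslv2Path = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server'
$sslv2 = $hklm.CreateSubKey($sslv2Path)
$sslv2.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
$sslv2.Close()
Write-Host 'Disabled protocol: SSL 2.0 (server)'

# Read back which cipher subkeys now carry Enabled=0 so the change can be
# checked before rebooting.
$ciphers = $hklm.OpenSubKey($ciphersPath)
foreach ($name in $ciphers.GetSubKeyNames()) {
    $sub = $ciphers.OpenSubKey($name)
    if ($sub.GetValue('Enabled') -eq 0) {
        Write-Host ("{0,-16} Enabled=0" -f $name)
    }
    $sub.Close()
}
$ciphers.Close()
```

After the reboot, confirm the fix from another host with the OpenSSL tool the scanner report links to: `openssl s_client -connect yourhost:443 -cipher EXP-RC4-MD5` (and likewise `-cipher EXP-RC2-CBC-MD5`) should now fail to complete the handshake, and a re-run of the scan should no longer list the Low Strength Ciphers section. Keep RC2 128/128, RC4 128/128 and Triple DES 168 enabled, as the answer says, or older clients will be unable to connect at all.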