Partager via


Setting Encryption Strength

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

You can configure your Web server to require a 128-bit minimum session-key strength for all Secure Sockets Layer (SSL) communications. This is the default session-key strength for Microsoft Windows Server 2003.

If you set a minimum 128-bit key strength, users attempting to establish a secure communications channel with your server must use a browser capable of communicating with a 128-bit session key. The session key is not the same as an SSL key pair, which is used to negotiate and establish a secure communication link. For information about upgrading browsers to 128-bit encryption capability, see How to Upgrade Internet Explorer to 128-Bit Encryption on the Windows Support Web site.

To establish encrypted communications, you must have a valid server certificate installed.

Important

You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc".

Procedures

To set encryption strength

  1. In IIS Manager, double-click the local computer, and then right-click the Web site, directory, or file that you want and click Properties.

  2. On the Directory Security or File Security tab, under Secure Communications, click Edit.

  3. In the Secure Communications box, select the Require secure channel (SSL) check box.

  4. If 128-bit encryption is required, select the Require 128-bit Encryption check box.

  5. Click OK.

Note

If you open a Server Gated Cryptography (SGC) certificate, you might receive a notice on the General tab that reads as follows: "The certificate has failed to verify for all of its intended purposes." This notice is issued because of the way SGC certificates interact with Windows, and does not necessarily indicate that the certificate does not work correctly.