I need to disable insecure cypher suites on a server with Windows Server 2012 R2 to pass a PCI vulnerability scan. From the research I've done it seems this is to done in IIS with some registry updates, and I've compiled a list and ran them.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
After applying the above, restarting, and re-running the scan, it still fails the test as having RC4 suites enabled. So i did some more digging and a google search revealed a patch for SCHANNEL: KB2868725, so i tried installing that but it was incompatible with the system (RC2 has it installed already).
After that I tried IIS Crypto, which already showed R4 cyphers disabled (via the registry keys i changed earlier) but I turned on PCI mode and it disabled a bunch more suites / ciphers. After a restart I was optimistic but a scan still is still failing.
It seems from additional research that 2012 R2 should have the functionality to disable RC4 built in, and IIS should honour this, but its not doing so, so I don't know where to go from here.
If any one else comes across this scratching their head, it wasn't an issue with the server hosting IIS. If you have any load balancing or reverse proxies in front of the server that have RC4 enabled, it will also fail the scan.