Enabling cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) on Windows Server 2003+ISA 2006

Vesper asked:

I have been given a task to disable all “weak” ciphers/protocols on our very old ISA server based on Windows Server 2003. I have disabled all protocols but TLS1.0, and all ciphers but RC2/128, RC4/128 and Triple DES 168/168. But Qualys SSL Labs test utility does not display me that I have a 3DES encryption available on my ISA server. The only cipher suites listed are:

TLS_RSA_WITH_RC4_128_MD5 (0x4)  
TLS_RSA_WITH_RC4_128_SHA (0x5) 

This KB says that when Triple DES 168 cipher is enabled, the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite is available. However, it is not. We need this cipher suite to allow a Windows 8.1 Phone connecting to ActiveSync published by this ISA. What could be the reason of 3DES encryption to be unavailable in this configuration, and what should we do in order to allow the connection for a Windows 8.1 phone without being vulnerable to POODLE?

EDIT: There was apparently a server-side malfunction of some sort, a reboot fixed 3DES availability, although the same KB states that registry change should have worked at once. I’ve got another server with the same problem, got it fixed with registry modification only, though.

My answer:


If your registry change didn’t take effect immediately, then just restart your computer.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.