You can configure your Web server to require a 128-bit minimum session-key strength, rather than the default 40-bit key strength, for all SSL secure communication sessions. If you set a minimum 128-bit key strength, however, users attempting to establish a secure communications channel with your server must use a browser capable of communicating with a 128-bit session key.
Important
- Due to export restrictions, the 128-bit key strength encryption feature is available only in the United States and Canada. For information about upgrading to 128-bit encryption capability, visit the Windows 2000 Server support Web site at http://support.microsoft.com/support/.
- When you set security properties for a specific Web site, you automatically set the same security properties for directories and files belonging to that site, unless the security properties of those individual directories and files have been set previously.
- Your Web server will prompt you for permission to reset the properties of individual directories and files when you attempt to set security properties for your Web site. If you choose to reset these properties, your previous security settings will be replaced by the new settings. The same condition applies when you set security properties for a directory containing subdirectories or files with previously set security properties. For more information about setting properties, see Properties and Inheritance of Properties on Sites in About Web and FTP Sites.
To set encryption strength
Note You cannot establish secure, encrypted communications unless you have installed a valid server certificate. See Using the New Security Task Wizards and Obtaining a Server Certificate for more information.
- In the Internet Information Services snap-in, select a Web site, directory, or file, and open its property sheets.
- If you have not previously created a server key pair and certificate request, select the Directory Security or File Security property sheet. Under Secure Communications, click Server Certificate. The new Web Server Certificate Wizard will guide you through the procedure. For more information about the new wizard, see Using the New Security Task Wizards.
- If you have previously created a server key pair and certificate request, select the Directory Security or File Security property sheet. Under Secure Communications, click Edit.
- In the Secure Communications dialog box, select the Require secure channel (SSL) check box.
- Select the Require 128-bit Encryption check box if this level of encryption is required.
- Click OK.
Note The session key is not the same as an SSL key pair, which is used to negotiate and establish a secure communication link.
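The inheritance rule under Important and the two check boxes in this procedure can be audited together. The following is an added example, not part of the original documentation: it assumes the settings are read from the IIS metabase `AccessSSLFlags` property (the `AccessSSL` and `AccessSSL128` bit values are not given on this page), and the site tree is constructed sample data.

```python
# Added example: audit inherited SSL requirements over a constructed site tree.
# Assumption: bit values are the IIS metabase AccessSSLFlags constants.
ACCESS_SSL = 0x008      # "Require secure channel (SSL)"
ACCESS_SSL128 = 0x100   # "Require 128-bit Encryption"

def effective_flags(tree):
    """Resolve flags per path: an explicitly set value wins; a value of None
    means 'not set here', so the nearest ancestor's value is inherited."""
    resolved = {}
    for path in tree:
        flags, node = tree[path], path
        while flags is None and "/" in node:
            node = node.rsplit("/", 1)[0]   # step up to the parent path
            flags = tree.get(node)
        resolved[path] = flags or 0         # nothing set anywhere: no requirement
    return resolved

def audit(tree):
    """Return {path: finding} for paths that do not enforce SSL with 128-bit."""
    findings = {}
    for path, flags in effective_flags(tree).items():
        if not flags & ACCESS_SSL:
            findings[path] = "SSL not required"
        elif not flags & ACCESS_SSL128:
            findings[path] = "SSL required, 128-bit not enforced"
    return findings

# Constructed sample: the site requires SSL and 128-bit, but two children
# carry previously set properties that survive unless they are reset.
SITE = {
    "W3SVC/1/ROOT": ACCESS_SSL | ACCESS_SSL128,
    "W3SVC/1/ROOT/account": None,            # inherits from the site
    "W3SVC/1/ROOT/images": 0,                # earlier override: no SSL
    "W3SVC/1/ROOT/images/logo.gif": None,    # inherits from images
    "W3SVC/1/ROOT/legacy": ACCESS_SSL,       # earlier override: SSL only
}

if __name__ == "__main__":
    for path, finding in sorted(audit(SITE).items()):
        print(f"{path}: {finding}")
```

Paths listed in the output are the ones whose previously set properties would need to be reset, or edited individually, for the site-wide requirement to apply to them.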
Server-Gated Cryptography
Server-Gated Cryptography (SGC) offers financial institutions a solution for worldwide secure financial transactions using 128-bit encryption. SGC is an extension of Secure Sockets Layer (SSL) that allows financial institutions with export versions of IIS to use strong encryption.
Server-Gated Cryptography does not require an application running on the client's browser and can be utilized by standard export versions of IIS, version 4.0 or later. A server configured for SGC can facilitate both 128-bit and 40-bit encryption sessions, so multiple versions of IIS are not required. Although SGC capabilities are built into IIS 4.0 and later versions, a special SGC certificate is required to use SGC. Contact your certification authority for availability information. For more information about SGC, see Server-Gated Cryptography (SGC) at http://www.microsoft.com/security/tech/sgc.
Note If you open your SGC certificate, you might receive a notice on the General tab saying, "The certificate has failed to verify for all of its intended purposes." This notice is issued because of the way SGC certificates interact with Windows 2000 and does not necessarily indicate that the certificate does not work properly.
© 1997-1999 Microsoft Corporation. All rights reserved.