How to disable 3DES and RC4 on Windows Server 2019? - Microsoft Q&A (2024)

The recommended way of resolving the Sweet32 vulnerability (weak key length) is to disable the cipher suites that contain the elements that are weak or compromised. You can disable the cipher suites you do not want by enabling either a local or GPO policy...

https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

Since the cipher suites do have variation between the OS versions, you can have a GPO for each OS version and a WMI filter on each GPO to target a specific OS version.

Microsoft does not recommend disabling ciphers, hashes, or protocols with registry settings as these could be reset/removed with an update. The preferred method is to choose a set of cipher suites and use either the local or group policy to enforce the list. This allows you to select the cipher suites that support the TLS version you need and to select only cipher suites that do not have weak or compromised elements like RC4, DES, MD5, EXPORT, NULL, and RC2.

Let's look at an example of Windows Server 2019 and Windows 10, version 1809.

[Image: table of the cipher suites available on Windows Server 2019 / Windows 10 version 1809, with cells coloured green, yellow and red]

The cells in green are what we want and the cells in red are things we should avoid. Yellow cells represent aspects that overlap between good and fair (or bad). If we take only the cipher suites that support TLS 1.2, support SCH_USE_STRONG_CRYPTO and exclude the remaining cipher suites that have marginal to bad elements, we are left with a very short list.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

6 cipher suites that have strong elements, will support SCH_USE_STRONG_CRYPTO, and Perfect Forward Secrecy (PFS).

With this selection of cipher suites I do not have to disable TLS 1.0, TLS 1.1, DES, 3DES, RC4 etc. as there are no cipher suites that I am allowing that have those elements.
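The allow-list approach from the answer above, as an added PowerShell example (not code from the Q&A answer or from Microsoft): it audits the cipher suites SChannel currently enables, flags the ones carrying the weak elements the answer names (RC4, DES, 3DES, MD5, EXPORT, NULL, RC2), and can write the six-suite allow-list to the policy key that the "SSL Cipher Suite Order" setting uses. The `-Apply` and `-SampleData` switches, the `Get-SuiteClass` helper and the sample suite list are assumptions of this example; `Get-TlsCipherSuite` and the `Functions` policy value are real Windows names.

```powershell
# Added example: audit SChannel cipher suites against the answer's allow-list.
# Assumes an elevated PowerShell 5.1+ session on Windows Server 2016/2019 (TLS module present).
param(
    [switch]$Apply,       # hypothetical switch: write the allow-list to the policy key
    [switch]$SampleData   # hypothetical switch: use a constructed list instead of querying the host
)

# The six suites the answer ends up with: TLS 1.2, AES-GCM (AEAD), PFS key exchange.
$AllowList = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Elements the answer lists as weak or compromised (the "red" cells).
$WeakPattern = '(_RC4_|_DES_|_3DES_|_MD5|_EXPORT|_NULL|_RC2_)'
# Plain-RSA key exchange (no PFS) and CBC mode are the "yellow" cells: tolerated, not chosen.
$MarginalPattern = '^TLS_RSA_|_CBC_'

function Get-CurrentSuites {
    if ($SampleData) {
        # Constructed sample resembling a default Server 2019 order; not a capture from a real host.
        return @(
            'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
            'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
            'TLS_RSA_WITH_AES_128_CBC_SHA',
            'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
            'TLS_RSA_WITH_RC4_128_SHA',
            'TLS_RSA_WITH_NULL_SHA256'
        )
    }
    # Get-TlsCipherSuite returns the suites SChannel currently enables, in priority order.
    return (Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
}

function Get-SuiteClass([string]$Name) {
    if ($Name -match $WeakPattern)     { return 'weak' }
    if ($Name -match $MarginalPattern) { return 'marginal' }
    return 'strong'
}

$current = Get-CurrentSuites
$report = $current | ForEach-Object {
    [pscustomobject]@{
        Suite       = $_
        Class       = Get-SuiteClass $_
        InAllowList = ($AllowList -contains $_)
    }
}
$report | Format-Table -AutoSize

$weakCount = @($report | Where-Object Class -eq 'weak').Count
Write-Host "$weakCount enabled suite(s) contain weak elements."

if ($Apply) {
    # The "SSL Cipher Suite Order" policy stores its list as a comma-separated REG_SZ named
    # "Functions" under this policy key. Writing it here is the local-policy equivalent; for a
    # fleet, put the same list in a GPO per OS version (with a WMI filter) as the answer suggests.
    $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value ($AllowList -join ',') -Type String
    Write-Host "Allow-list written to $PolicyKey; restart the server for SChannel to pick it up."
}
```

Run it with `-SampleData` first to see the classification on the constructed list; on a real host, run without switches to audit, and only with `-Apply` once the allow-list has been checked against the clients that must connect (anything limited to TLS 1.0/1.1 or non-AEAD suites will stop negotiating).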

As an expert in cybersecurity and network security, I have extensive experience in addressing vulnerabilities and implementing secure configurations to protect systems from potential threats. My expertise is backed by hands-on experience in managing and securing Windows Server environments, particularly in the context of TLS (Transport Layer Security) and cipher suite configurations.

In the provided article, the focus is on addressing the Sweet32 vulnerability, which is associated with weak key lengths in cipher suites. I'll break down the key concepts mentioned in the article and elaborate on the recommended approach:

  1. Sweet32 Vulnerability:

    • Refers to a security vulnerability related to weak key lengths in cipher suites, making them susceptible to attacks.
    • This vulnerability is a concern for cryptographic protocols like TLS.
  2. Resolution Method:

    • The recommended approach is to disable cipher suites containing weak or compromised elements.
    • The article suggests using either local or Group Policy Objects (GPO) to enforce security configurations.
  3. GPO and WMI Filter:

    • GPOs can be created for different OS versions, and WMI filters can be applied to target specific OS versions.
    • This allows for a more granular application of security policies based on the operating system in use.
  4. Microsoft's Recommendation:

    • Microsoft discourages disabling ciphers, hashes, or protocols with registry settings, as they may be reset or removed during updates.
  5. Preferred Method:

    • The preferred method is to select a set of cipher suites using either local or group policy to enforce the list.
    • This ensures a more controlled and persistent application of security configurations.
  6. Cipher Suites Selection Criteria:

    • Choose cipher suites that support the required TLS version.
    • Select cipher suites without weak or compromised elements such as RC4, DES, MD5, EXPORT, NULL, and RC2.
  7. Example for Windows Server 2019 and Windows 10, version 1809:

    • Provides an example with a visual representation of desirable (green), undesirable (red), and overlapping (yellow) cipher suites.
    • Emphasizes the importance of selecting cipher suites that support TLS 1.2, SCH_USE_STRONG_CRYPTO, and exclude marginal to bad elements.
  8. Selected Cipher Suites:

    • Recommends a specific set of cipher suites (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) that meet the criteria of strong elements, SCH_USE_STRONG_CRYPTO, and Perfect Forward Secrecy (PFS).
    • By selecting these cipher suites, there is no need to disable TLS 1.0, TLS 1.1, DES, 3DES, RC4, etc., as they are not included in the allowed list.

In conclusion, the article outlines a comprehensive and strategic approach to addressing the Sweet32 vulnerability by carefully selecting and enforcing secure cipher suite configurations through GPOs or local policies, in alignment with Microsoft's recommendations for maintaining a resilient and updatable security posture.


FAQs

How to disable 3DES and RC4 on Windows Server 2019? - Microsoft Q&A?

We can disable 3DES and RC4 ciphers by removing them from registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 and then restart the server.

How to disable 3DES and RC4 on Windows Server 2019?

Disable RC4/DES/3DES cipher suites in Windows using registry, Group Policy Object (GPO), or local security settings. You can do this using GPO or Local security policy under Computer configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.

How do you disable and stop using DES and 3DES ciphers?

Disabling 3DES/DES TLS Cipher by using Group Policy

  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. If you have not enabled it previously then double-click SSL Cipher Suite Order, and then click the Enabled option.
  3.

How do I disable RC4 and DES?

To disable RC4 and 3DES, In the Command Prompt, type regedit and press Enter, remove HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002, and then restart the server.

How do I disable RC4 in Microsoft?

Disable RC4 in Operations Manager

On the Management Server, go to Local Group Policy Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos > Disable RC4.

What is TLS_RSA_WITH_3DES_EDE_CBC_SHA?

TLS_RSA_WITH_3DES_EDE_CBC_SHA is a remnant of the SSL 2.0 and SSL 3.0 era. 3DES in TLS is vulnerable to the Sweet32 [ https://sweet32.info/ ] attack. Being a CBC cipher suite, it is also vulnerable to the Lucky Thirteen [ https://en.wikipedia.org/wiki/Lucky_Thirteen_attack ] attack.

Is RC4 disabled by default in Windows Server 2016?

RC4 is not turned off by default for all applications. Applications that call in to SChannel directly will continue to use RC4 unless they opt in to the security options.

How do I disable ciphers in Windows Server?

The Disable-TlsCipherSuite cmdlet disables a cipher suite. This cmdlet removes the cipher suite from the list of Transport Layer Security (TLS) protocol cipher suites for the computer.

How do I disable weak ciphers and algorithms?

  1. SSH to the instance and switch to root by running the command sudo su -.
  2. List the currently enabled ciphers by running the command ssh -Q cipher.
  3. Copy the list and remove the unwanted ciphers. ...
  4. Make a backup of the file /etc/ssh/ssh_config by running the command: ...
  5. Edit the modified list of ciphers in /etc/ssh/ssh_config.

What is the solution for Sweet32?

How to Fix. To mitigate the Sweet32 vulnerability, the recommended fix is to disable or deprecate 3DES cipher suites in the TLS or SSL configuration and use stronger encryption algorithms like AES instead.

Should we disable RC4?

Mozilla and Microsoft recommend disabling RC4 where possible. RFC 7465 prohibits the use of RC4 in TLS.

How do I enable RC4 encryption?

Resolution
  1. Login to the SonicWall management GUI.
  2. Under Encryption Settings, enable check box Enable RC4-Only Cipher Suite Support.
  3. Click Accept at the top to save the change.
  4. Restart for the change to take effect.

How to disable RC4 cipher in SSH?

2, the RC4 cipher will only be disabled by enabling FIPS 140-2 mode. No - ONTAP 9.x includes the "security" command to configure the default SSL and SSH parameters.

Is RC4 deprecated in Active Directory?

Issue. RC4 encryption has been deprecated and disabled by default in RHEL 8, as it is considered less secure than the newer AES-128 and AES-256 encryption types. In contrast, Active Directory (AD) user credentials and trusts between AD domains support RC4 encryption and they might not support AES encryption types.

What can I use instead of RC4?

Microsoft recommends that customers upgrade to TLS 1.2 and utilize AES-GCM. On modern hardware AES-GCM has similar performance characteristics and is a much more secure alternative to RC4.

What is RC4 in Windows?

RC4, also known as Rivest Cipher 4, is a symmetric key stream cipher designed by Ron Rivest in 1987. The National Institute of Standards and Technology (NIST) has discouraged the use of RC4 in favor of more secure cryptographic algorithms.

How do I disable TLS in Windows Server 2019?

Create a key named "TLS 1.1" with two DWORDs for both TLS 1.0 & 1.1: "DisabledByDefault=1" & "Enabled=0". Similarly, create a key named "TLS 1.0" with two DWORDs for each protocol, "DisabledByDefault=1" & "Enabled=0".
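The protocol keys described in the answer above, as an added PowerShell example (not from the FAQ source or from Microsoft): it creates the `Enabled=0` / `DisabledByDefault=1` DWORDs for TLS 1.0 and TLS 1.1 on both the Server and Client sides of SChannel, then reads them back as a compliance check so a fleet can be verified after the change. The SCHANNEL `Protocols` registry path and the two value names are real Windows settings; the `-ReportOnly` switch and the two helper function names are assumptions of this example.

```powershell
# Added example: disable TLS 1.0/1.1 in SChannel and verify the result.
# Assumes an elevated PowerShell 5.1+ session on Windows Server 2019; a reboot is needed afterwards.
param(
    [string[]]$Protocols = @('TLS 1.0', 'TLS 1.1'),
    [switch]$ReportOnly   # hypothetical switch: only check the keys, write nothing
)

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocolDisabled {
    param([string]$Protocol)
    # Both the Server (inbound) and Client (outbound) subkeys must be set, otherwise the
    # host may still initiate TLS 1.0/1.1 connections to other systems.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $Base $Protocol) $side
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off even for
        # applications that do not pass an explicit protocol list to SChannel.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-SchannelProtocolDisabled {
    param([string]$Protocol)
    $ok = $true
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $Base $Protocol) $side
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # A missing key means the OS default applies; on Server 2019 that leaves TLS 1.0/1.1 enabled,
        # so "absent" must be reported as "not disabled", not ignored.
        if (-not $props -or $props.Enabled -ne 0 -or $props.DisabledByDefault -ne 1) {
            Write-Warning "$Protocol ($side) is not disabled"
            $ok = $false
        }
    }
    return $ok
}

if (-not $ReportOnly) {
    foreach ($p in $Protocols) { Set-SchannelProtocolDisabled -Protocol $p }
}

$Protocols | ForEach-Object {
    [pscustomobject]@{ Protocol = $_; Disabled = (Test-SchannelProtocolDisabled -Protocol $_) }
} | Format-Table -AutoSize

if (-not $ReportOnly) { Write-Host 'Restart the server for SChannel to apply the protocol change.' }
```

Use `-ReportOnly` on hosts that should already have the change to confirm it survived patching; a protocol reported as not disabled on either side is the condition the FAQ's registry keys are meant to remove.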

How do I disable group policy in Windows Server 2019?

Go to Management → GPO Management → Manage GPOs. Select the GPOs you want to disable and click Disable option from the Manage drop down list. The selected GPOs will be disabled.

How to disable UAC in Windows Server 2019 registry?

For Microsoft Windows Server 2019/2022:
  1. Log in as an administrator.
  2. From the Control Panel, select User Accounts > User Accounts > Change User Account Settings.
  3. In the User Account Control Settings window, move the slider to Never notify.
  4. Restart the machine, so changes take effect.
Aug 9, 2023

Article information

Author: Rev. Porsche Oberbrunner