Disabling weak ciphers


Guessing the registry keys would be created here.

You don't have to guess. Per the Microsoft KB:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
"EventLogging"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

So your hunch was close, but note the Ciphers subkey when you want to enable/disable ciphers, and the Protocols subkey when you want to disable/enable entire protocols.

So for instance, if you want to disable RC4, create several new keys, one for each different key size that could be used in RC4:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128

In each one of those keys, you need to create the new value:

Enabled    REG_DWORD    0

If you wanted to disable, for example, the entire SSL v2 protocol, create the keys:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server

Inside each key, make two new values:

Enabled              DWORD    0
DisabledByDefault    DWORD    1

Note that these policies only affect applications which link to/call into Schannel.dll... so IIS, Internet Explorer, Remote Desktop, etc. These settings will not affect applications that use other SSL libraries such as OpenSSL.
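The two procedures above (disabling each RC4 key size under Ciphers, and disabling SSL 2.0 under Protocols for both Client and Server) scripted in PowerShell, with a read-back so you can verify the result before rebooting. This is an added example, not code from the answer or from Microsoft; the helper names Set-SchannelDword and Get-SchannelState are my own. It uses the .NET Microsoft.Win32.Registry API rather than New-Item because PowerShell's registry provider treats the forward slash in key names such as "RC4 56/128" as a path separator and would create a nested "RC4 56\128" key instead. Run it from an elevated prompt; Schannel reads these keys at boot, so a restart is needed before the change takes effect.

```powershell
# Added example: apply and verify the Schannel registry settings from the answer.
# Requires an elevated session. Reboot afterwards for Schannel to pick up the keys.
# Uses [Microsoft.Win32.Registry] directly: the PowerShell registry provider would
# split "RC4 56/128" at the "/" and create the wrong key.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelDword {
    param(
        [Parameter(Mandatory)][string]$SubKey,    # path relative to the SCHANNEL key
        [Parameter(Mandatory)][hashtable]$Values  # value name -> DWORD data
    )
    # CreateSubKey opens the key writable, creating it (and any parents) if absent.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubKey")
    try {
        foreach ($name in $Values.Keys) {
            $key.SetValue($name, [int]$Values[$name], [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally {
        $key.Close()
    }
}

function Get-SchannelState {
    param([Parameter(Mandatory)][string]$SubKey)
    # Read-only open; returns $null when the key does not exist.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $key) {
        return [pscustomobject]@{ Key = $SubKey; Enabled = '(key absent)'; DisabledByDefault = '(key absent)' }
    }
    try {
        [pscustomobject]@{
            Key               = $SubKey
            Enabled           = $key.GetValue('Enabled', '(not set)')
            DisabledByDefault = $key.GetValue('DisabledByDefault', '(not set)')
        }
    } finally {
        $key.Close()
    }
}

# 1. Disable RC4: one key per key size, Enabled = 0 in each (as in the answer).
$rc4KeySizes = @('RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128')
foreach ($cipher in $rc4KeySizes) {
    Set-SchannelDword -SubKey "Ciphers\$cipher" -Values @{ Enabled = 0 }
}

# 2. Disable SSL 2.0 for both sides: Enabled = 0 and DisabledByDefault = 1.
foreach ($side in @('Client', 'Server')) {
    Set-SchannelDword -SubKey "Protocols\SSL 2.0\$side" -Values @{ Enabled = 0; DisabledByDefault = 1 }
}

# 3. Read everything back. Expected: Enabled 0 on every RC4 key; Enabled 0 and
#    DisabledByDefault 1 on both SSL 2.0 keys. Anything else means a typo in a key name.
$toCheck = @($rc4KeySizes | ForEach-Object { "Ciphers\$_" }) +
           @('Protocols\SSL 2.0\Client', 'Protocols\SSL 2.0\Server')
$toCheck | ForEach-Object { Get-SchannelState -SubKey $_ } | Format-Table -AutoSize
```

Because Schannel only honours a key whose name matches exactly, the read-back step is worth keeping: a cipher key that comes back as "(key absent)" after the script ran is the usual sign that the slash in the name was mangled, and the cipher is still enabled. After the reboot, confirm from outside the box with whatever scanner produced the original report, since that is the only check that covers what the server actually negotiates.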


Author: user3329963

Updated on September 18, 2022

Comments

  • user3329963 over 1 year

    Does anyone have any experience disabling weak ciphers in the Windows Registry? The server doesn't have IIS installed. Below are the results of my security scan, but I'm not 100% sure what registry entries should be added; I've disabled whole protocols via the registry before but never individual ciphers.

    Guessing the registry keys would be created here.

    HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
    

    Here is the list of weak SSL ciphers supported by the remote server :

      Low Strength Ciphers (< 56-bit key)
    
        TLSv1
          EXP-EDH-RSA-DES-CBC-SHA      Kx=DH(512)     Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export     
          EXP-DES-CBC-SHA              Kx=RSA(512)    Au=RSA      Enc=DES-CBC(40)          Mac=SHA1   export     
          EXP-RC4-MD5                  Kx=RSA(512)    Au=RSA      Enc=RC4(40)              Mac=MD5    export     
    
    The fields above are :
    
      {OpenSSL ciphername}
      Kx={key exchange}
      Au={authentication}
      Enc={symmetric encryption method}
      Mac={message authentication code}
      {export flag}