How to disable 3DES and RC4 on Windows Server 2019?

Kartheen E 46 Reputation points
2021-04-07T18:34:51.51+00:00

Could some let me know How to disable 3DES and RC4 on Windows Server 2019? and is there any patch for disabling these. I am trying to fix this vulnerability CVE-2016-2183.


Accepted answer
  1. Daisy Zhou 18,551 Reputation points Microsoft Vendor
    2021-04-08T03:16:31.347+00:00

    Hello @Kartheen E ,

    Thank you for posting here.

    Could some let me know How to disable 3DES and RC4 on Windows Server 2019?
    A: We can check all the ciphers on one machine by running the command.

    Get-TlsCipherSuite >c:\cipher.txt

    Or we can check only 3DES cipher or RC4 cipher by running commands below.

    (screenshots of the 3DES and RC4 check commands not reproduced)

    We can disable 3DES and RC4 ciphers by removing them from registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 and then restart the server.

    For example in my lab:
    (screenshot of the registry key not reproduced)

    I am sorry I can not find any patch for disabling these.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    3 people found this answer helpful.
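The accepted answer checks for the 3DES and RC4 suites and removes them from the Local SSL 00010002 key by hand. The script below is an added example, not from the answer or from Microsoft: it audits the enabled suite list with Get-TlsCipherSuite, writes a report, and with -Remove disables the weak suites through Disable-TlsCipherSuite (which edits that same key). It assumes the TLS PowerShell module present on Windows Server 2016 and later, an elevated session, and the weak-cipher name patterns listed in the code.

```powershell
# Added example (not from the original answer). Audits the local Schannel cipher
# suite list for 3DES and RC4 (the suites behind CVE-2016-2183 / Sweet32 and the
# RC4 weaknesses) plus other weak elements, and optionally disables them.
# Assumes the TLS module (Get-TlsCipherSuite / Disable-TlsCipherSuite). Run elevated.
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$Report = "$env:TEMP\weak-ciphers.txt"
)

# Weak elements recognised by substring of the IANA suite name (assumed list).
# DES_CBC matches single DES (TLS_RSA_WITH_DES_CBC_SHA) but not 3DES_EDE_CBC.
$weakPattern = '3DES|RC4|DES_CBC|RC2|NULL|EXPORT|MD5'

$all  = Get-TlsCipherSuite
$weak = $all | Where-Object { $_.Name -match $weakPattern }

"Enabled cipher suites: $($all.Count)" | Tee-Object -FilePath $Report
"Weak cipher suites   : $($weak.Count)" | Tee-Object -FilePath $Report -Append
$weak | Select-Object Name, Cipher, CipherLength, Hash |
    Format-Table -AutoSize | Out-String | Tee-Object -FilePath $Report -Append

if ($Remove) {
    foreach ($suite in $weak) {
        # Disable-TlsCipherSuite removes the suite from the Local SSL 00010002
        # configuration that the accepted answer edits manually.
        Disable-TlsCipherSuite -Name $suite.Name
        "Disabled $($suite.Name)"
    }
    # Confirm nothing weak remains before the reboot that applies the change.
    $left = Get-TlsCipherSuite | Where-Object { $_.Name -match $weakPattern }
    if ($left) {
        Write-Warning "Still enabled: $($left.Name -join ', ')"
    } else {
        "No 3DES/RC4 suites remain enabled. Reboot so running services pick up the change."
    }
}
```

Run it once without -Remove to review the report, then with -Remove; anything a Windows update re-enables shows up again on the next audit run, which is the drawback of the registry approach that a later answer on this page points out.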

4 additional answers

Sort by: Most helpful
  1. Dave Patrick 426K Reputation points MVP
    2021-04-07T20:28:53.28+00:00

    Something here may help.
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

    --please don't forget to Accept as answer if the reply is helpful--


  2. Michael Maxey 27 Reputation points Microsoft Employee
    2023-04-04T14:22:21.8+00:00

    The recommended way of resolving the Sweet32 vulnerability (weak key length) is to disable the cipher suites that contain the elements that are weak or compromised. You can disable whichever cipher suites you do not want by enabling either a local or GPO policy...

    https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls Since the cipher suites do have variation between the OS versions, you can have a GPO for each OS version and a WMI filter on each GPO to target a specific OS version. Microsoft does not recommend disabling ciphers, hashes, or protocols with registry settings as these could be reset/removed with an update. The preferred method is to choose a set of cipher suites and use either the local or group policy to enforce the list. This allows you to select the cipher suites that support the TLS version you need and to select only cipher suites that do not have weak or compromised elements like RC4, DES, MD5, EXPORT, NULL, and RC2.

    Let's look at an example of Windows Server 2019 and Windows 10, version 1809.
    (screenshot of the cipher suite table not reproduced)

    The cells in green are what we want and the cells in red are things we should avoid. Yellow cells represent aspects that overlap between good and fair (or bad). If we take only the cipher suites that support TLS 1.2, support SCH_USE_STRONG_CRYPTO and exclude the remaining cipher suites that have marginal to bad elements, we are left with a very short list:

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

    These 6 cipher suites have strong elements, will support SCH_USE_STRONG_CRYPTO, and Perfect Forward Secrecy (PFS).

    With this selection of cipher suites I do not have to disable TLS 1.0, TLS 1.1, DES, 3DES, RC4 etc. as there are no cipher suites that I am allowing that have those elements.

    4 people found this answer helpful.
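The answer above recommends enforcing an allowlist of cipher suites through policy rather than deleting entries from the Local key. As an added example (not the answer's or Microsoft's own code), the script below applies that six-suite allowlist locally by writing the policy registry value that the "SSL Cipher Suite Order" Group Policy setting writes, validates the names against the host first, and reads the value back. It assumes the policy key path and the Functions value name shown in the code, an elevated session, and a Windows Server 2019 / Windows 10 1809 host.

```powershell
# Added example (not from the original answer): apply the six-suite allowlist as
# a local cipher suite order policy, equivalent to the "SSL Cipher Suite Order"
# GPO setting. Assumed: policy key path and the 'Functions' REG_SZ value below.
# Run elevated; Schannel reads the policy at boot, so reboot afterwards.
$allowed = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Warn about names the host does not currently list: a typo here would silently
# drop the suite from the negotiated set instead of enabling it.
$known   = (Get-TlsCipherSuite).Name
$unknown = $allowed | Where-Object { $_ -notin $known }
if ($unknown) { Write-Warning "Not in the current enabled list: $($unknown -join ', ')" }

# Keep a copy of any existing policy value so the change can be reverted.
if (Test-Path $policyKey) {
    $current = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($current) { Set-Content -Path "$env:TEMP\cipher-order-backup.txt" -Value $current }
} else {
    New-Item -Path $policyKey -Force | Out-Null
}

# The value is one comma-separated string of suite names, no spaces, in priority order.
$value = $allowed -join ','
Set-ItemProperty -Path $policyKey -Name Functions -Value $value -Type String

# Read back and compare so a partial or mangled write is caught before rebooting.
$applied = (Get-ItemProperty -Path $policyKey -Name Functions).Functions
if ($applied -ne $value) { throw 'Cipher suite order policy was not written as expected.' }
"Cipher suite order policy set ($($allowed.Count) suites). Reboot to apply."
```

Because every listed suite is TLS 1.2 AES-GCM with ECDHE or DHE key exchange, 3DES and RC4 suites are never offered, which is the point the answer makes about not needing to disable them individually.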

  3. Arun Nair 11 Reputation points
    2021-12-25T23:20:55.407+00:00

    There are a couple of different places where they exist.
    In addition to where @Daisy Zhou mentioned HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 the other location is as below:
    "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\"
    Once removed from there it doesn't report any more.
    Before:
    (screenshot not reproduced)

    After:
    (screenshot not reproduced)

    2 people found this answer helpful.

  4. s c 11 Reputation points
    2022-06-08T20:23:07.413+00:00

    FWIW and for the lazy admins, you can use IIS Crypto to do this for you.
    (screenshot not reproduced)
    On Schannel, you just click Best Practices and then uncheck Triple DES 168, click Apply without reboot.
    (screenshot not reproduced)
    Then on Cipher Suites, make sure TLS_RSA_WITH_3DES_EDE_CBC_SHA is unchecked. Apply if you made changes and reboot when permitted to take the change.
    With GPO you can try to disable the Medium Strength Ciphers via GPO settings under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings but it might break something if you have applications using these Ciphers.
    You could theoretically use a GPO to make the same registry changes for you and apply to whatever OU, but this method scares me.
    Always a good idea to take a backup before any changes.

    Best of luck.

    2 people found this answer helpful.