Security assessment: Weak cipher usage

Important

Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

What are weak ciphers?

Cryptography relies on ciphers to encrypt our data. For example, RC4 (Rivest Cipher 4 also known as ARC4 or ARCFOUR meaning Alleged RC4) is one. While RC4 is remarkable for its simplicity and speed, multiple vulnerabilities have been discovered since the original release of RC4, rendering it insecure. RC4 is especially vulnerable when the beginning of the output key stream is not discarded, or when non-random or related keys are used.

How do I use this security assessment to improve my organizational security posture?

  1. Review the security assessment for weak cipher usage. Review weak cipher usage assessment
  2. Research why the identified clients and servers are using weak ciphers.
  3. Remediate the issues and disable use of RC4 and/or other weak ciphers (such as DES/3DES).
  4. To learn more about disabling RC4, see the Microsoft Security Advisory.

Note

This assessment is updated in near real time.

Remediation

Disable clients and servers that you want to stop from using RC4 cipher suites by setting the following registry keys. Once disabled, any server or client that communicates with another client or server that requires use of RC4 can then prevent a connection from occurring. Clients where this setting is deployed will be unable to connect to sites that require RC4, and servers that deploy this setting will be unable to service clients that require use RC4.

Note

Make sure to test the following settings in a controlled environment before enabling them in production.

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000

To learn more about downloading and updating the registry edits, see the Microsoft Security Advisory.

Next steps