Disabling RC4 on Windows 2008 R2 Standard Server

iis-7sslwindows-server-2008-r2

I have just used www.ssllabs.com and ran a few tests – my server is capped to a B grade because my server accepts RC4

This server accepts the RC4 cipher, which is weak. Grade capped to B.

I've researched and found that to disable RC4 I need to add 3 keys, and set their enabled dword to 0 Link and Link

I have done this for RC4 40/128, RC 56/128 and RC4 64/128

I then restarted my server. When the server was up again, I verified the Registry Changes were done, and they are – all 3 exist and all 3 have their enabled value set to 0.

I return to ssllabs, clear the cache, re-run the test and it returns the same result (capped to B due to RC4 being enabled).

At this stage, I'm not sure what this means – if SSLLabs showing incorrect results (I'm going to assume not), have I disabled RC 4.

How can I tell if I have successfully disabled RC4

Edit

I also saw the KB about this http://support.microsoft.com/kb/2868725?wa=wsignin1.0 so trying now… I've done the same registry changes but, when I try to download the 64 bit version for W2008 R2 Standard, it fails to install with error message

The update is not applicable to your computer

Best Answer

There is a tool to check the cipher order in a GUI. It works for me every time. (Try it on a test machine if you don't trust the exe.)

Microsoft released a security advisory about RC4 where they explain how to disable RC4 on the client and server side. Now it's best practice to disable RC4.

Don't forget to do the Windows Update in the security advisory because there is a schannel update to do before updating the cipher order.

When the update is done, you can use the tool (IISCrypto), the Microsoft advisory patch, or update the windows registry yourself:

(Be careful. Back up your registry first.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

Related Solutions

Ssl – RC4 cipher not working on Windows 2008 R2 / IIS 7.5

The issue why RC4 isn't working is that is has to be set to 0xfffffff or 4294967295 in the registry, not 1 to enable it.

Here's some PowerShell functions which were used to set our IIS installs up with the PCI compliant:

This function is used to enable/disable required protocols

function Set-IISSecurityProtocols {
$protopath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
& reg.exe add "$protopath\PCT 1.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 00000001 /f
& reg.exe add "$protopath\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 00000000 /f

}

And this function is where you set what ciphers are allowed to be used, or not used

function Set-IISSupportedCiphers {
$cipherpath = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
& reg.exe add "$cipherpath\NULL" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\DES 56/56" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC2 128/128" /v Enabled /t REG_DWORD /d 00000000 /f 
& reg.exe add "$cipherpath\RC4 40/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 56/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 64/128" /v Enabled /t REG_DWORD /d 00000000 /f
& reg.exe add "$cipherpath\RC4 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\Triple DES 168/168" /v Enabled /t REG_DWORD /d 4294967295 /f
& reg.exe add "$cipherpath\AES 128/128" /v Enabled /t REG_DWORD /d 4294967295 /f 
& reg.exe add "$cipherpath\AES 256/256" /v Enabled /t REG_DWORD /d 4294967295 /f

}

Once these changes have been set (A reboot is required afaik) you then can set the priority in which the ciphers are used.

To immune the BEAST vulnerability it's reccomended you used RC4 first as outlined @ http://www.phonefactor.com/blog/slaying-beast-mitigating-the-latest-ssltls-vulnerability.php

This will be the case until either

All browsers patch the BEAST vulnerability
Or everyone starts supporting TLS1.2

Ssl – IBM Domino 8.5.3 and mitigating the BEAST attack on TLS (SSLTest)

Can you check the Blogposting here and say which cipher you have still enabled?

Best Answer

(Be careful. Back up your registry first.)

Related Solutions

Ssl – RC4 cipher not working on Windows 2008 R2 / IIS 7.5

Ssl – IBM Domino 8.5.3 and mitigating the BEAST attack on TLS (SSLTest)

Related Topic