I have just used www.ssllabs.com and run a few tests; my server is capped to a B grade because it accepts RC4:
This server accepts the RC4 cipher, which is weak. Grade capped to B.
I've researched and found that to disable RC4 I need to add 3 keys and set their Enabled DWORD to 0 (Link and Link).
I have done this for RC4 40/128, RC4 56/128 and RC4 64/128.
I then restarted my server. When the server was up again, I verified that the registry changes were made, and they are: all 3 keys exist and all 3 have their Enabled value set to 0.
I return to ssllabs, clear the cache, re-run the test and it returns the same result (capped to B due to RC4 being enabled).
At this stage I'm not sure what this means: is SSL Labs showing incorrect results (I'm going to assume not), or have I actually disabled RC4?
How can I tell if I have successfully disabled RC4?
Edit
I also saw the KB about this, http://support.microsoft.com/kb/2868725?wa=wsignin1.0, so I'm trying that now… I've done the same registry changes but, when I try to download the 64-bit version for W2008 R2 Standard, it fails to install with the error message:
The update is not applicable to your computer
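As an added example (not code from the original post), the registry procedure the question describes, scripted so that the keys are created and then read back for verification. It covers the three keys the question lists and additionally 'RC4 128/128', which is the Schannel Ciphers subkey for the 128-bit RC4 suites (the ones a TLS client normally offers); key names and paths are the documented Schannel locations, the function names are the example's own. Run it in an elevated PowerShell session on the server and reboot afterwards, since Schannel reads these keys at boot.

```powershell
# Added example, not code from the original post: disable the Schannel RC4 ciphers and
# read the settings back. Run elevated and reboot afterwards.
# 'RC4 128/128' is included alongside the three keys the question lists; it is the
# subkey that governs the 128-bit RC4 suites a TLS client normally offers.
$base    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$ciphers = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'

function Disable-Rc4Ciphers {
    # The .NET registry API is used instead of the HKLM: provider on purpose: PowerShell's
    # registry provider treats '/' as a path separator, so New-Item 'HKLM:\...\RC4 128/128'
    # would create a key named 'RC4 128' with a child '128' instead of the real key.
    $root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($base)   # opens it if it already exists
    foreach ($name in $ciphers) {
        $key = $root.CreateSubKey($name)                                   # opens or creates
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    $root.Close()
}

function Test-Rc4Disabled {
    # Returns $true only if every RC4 subkey exists and carries Enabled = 0 (REG_DWORD).
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base)
    if ($null -eq $root) { Write-Warning "Ciphers key missing"; return $false }
    $ok = $true
    foreach ($name in $ciphers) {
        $key = $root.OpenSubKey($name)
        if ($null -eq $key) { Write-Warning "${name}: key missing"; $ok = $false; continue }
        $value = $key.GetValue('Enabled')
        if ($null -eq $value -or $value -ne 0) { Write-Warning "${name}: Enabled = $value"; $ok = $false }
        $key.Close()
    }
    $root.Close()
    return $ok
}

Disable-Rc4Ciphers
Test-Rc4Disabled        # $true once all four keys are present with Enabled = 0
```

A $true from Test-Rc4Disabled only confirms the registry state; the server must still be restarted before an external scan such as SSL Labs will see the change.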
Best Answer
There is a tool to check the cipher order in a GUI. It works for me every time. (Try it on a test machine if you don't trust the exe.)
Microsoft released a security advisory about RC4 where they explain how to disable RC4 on the client and server side. Now it's best practice to disable RC4.
Don't forget to do the Windows Update in the security advisory, because there is a Schannel update to apply before updating the cipher order. When the update is done, you can use the tool (IIS Crypto), the Microsoft advisory patch, or update the Windows registry yourself:
(Be careful. Back up your registry first.)
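The question asks how to tell whether RC4 is really disabled, and the answer points at a GUI tool for reading the configured cipher order. The check SSL Labs actually performs is a network one: it offers the server RC4 suites and sees whether the server negotiates one. As an added example (not code from the original post, the answer, or IIS Crypto), here is a minimal PowerShell probe that does the same from any machine that can reach the server: it sends a TLS 1.0 ClientHello listing only RC4 cipher suites and inspects the first record that comes back. The host name is a placeholder, the function names are the example's own, and the suite table is the set of RC4 suites Schannel can negotiate; no SNI extension is sent, which is fine for a single-site IIS host.

```powershell
# Added example, not code from the original post or the accepted answer: a minimal TLS probe
# that offers a server only RC4 cipher suites and reports whether the server picks one of them.
# This is the property SSL Labs reports as "This server accepts the RC4 cipher".
$Rc4Suites = @{
    0x0004 = 'TLS_RSA_WITH_RC4_128_MD5'
    0x0005 = 'TLS_RSA_WITH_RC4_128_SHA'
    0xC007 = 'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA'
    0xC011 = 'TLS_ECDHE_RSA_WITH_RC4_128_SHA'
}

function Split-Uint16 {
    # Big-endian two-byte encoding, as TLS length fields and suite ids use.
    param([int]$n)
    [byte][math]::Floor($n / 256); [byte]($n % 256)
}

function New-Rc4ClientHello {
    # TLS 1.0 record (0x16 03 01) carrying a ClientHello (type 1) with only RC4 suites, no extensions.
    $suites = @(); foreach ($id in $Rc4Suites.Keys) { $suites += Split-Uint16 $id }
    $random = New-Object byte[] 32
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($random)
    $body = @([byte]3, [byte]1) + $random + @([byte]0) +        # client version, random, empty session id
            (Split-Uint16 $suites.Count) + $suites +              # cipher_suites vector
            @([byte]1, [byte]0)                                   # one compression method: null
    $hs   = @([byte]1, [byte]0) + (Split-Uint16 $body.Count) + $body   # handshake type + 3-byte length
    return [byte[]](@([byte]0x16, [byte]3, [byte]1) + (Split-Uint16 $hs.Count) + $hs)
}

function Read-Exact {
    # Reads exactly $Count bytes, or returns $null if the peer closes the connection first.
    param([System.IO.Stream]$Stream, [int]$Count)
    $buf = New-Object byte[] $Count
    $got = 0
    while ($got -lt $Count) {
        $n = $Stream.Read($buf, $got, $Count - $got)
        if ($n -le 0) { return $null }
        $got += $n
    }
    return ,$buf
}

function Get-NegotiatedSuite {
    # Parses the server's first record. Returns the cipher suite id from a ServerHello,
    # or $null if the server answered with an Alert (handshake_failure: no acceptable suite).
    param([byte[]]$Record)
    if ($Record[0] -eq 0x15) { return $null }
    if ($Record[0] -ne 0x16 -or $Record[5] -ne 0x02) {
        throw ("unexpected record: content type 0x{0:X2}" -f $Record[0])
    }
    # Offsets: record header 5 bytes, handshake header 4, then version(2) random(32) session_id_len(1).
    $sidLen = [int]$Record[43]
    $i = 44 + $sidLen
    return [int]$Record[$i] * 256 + [int]$Record[$i + 1]
}

function Test-Rc4Accepted {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $stream = $client.GetStream()
        [byte[]]$hello = New-Rc4ClientHello
        $stream.Write($hello, 0, $hello.Length)
        $hdr = Read-Exact $stream 5
        if ($null -eq $hdr) { return $false }                 # closed without answering: RC4 refused
        $len  = [int]$hdr[3] * 256 + [int]$hdr[4]
        $body = Read-Exact $stream $len
        if ($null -eq $body) { return $false }
        $suite = Get-NegotiatedSuite ([byte[]]($hdr + $body))
        if ($null -eq $suite) { return $false }
        Write-Host ("server negotiated {0} (0x{1:X4})" -f $Rc4Suites[$suite], $suite)
        return $true
    } finally { $client.Close() }
}

# Test-Rc4Accepted -HostName 'www.example.com'    # placeholder host; $true means RC4 is still accepted
```

Run it against the server before and after the reboot: $false (an Alert or a dropped connection in reply to an RC4-only ClientHello) is what you want to see, and it is the same outcome that lifts the SSL Labs cap. A $true with the suite name tells you which RC4 suite the server still picks, which points at the Ciphers subkey that is still missing or still enabled.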