Recommended Registry Settings for Disabling Weak Ciphers are not working?

  • Wednesday, October 28, 2009 6:00 PM  lca1630

    This issue is killing me, but for some reason, even though I've followed the MS KB articles and am sure that the reg keys are set correctly, I'm still failing PCI tests due to weak SSL 3.0 and TLS 1.0 ciphers (of course, SSL 2.0 and PCT 1.0 are disabled). Below are my registry settings; as you can see, they are set correctly. The server has been restarted. Has anyone come across an issue like this before?

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
    "Enabled"=dword:ffffffff

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:ffffffff

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
    "Enabled"=dword:ffffffff

All Replies

  • Thursday, October 29, 2009 6:53 AM  Joson Zhou (MSFT, Moderator)

    Hi,

    Thanks for your post.

    To disable SSLv3 weak encryption and enforce the use of SSLv3/TLS 128-bit encryption, please follow the steps below:

    1. To prohibit the use of the protocols other than SSL 3.0 or TLS 1.0, change the DWORD value data of the Enabled value to 0x0 in each of the following registry keys under the Protocols key:

    • SCHANNEL\Protocols\PCT 1.0\Client
    • SCHANNEL\Protocols\PCT 1.0\Server
    • SCHANNEL\Protocols\SSL 2.0\Client
    • SCHANNEL\Protocols\SSL 2.0\Server

    2. Enable only RC4 128/128 by setting its Enabled value to 0xffffffff.

    3. Disable ALL of the unwanted ciphers by changing the DWORD value data of the Enabled value to 0x0.

    NOTE: If you do not configure the Enabled value, the default is enabled.

    4. Enable SHA by setting the Enabled value to 0xffffffff in SCHANNEL\Hashes\SHA Subkey.

    5. Disable MD5 by setting the Enabled value to 0x0 in SCHANNEL\Hashes\MD5 Subkey.

    For more information, please refer to the following KB article:

    How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
    http://support.microsoft.com/kb/245030/

    After that, please run the PCI test again and check the result. If the issue continues, please export the output of the PCI test and the definition of the weaker cipher and paste here for further research.

    Thanks.

    Joson Zhou
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact tngfb@microsoft.com

    This posting is provided "AS IS" with no warranties, and confers no rights.
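The registry procedure above (protocol keys in step 1, cipher keys in steps 2 and 3, hash keys in steps 4 and 5) and the .reg export in the question both come down to the same thing: an "Enabled" DWORD under the right SCHANNEL sub-key. The script below is an added example, not code from the thread or from Microsoft. It audits the current state against a target list and, with -Apply, writes it. The target list is an assumption that simply mirrors the thread (SSL 2.0 and PCT 1.0 off, MD5 off, SHA on, the cipher states from the question's export, so RC4 128/128 and Triple DES stay enabled as they did in 2009); adapt it to your own policy. It deliberately uses the .NET registry API instead of the HKLM: provider, because the provider treats "/" in "RC4 128/128" as a path separator and silently creates a key SCHANNEL never reads, which is one concrete way "correct-looking" settings end up ignored. Run elevated, then reboot: SCHANNEL reads these keys at startup.

```powershell
# Added example (not from the original thread): audit (default) or apply
# (-Apply) the SCHANNEL "Enabled" DWORDs discussed above.
# Assumption: $desired mirrors the thread's target, not a current policy.
param([switch]$Apply)

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Sub-key (relative to SCHANNEL) => desired state.
# $true means Enabled=0xffffffff, $false means Enabled=0x0.
$desired = @{
    'Protocols\PCT 1.0\Client'   = $false
    'Protocols\PCT 1.0\Server'   = $false
    'Protocols\SSL 2.0\Client'   = $false
    'Protocols\SSL 2.0\Server'   = $false
    'Ciphers\NULL'               = $false
    'Ciphers\DES 56/56'          = $false
    'Ciphers\RC2 40/128'         = $false
    'Ciphers\RC2 56/128'         = $false
    'Ciphers\RC2 128/128'        = $true
    'Ciphers\RC4 40/128'         = $false
    'Ciphers\RC4 56/128'         = $false
    'Ciphers\RC4 128/128'        = $true
    'Ciphers\Triple DES 168/168' = $true
    'Hashes\MD5'                 = $false
    'Hashes\SHA'                 = $true
}

function Open-SchannelKey([string]$subKey, [bool]$writable) {
    # .NET registry API on purpose: the HKLM: provider treats '/' as a path
    # separator, so New-Item '...\Ciphers\RC4 128/128' creates key 'RC4 128'
    # with child '128', which SCHANNEL ignores. CreateSubKey keeps '/' literal.
    $root = [Microsoft.Win32.Registry]::LocalMachine
    if ($writable) { return $root.CreateSubKey("$schannelPath\$subKey") }
    return $root.OpenSubKey("$schannelPath\$subKey")
}

function Get-SchannelEnabled([string]$subKey) {
    # Raw Enabled DWORD as Int32 (0xffffffff reads back as -1), or $null when
    # the key or value is absent. Per the NOTE above, absent means enabled.
    $key = Open-SchannelKey $subKey $false
    if ($key -eq $null) { return $null }
    try { return $key.GetValue('Enabled', $null) } finally { $key.Close() }
}

function Set-SchannelEnabled([string]$subKey, [bool]$enabled) {
    # RegistryValueKind.DWord takes an Int32, so 0xffffffff is written as -1.
    if ($enabled) { $data = -1 } else { $data = 0 }
    $key = Open-SchannelKey $subKey $true
    try {
        $key.SetValue('Enabled', [int]$data, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

function Test-SchannelConfig {
    # Prints want/have per key and returns the sub-keys that drift from $desired.
    $drift = @()
    foreach ($subKey in ($desired.Keys | Sort-Object)) {
        $actual = Get-SchannelEnabled $subKey
        $isEnabled = ($actual -eq $null) -or ($actual -ne 0)
        if ($actual -eq $null) { $have = '<absent, defaults to enabled>' }
        else { $have = '0x{0:x8}' -f $actual }
        if ($desired[$subKey]) { $want = 'enabled' } else { $want = 'disabled' }
        $flag = ''
        if ($isEnabled -ne $desired[$subKey]) { $flag = '  <-- DRIFT'; $drift += $subKey }
        Write-Host ('{0,-30} want={1,-8} have={2}{3}' -f $subKey, $want, $have, $flag)
    }
    return ,$drift
}

function Find-MisplacedCipherKeys {
    # Keys under Ciphers without the 'name bits/bits' form (e.g. a stray
    # 'RC4 128') are the fingerprint of the '/' split described above.
    $key = Open-SchannelKey 'Ciphers' $false
    if ($key -eq $null) { return @() }
    try {
        return @($key.GetSubKeyNames() | Where-Object { $_ -notmatch '^(NULL|.+ \d+/\d+)$' })
    } finally { $key.Close() }
}

if ($Apply) {
    foreach ($subKey in $desired.Keys) { Set-SchannelEnabled $subKey $desired[$subKey] }
    Write-Host 'Settings written. Reboot before re-running the PCI scan.'
}
$drift = @(Test-SchannelConfig)
$odd = @(Find-MisplacedCipherKeys)
if ($odd.Count -gt 0) { Write-Host ('Suspicious Ciphers sub-keys (check for a split on "/"): ' + ($odd -join ', ')) }
if ($drift.Count -eq 0) { Write-Host 'Registry matches the target state.' }
```

Run it once without -Apply to see the drift report; a line marked DRIFT or a "Suspicious Ciphers sub-keys" warning explains a failing scan far faster than re-reading a .reg export. A clean report only proves the registry on this box; it says nothing about a device in front of it that terminates TLS itself.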
  • Thursday, November 05, 2009 7:13 AM  Joson Zhou (MSFT, Moderator)
    Hi,

    How are things going? We have not heard back from you in a few days and wanted to check on the status of the issue. If you need further assistance, please feel free to respond back.

    Thanks.

    Joson Zhou

    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Thursday, November 05, 2009 9:02 PM  lca1630
    Thanks Joson!

    Sorry I haven't replied, the reply notification never came. Maybe I forgot to check the box. Anyway, I have had the documented steps above configured for some time, but it has come to light that possibly our use of an ISA firewall may be causing the registry settings to be ignored. We are currently looking into the possible dangers of making these changes on the firewall that is responsible for publishing the site. We also encountered issues with disabling the MD5 hash in regard to our internal CRM/website integration. So in other words, we are still looking into how to get around the PCI failures without breaking the other things we have in place.

    Nik
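When a publishing firewall such as ISA Server terminates SSL/TLS, the scanner is negotiating with the firewall, and the web server's registry never enters the picture. The quickest way to see which box is answering is to handshake against the published name from outside and read back what was negotiated. The script below is an added example, not from the thread; it uses .NET's SslStream, which is itself an SCHANNEL client, so run it from a machine whose own SCHANNEL settings you have not restricted (otherwise you measure your client, not the endpoint). The host name and port are parameters you supply. One caveat: each handshake shows only the suite the endpoint picked from this client's offer, whereas a PCI scanner probes every suite individually, so a clean result here is necessary but not sufficient.

```powershell
# Added example (not from the original thread): report the protocol, cipher
# and hash actually negotiated by whatever terminates TLS at $HostName.
# Assumption: run from a client whose SCHANNEL settings are still default.
param(
    [Parameter(Mandatory = $true)][string]$HostName,
    [int]$Port = 443
)

function Test-TlsNegotiation([string]$HostName, [int]$Port,
                             [System.Security.Authentication.SslProtocols]$Protocol) {
    # One handshake per requested protocol version; returns the suite the
    # endpoint chose from this client's offer, or the reason it refused.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate: we are inspecting the suite, not the chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        $result = New-Object PSObject -Property @{
            Requested   = $Protocol
            Negotiated  = $ssl.SslProtocol
            Cipher      = '{0} {1}' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
            Hash        = '{0} {1}' -f $ssl.HashAlgorithm, $ssl.HashStrength
            KeyExchange = '{0} {1}' -f $ssl.KeyExchangeAlgorithm, $ssl.KeyExchangeStrength
            Error       = ''
        }
        $ssl.Close()
        return $result
    } catch {
        return New-Object PSObject -Property @{
            Requested = $Protocol; Negotiated = '(none)'; Cipher = ''; Hash = ''; KeyExchange = ''
            Error = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

# With the thread's target state in effect at the edge: SSL 2.0 must fail,
# SSL 3.0 and TLS 1.0 must come back with a 128-bit cipher and a SHA hash.
$results = @()
foreach ($v in 'Ssl2', 'Ssl3', 'Tls') {
    $results += Test-TlsNegotiation $HostName $Port ([System.Security.Authentication.SslProtocols]$v)
}
$results | Select-Object Requested, Negotiated, Cipher, Hash, KeyExchange, Error | Format-Table -AutoSize

# Flag the conditions a PCI scanner would report for the negotiated suite.
foreach ($r in $results) {
    if ($r.Requested -eq 'Ssl2' -and $r.Negotiated -ne '(none)') {
        Write-Warning "$HostName still accepts SSL 2.0"
    }
    if ($r.Hash -like 'Md5*') {
        Write-Warning "$HostName negotiated an MD5 hash on $($r.Requested)"
    }
    if ($r.Cipher -match ' (\d+)$' -and ([int]$matches[1]) -lt 128) {
        Write-Warning "$HostName negotiated a $($matches[1])-bit cipher on $($r.Requested)"
    }
}
```

Run it twice: once against the internal address of the web server and once against the published name. If the internal run reflects the registry changes and the external run does not, the publishing firewall is doing the TLS work, and that is where the cipher policy has to be set (with the same care about what its other published sites and the CRM integration still need).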
  • Friday, November 06, 2009 2:53 AM  Joson Zhou (MSFT, Moderator)
    Hi,

    Could you please export the output of the PCI test and the definition of the weaker cipher, and then paste here for further research?

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.