How to Disable RC4 in Windows 2012 R2

  • Question

  • 333

    313  38601 SSL/TLS use of weak RC4 cipher -- not sure how to FIX the problem.  It doesn't seem like a MS patch will solve this.

    • Windows 2012 R2 – Reg settings applied (for a Windows 2008 R2 system)  and this problem is no longer seen by the GVM scanner – BUT, THESE REGISTRY SETTINGS DO NOT APPLY TO WINDOWS 2012 R2. 

    Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?  
    No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

    https://technet.microsoft.com/en-us/library/security/2868725.aspx

    So, how do you disable RC4 on Windows 2012 R2?????  Anyone know?

    Friday, July 24, 2015 1:47 PM

Answers

  • Hi,

    Please create below RC4 folders in the registry path shown below. Set Enabled = 0.

    -Umesh.S.K

    • Edited by Umesh S K Saturday, July 25, 2015 1:10 PM
    • Proposed as answer by Steven_Lee0510 Monday, July 27, 2015 7:24 AM
    • Marked as answer by y2kBug_sp7 Monday, July 27, 2015 12:17 PM
    Saturday, July 25, 2015 1:07 PM
  • 333

    313  38601 SSL/TLS use of weak RC4 cipher -- not sure how to FIX the problem.  It doesn't seem like a MS patch will solve this.

    • Windows 2012 R2 – Reg settings applied (for a Windows 2008 R2 system)  and this problem is no longer seen by the GVM scanner – BUT, THESE REGISTRY SETTINGS DO NOT APPLY TO WINDOWS 2012 R2. 

    Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?  
    No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

    https://technet.microsoft.com/en-us/library/security/2868725.aspx

    So, how do you disable RC4 on Windows 2012 R2?????  Anyone know?

    For security-specific questions like this, I recommend the dedicated security forum:
    https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity

    This topic (Disabling RC4) is discussed several times there.

    Also, note that Advisory 2868725 and KB 2868725 both explain that the ability to restrict/disable RC4, is different from actively/actually restricting/disabling RC4. More information here: https://support.microsoft.com/en-au/kb/245030

    First, apply the update if you have an older OS (WS2012R2 already includes the ability).
    Second, apply the relevant registry keys, to all OS versions, to actively/actually disable RC4.
    If you only apply the update (to an older OS), or, you already have WS2012R2, this does not disable RC4 - you must have both the necessary binary files *AND* also set the registry keys.

    So, to answer your question: "how do you disable RC4 on Windows 2012 R2?" - the answer is: set the relevant registry keys.


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Sunday, July 26, 2015 12:28 AM
    • Proposed as answer by Steven_Lee0510 Monday, July 27, 2015 7:25 AM
    • Marked as answer by y2kBug_sp7 Monday, July 27, 2015 12:16 PM
    Sunday, July 26, 2015 12:27 AM
  • Hi,

    Please follow the link below to restrict the RC4 ciphers:

    https://support.microsoft.com/en-us/kb/245030

    I tested it in my Windows Server 2012R2, it works for me.

    Best Regards.


    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by y2kBug_sp7 Monday, July 27, 2015 12:16 PM
    Monday, July 27, 2015 7:44 AM

All replies

  • Can you try using IISCrypto tool?

    https://www.nartac.com/Products/IISCrypto/

    -Umesh.S.K

    Friday, July 24, 2015 2:18 PM
  • Thank you for the response. However, I cannot install third-party tools in my OS build environment. At work, we are very careful about introducing internet tools on our network.

    Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?  
    No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

    If these operating systems already include the functionality to restrict the use of RC4, how do you do it??

    Should I apply https://support.microsoft.com/en-us/kb/2868725 these registry settings for Windows 2008 R2?  If so, why does MS have this above note?  That the OS already includes the functionality to restrict RC4?

    Clients and servers that do not want to use RC4 regardless of the other party’s supported ciphers can disable RC4 cipher suites completely by setting the following registry keys. In this manner, any server or client that is talking to a client or server that must use RC4 can prevent a connection from occurring. Clients that deploy this setting will be unable to connect to sites that require RC4, and servers that deploy this setting will be unable to service clients that must use RC4. 
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
      "Enabled"=dword:00000000

    Friday, July 24, 2015 2:36 PM
  • This is the same as what the article tells you to do... for all OSes but Windows 2012 R2 and Windows 8.1

    These OSes have this note in the TechNet article:

    Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?  
    No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

    • Marked as answer by y2kBug_sp7 Monday, July 27, 2015 12:16 PM
    • Unmarked as answer by y2kBug_sp7 Monday, July 27, 2015 12:16 PM
    Monday, July 27, 2015 12:08 PM
  • OK thanks everyone...

    so, it seems...

    1) for Windows 2012 R2  - ignore patch https://technet.microsoft.com/en-us/library/security/2868725.aspx

    Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?           
    No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

    2) apply these registry values:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
      "Enabled"=dword:00000000

    ------

    This will disable RC4 on Windows 2012 R2.

    Monday, July 27, 2015 12:19 PM
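
Added example, not part of the original thread or of any Microsoft article: a PowerShell sketch that audits and, on request, writes the three SCHANNEL values listed in the post above. The function names `Get-Rc4State` and `Disable-Rc4` are this example's own; it assumes an elevated prompt on the server being checked.

```powershell
# Registry location and key names exactly as given in the thread.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys     = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'

function Get-Rc4State {
    # Use the .NET registry API: the PowerShell registry provider treats "/"
    # as a path separator, so it would look for "RC4 128" with a subkey "128".
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($name in $rc4Keys) {
        $key   = $hklm.OpenSubKey("$ciphersPath\$name")   # read-only; $null if absent
        $value = if ($key) { $key.GetValue('Enabled') } else { $null }
        if ($key) { $key.Close() }
        [pscustomobject]@{
            Cipher    = $name
            KeyExists = [bool]$key
            Enabled   = $value                             # $null = value not set
            Disabled  = ($null -ne $value -and $value -eq 0)
        }
    }
}

function Disable-Rc4 {
    # Creates each key if it is missing and sets Enabled (REG_DWORD) to 0.
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine
    $ciphers = $hklm.CreateSubKey($ciphersPath)            # opens writable
    foreach ($name in $rc4Keys) {
        $key = $ciphers.CreateSubKey($name)                # "/" is kept literally
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    $ciphers.Close()
}

# Audit first; a row with Disabled = False means RC4 is not yet turned off
# by these keys, even on an OS that already "includes the functionality".
Get-Rc4State | Format-Table -AutoSize

# Disable-Rc4                                # uncomment to write the values
# Get-Rc4State | Format-Table -AutoSize      # then confirm all rows show Disabled = True
```

Running the audit before and after the change gives a record that can be set against the scanner finding when it is re-tested.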
  • OK thanks everyone...

    so, it seems...

    1) for Windows 2012 R2  - ignore patch https://technet.microsoft.com/en-us/library/security/2868725.aspx

    Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?           
    No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

    2) apply these registry values:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
      "Enabled"=dword:00000000

    ------

    This will disable RC4 on Windows 2012 R2.


    Yes, that's what we've been saying:
    - the update itself does not apply to WS2012R2
    - the registry settings detailed in the KB article do apply to WS2012R2

    Don

    Monday, July 27, 2015 9:14 PM
  • Thank you... yes, I get it now. 
    Tuesday, July 28, 2015 12:25 PM
  • I have Windows7 operating system. The computer was bought in 2010. Would this cause a problem or issue?

    Wednesday, February 6, 2019 1:56 PM
  • I have Windows7 operating system. The computer was bought in 2010. Would this cause a problem or issue?

    Windows7 should be compatible with hardware manufactured in 2010.

    Or do I misunderstand your question?


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, February 7, 2019 7:02 AM