Microsoft
      Back to home
      1. Knowledge Base
      2. Common Issues and Fixes
      3. Microsoft

      Disabling Weak Cipher Suites

      SSL Medium Strength Cipher Suites Supported (SWEET32)

      Based on this article from Microsoft, below are some scripts to disable old Cipher Suites within Windows that are often found to generate risks during vulnerability scans, especially the SWEET32 vulnerability. (See Sweet32 Information)

      2024 Update: Microsoft Windows TLS Changes  &  Microsoft Transport Layer Security (TLS) 

      The remote host supports the use of SSL ciphers that offer medium-strength encryption. Generally, we regard medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.

      It is considerably easier to circumvent medium-strength encryption if the attacker is on the same physical network.

      You can utilise IISCrypto by Nartac as a quick solution for Microsoft Windows: Download Here however, this is used at your own risk, as is any information provided here.

      Disable DES/3DES

      Registry Key Commands

      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /f /v Enabled /t Reg_DWORD /d 0
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f /v Enabled /t Reg_DWORD /d 0

      PowerShell Script

      cls
      $reg = Get-Item HKLM:
      $key = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
      $RegistryKey = "Enabled"
      $KeyValue = "0"
      #KEY1
      $subkey = ("Triple DES 168")
      $RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168'
      $key = $reg.OpenSubKey($key,$true)
      $key.CreateSubKey($subkey)
      if ((Test-Path -Path $RegistryPath)) 
      {
      (New-ItemProperty -Path $RegistryPath -Name $RegistryKey -Value $KeyValue -PropertyType DWORD -Force)
      }
      #KEY2
      $reg = Get-Item HKLM:
      $key = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
      $subkey = ("DES 56/56")
      $RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56'
      $key = $reg.OpenSubKey($key,$true)
      $key.CreateSubKey($subkey)
      if ((Test-Path -Path $RegistryPath)) 
      {
      (New-ItemProperty -Path $RegistryPath -Name $RegistryKey -Value $KeyValue -PropertyType DWORD -Force)
      }

      Disable RC4

      Registry Commands

      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /f /v Enabled /t Reg_DWORD /d 0
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /f /v Enabled /t Reg_DWORD /d 0
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /f /v Enabled /t Reg_DWORD /d 0
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /f /v Enabled /t Reg_DWORD /d 0

      Powershell Script

      cls
      $reg = Get-Item HKLM:
      $key = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
      $RegistryKey = "Enabled"
      $KeyValue = "0"
      #KEY1
      $subkey = ("RC4 40/128")
      $RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128'
      $key = $reg.OpenSubKey($key,$true)
      $key.CreateSubKey($subkey)
      if ((Test-Path -Path $RegistryPath)) 
      {
      (New-ItemProperty -Path $RegistryPath -Name $RegistryKey -Value $KeyValue -PropertyType DWORD -Force)
      }
      #KEY2
      $reg = Get-Item HKLM:
      $key = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
      $subkey = ("RC4 56/128")
      $RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128'
      $key = $reg.OpenSubKey($key,$true)
      $key.CreateSubKey($subkey)
      if ((Test-Path -Path $RegistryPath)) 
      {
      (New-ItemProperty -Path $RegistryPath -Name $RegistryKey -Value $KeyValue -PropertyType DWORD -Force)
      }
      #KEY3
      $reg = Get-Item HKLM:
      $key = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
      $subkey = ("RC4 64/128")
      $RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128'
      $key = $reg.OpenSubKey($key,$true)
      $key.CreateSubKey($subkey)
      if ((Test-Path -Path $RegistryPath)) 
      {
      (New-ItemProperty -Path $RegistryPath -Name $RegistryKey -Value $KeyValue -PropertyType DWORD -Force)
      }
      #KEY4
      $reg = Get-Item HKLM:
      $key = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
      $subkey = ("RC4 128/128")
      $RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128'
      $key = $reg.OpenSubKey($key,$true)
      $key.CreateSubKey($subkey)
      if ((Test-Path -Path $RegistryPath)) 
      {
      (New-ItemProperty -Path $RegistryPath -Name $RegistryKey -Value $KeyValue -PropertyType DWORD -Force)
      }

      See also Disabling TLS 1.0

      You should test any changes before rolling these out across the enterprise. Legacy applications (which of course you are no longer using) may be affected by these changes.