System Hardening | Windows

Disabling Weaker Ciphers (RC4 & CBC) and Diffie-Hellman

Hello everyone! This post is a follow-up to the last one, disabling SSLv3 and TLS 1.0, which can be found here.

In this post we are going to cover disabling weaker ciphers (RC4 and the 3DES CBC suites), as well as the finite-field Diffie-Hellman (DHE) key exchange.

They say a picture paints a thousand words. If that is true, then a video paints a thousand pictures! You can find my walkthrough video for this post here.

Disabling Weak Ciphers

Support for RC4 and CBC ciphers identified

In the image above, sslscan has identified that the Windows Server supports weaker ciphers: in this case both RC4 and CBC (3DES) cipher suites. It's time to remove that support. Open Registry Editor and navigate to the SCHANNEL key, which lives at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL:


Under SCHANNEL, open 'Ciphers' and create two new keys: one named 'RC4 128/128' (the forward slash is part of the key name and Registry Editor accepts it), the second named 'Triple DES 168', as pictured below:

RC4 & Triple DES keys

Right-click the RC4 128/128 key and choose New > DWORD (32-bit) Value. Name the new DWORD 'Enabled' and leave the value set to zero (as pictured above). A value of zero disables the cipher; if the key or value is absent, SCHANNEL falls back to its built-in default, which is enabled.

Repeat the same process for the Triple DES 168 key: create a new DWORD named 'Enabled', again keeping the value at zero.

Two caveats before moving on. First, 'RC4 128/128' only covers the 128-bit RC4 suites; SCHANNEL also has 'RC4 40/128', 'RC4 56/128' and 'RC4 64/128' keys, and if the scan shows any of those suites you need an 'Enabled' = 0 DWORD under each of them too. Second, 'Triple DES 168' removes the 3DES CBC suites but not the AES CBC suites, and those cannot be turned off through the Ciphers key without losing AES-GCM as well, because the 'AES 128/128' and 'AES 256/256' keys govern AES in every mode. If you need to drop AES-CBC while keeping AES-GCM, do it through the cipher suite list instead (the SSL Cipher Suite Order Group Policy setting, or Disable-TlsCipherSuite in PowerShell).

Now restart the server to apply the changes; SCHANNEL only picks up these keys after a reboot. After the restart, a fresh sslscan should look like this:

RC4 and CBC ciphers now removed

Removing Diffie-Hellman

Now all that is left is to remove support for the finite-field Diffie-Hellman (DHE) key exchange, i.e. the TLS_DHE_* cipher suites. Elliptic-curve ECDHE is controlled by a separate 'ECDH' key under KeyExchangeAlgorithms and should be left enabled; otherwise the only key exchange left is plain RSA, which has no forward secrecy.

Back under SCHANNEL, locate the key titled 'KeyExchangeAlgorithms'. Right-click it, add a new key and call it 'Diffie-Hellman'.

Now right-click Diffie-Hellman, create a new DWORD (32-bit) Value and name it 'Enabled'. Keep the default value of zero, as pictured below.

Adding Diffie-Hellman key to the KeyExchangeAlgorithms

Restart the server to apply the changes.
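The same changes, scripted. This is an added example and not part of the original post: it creates the Ciphers and KeyExchangeAlgorithms entries described above, then reads them back so you can audit the result before rebooting. It assumes the standard SCHANNEL registry location and an elevated PowerShell session; the function names are mine. The .NET registry API is used instead of New-Item because the PowerShell registry provider treats '/' as a path separator, which gets in the way of key names such as 'RC4 128/128'.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Disables RC4, 3DES and
# finite-field DHE in SCHANNEL by writing Enabled = 0 under the relevant
# keys, then reads the values back. A reboot is still needed afterwards.

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Creates SCHANNEL\<Parent>\<Name> if it does not exist and sets Enabled = 0.
# Uses [Microsoft.Win32.Registry] rather than New-Item so that key names
# containing '/' (e.g. 'RC4 128/128') are created verbatim.
function Disable-SchannelItem {
    param(
        [Parameter(Mandatory)][string]$Parent,   # 'Ciphers' or 'KeyExchangeAlgorithms'
        [Parameter(Mandatory)][string]$Name      # e.g. 'Triple DES 168'
    )
    $base = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$Parent")
    $key  = $base.CreateSubKey($Name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $base.Close()
    Write-Host "Disabled $Parent\$Name"
}

# Returns the Enabled value for a key, or $null when the key or value is
# absent (SCHANNEL then uses its built-in default, which is enabled).
function Get-SchannelEnabled {
    param([string]$Parent, [string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\$Parent\$Name")
    if ($null -eq $key) { return $null }
    $value = $key.GetValue('Enabled'); $key.Close()
    return $value
}

# Ciphers: every RC4 key size (the post only names the 128-bit one) plus 3DES.
# 'AES 128/128' and 'AES 256/256' are deliberately left alone: those keys
# control AES in every mode, so disabling them would also remove AES-GCM.
$ciphers = 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'Triple DES 168'
foreach ($c in $ciphers) { Disable-SchannelItem -Parent 'Ciphers' -Name $c }

# Key exchange: finite-field DHE only. ECDH is a separate key and must stay
# enabled, otherwise only RSA key exchange (no forward secrecy) remains.
Disable-SchannelItem -Parent 'KeyExchangeAlgorithms' -Name 'Diffie-Hellman'

# Read-back audit before the reboot.
foreach ($c in $ciphers) {
    '{0,-16} Enabled = {1}' -f $c, (Get-SchannelEnabled 'Ciphers' $c)
}
'{0,-16} Enabled = {1}' -f 'Diffie-Hellman', (Get-SchannelEnabled 'KeyExchangeAlgorithms' 'Diffie-Hellman')

if ((Get-SchannelEnabled 'KeyExchangeAlgorithms' 'ECDH') -eq 0) {
    Write-Warning 'ECDH is disabled: remaining cipher suites would have no forward secrecy.'
}

Write-Host 'Reboot for SCHANNEL to pick up the change, then re-run sslscan.'
```

To roll a change back, set the same 'Enabled' value to 0xffffffff (or delete the key) and reboot again; the read-back loop at the end is a cheap way to confirm the registry state matches what the next sslscan shows.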

One final sslscan will now reveal a nice tidy output. The server no longer offers the old protocols from the previous post, RC4 or 3DES, or the DHE key exchange. Job done!

Nice tidy output 🙂