Hello everyone! This post is a follow-up to the last one, disabling SSLv3 and TLS v1.0, which can be found here.
In this post we are going to cover disabling weaker ciphers (RC4 & CBC), as well as weaker key exchange algorithms (Diffie-Hellman).
They say a picture paints a thousand words. If that is true, then a video paints a thousand pictures! You can find my walk through video to this post here.
Disabling Weak Ciphers
In the image above, sslscan has identified that the Windows Server supports weaker ciphers. In this case, it’s both RC4 and CBC ciphers. It’s time to remove that support. Open Registry Editor and find the following key:
Under SCHANNEL, find ‘Ciphers’ and create two new keys: one named ‘RC4 128/128’, the second named ‘Triple DES 168’, as pictured below:
Right click on the RC4 key, and choose New > DWORD (32-bit). Name the new DWORD ‘Enabled’ and leave the default value set to zero (as pictured above).
Repeat the same process for the Triple DES 168 key. Create a new DWORD and name it ‘Enabled’. Again, keeping the default value set to zero.
Now restart your server to implement the changes. Upon restart, your new sslscan should look like this:
Now all that is left is to remove support for the weaker key exchange algorithm, Diffie-Hellman (DHE).
Locate the key titled ‘KeyExchangeAlgorithms’. Right click, add a new key and call it ‘Diffie-Hellman’.
Now right click on Diffie-Hellman, create new DWORD and name it ‘Enabled’. Keep the default value of zero, as pictured below.
Restart the server to implement the changes.
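If you would rather script the steps above than click through Registry Editor, here is an added example (my own, not part of the original post) that creates the same three keys with Enabled = 0 and then reads them back so you can confirm the state before rebooting. It uses the .NET registry classes rather than New-Item because the PowerShell registry provider treats the ‘/’ in ‘RC4 128/128’ as a path separator; the SCHANNEL path and key names are the standard ones, and the function names are my own.

```powershell
# Added example: apply and verify the SCHANNEL changes from this post.
# Run from an elevated (Administrator) PowerShell session, then reboot:
# SCHANNEL reads these keys at boot, so the change is not live until restart.

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys to create under SCHANNEL, each with a DWORD 'Enabled' = 0.
#   RC4 128/128    -> removes the RC4 cipher suites
#   Triple DES 168 -> removes the 3DES (CBC) cipher suites
#   Diffie-Hellman -> removes finite-field DHE key exchange (ECDHE is unaffected)
$Targets = @(
    @{ Parent = 'Ciphers';               Name = 'RC4 128/128'    }
    @{ Parent = 'Ciphers';               Name = 'Triple DES 168' }
    @{ Parent = 'KeyExchangeAlgorithms'; Name = 'Diffie-Hellman' }
)

function Open-Hklm64 {
    # Always target the 64-bit view so a 32-bit host does not land in WOW6432Node.
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Disable-SchannelAlgorithm {
    param([string]$Parent, [string]$Name)
    $hklm = Open-Hklm64
    # CreateSubKey is idempotent: it opens the key if it already exists.
    $key = $hklm.CreateSubKey("$SchannelPath\$Parent\$Name", $true)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $hklm.Close()
}

function Get-SchannelAlgorithmState {
    # Returns one row per target: 'Enabled' value, or 'not set' if the key/value is absent.
    $hklm = Open-Hklm64
    foreach ($t in $Targets) {
        $key = $hklm.OpenSubKey("$SchannelPath\$($t.Parent)\$($t.Name)")
        $value = if ($key) { $key.GetValue('Enabled', 'not set') } else { 'not set' }
        if ($key) { $key.Close() }
        [pscustomobject]@{ Parent = $t.Parent; Name = $t.Name; Enabled = $value }
    }
    $hklm.Close()
}

foreach ($t in $Targets) { Disable-SchannelAlgorithm @t }
Get-SchannelAlgorithmState | Format-Table -AutoSize
```

Every row should show Enabled = 0 before you restart; a value of 4294967295 (0xffffffff) or a missing key means that algorithm is still on.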
One final sslscan will now reveal a nice tidy output. The server no longer supports weaker encryption methods, weaker ciphers or key exchange algorithms. Job done!