How to disable RC4 Ciphers in TLS?


  1. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
       #1

    How to disable RC4 Ciphers in TLS?


    I'm not sure if this is the correct section for this question but anyway....

    Having read this article:

    Microsoft Giving .NET Users The Option to Shed RC4

    Then this one:

    Security Advisory 2868725: Recommendation to disable RC4

    It leaves me slightly confused on how to disable RC4 on a home based Windows 7 machine.

    I see the following advice:

    How to Completely Disable RC4
    Clients and Servers that do not wish to use RC4 ciphersuites, regardless of the other party's supported ciphers, can disable the use of RC4 cipher suites completely by setting the following registry keys. In this manner any server or client that is talking to a client or server that must use RC4, can prevent a connection from happening. Clients that deploy this setting will not be able to connect to sites that require RC4 while servers that deploy this setting will not be able to service clients that must use RC4.

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
      • "Enabled"=dword:00000000



    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
      • "Enabled"=dword:00000000



    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
      • "Enabled"=dword:00000000




    That seems to conflict with the advice in this article:


    https://support.microsoft.com/kb/245030



    Notes

    • The Ciphers key should contain no values or subkeys

    (Or are they saying that by default the Ciphers should be empty) and that modifying this key will provide the fix?


    If anyone has made the modifications and can provide a registry key to import please post!


    Is it a good enough fix to ignore all of the above and just make the following browser settings changes?

    [Image: about_config-cyberfox.jpg]
    Last edited by Callender; 15 May 2014 at 14:04. Reason: Add image
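An added example, not part of the original posts or of the scripts attached later in the thread: a PowerShell sketch that backs up the SCHANNEL key and then writes the three `"Enabled"=dword:00000000` values quoted in post #1. It goes through the .NET registry API because the subkey names contain `/`, which the PowerShell registry provider treats as a path separator (`New-Item` would create `RC4 128` with a child key `128`); the backup file location is an assumption.

```powershell
# Added example: apply the three RC4 values quoted in post #1, after a backup.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$rc4Keys  = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'

# Backup location is an assumption; any writable folder will do.
$backup = Join-Path $env:USERPROFILE ('schannel-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export "HKLM\$schannel" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of HKLM\$schannel failed; nothing was changed." }

$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($name in $rc4Keys) {
    # CreateSubKey only splits on '\', so 'RC4 128/128' stays a single key name.
    $key = $hklm.CreateSubKey("$schannel\Ciphers\$name")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

# Read the values back so a mis-created key shows up immediately.
$report = foreach ($name in $rc4Keys) {
    $key = $hklm.OpenSubKey("$schannel\Ciphers\$name")
    if ($null -eq $key) {
        New-Object PSObject -Property @{ Cipher = $name; Enabled = 'key missing' }
    } else {
        New-Object PSObject -Property @{ Cipher = $name; Enabled = $key.GetValue('Enabled') }
        $key.Close()
    }
}
$report | Format-Table Cipher, Enabled -AutoSize

if ($report | Where-Object { $_.Enabled -ne 0 }) {
    throw "At least one RC4 key is not disabled. Backup is at $backup"
}
"RC4 keys set to Enabled=0. Backup written to $backup"
```

To undo the change, import the backup with `reg.exe import` and the path the script printed.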


  2. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #2

    Solved - disable weak cyphers


    Solved the problem myself. Here's how:

    Important: Backup the following registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    Save the attached file as a PowerShell script (with the .ps1 extension) and run it.

    DisableWeakCiphers.txt

    Results:

    [Image: schannel.jpg]

    Weak cyphers are now disabled

    Strong cyphers are enabled

    Protocols:

    [Image: protocols.jpg]
    Last edited by Callender; 15 May 2014 at 19:58. Reason: Add image


  3. Posts : 529
    windows 8.1 Pro x64
       #3

    Nice last post, assuming it affects IE.

    I suggest you disable all rc4 tho and now (especially with poodle) also sslv3.

    so here is my altered file.
    [Attached files]


  4. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #4

    Disable RC4 and SSLv3


    chrysalis said:
    Nice last post, assuming it affects IE.

    I suggest you disable all rc4 tho and now (especially with poodle) also sslv3.

    so here is my altered file.

    Well I was just looking into a script to disable SSLv3 this week and didn't know about the advice to disable RC4 so thank you very much indeed! I have made use of your script. (Disable RC4 is what the original post was about)

    As far as I know it takes care of Windows and in theory browsers including IE but it wouldn't hurt to open IE settings and set it to disabled there - just to be on the safe side.

    Here's a few testers anyway:

    SSL/ TLS Tests

    Just use the two SSL/ TLS tester links.

    Edit: I'd sorted out the Poodle vulnerability this week but great suggestion anyway!
    Last edited by Callender; 17 Oct 2014 at 16:58. Reason: add info


  5. Posts : 529
    windows 8.1 Pro x64
       #5

    I sadly found out rc4 is needed for youtube, google only supports 2 ciphers on googlevideos, rc4 and a new gcm cipher which isn't in any major browsers yet, at least it's not in IE and firefox, might be in chrome.

    But more bad news is these registry tweaks seem to do absolutely nothing in IE11, e.g. I disabled the AES ciphers, ran ssllabs browser test and it reports AES in use, although it's possible that test just assumes it's available due to browser version as it does run very fast but youtube should have been broken when I disabled RC4 and was not. I may do more tests later using one of my websites. Not confirmed in outlook yet if it affects ciphers in use.

    https://news.ycombinator.com/item?id=7977167

    Of course it is at least trivial to disable sslv3 in the IE options pages. But for other Microsoft applications it's not so easy.


  6. Posts : 4,776
    Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
    Thread Starter
       #6

    Insecure Cipher Suites


    My knowledge on this is pretty sketchy - hence the original question.

    This is interesting: Disabling the RC4 Cipher | Windows content from Windows IT Pro

    Tested secure connection to Youtube with the following registry settings applied:

    DisableWeakCiphers.txt

    SSL Cipher tweak RC4 removed.txt

    SSL Cipher Preferred Order.txt

    Disabled RC4 in browser:

    [Image: rc4-disabled-cyberfox.jpg]

    Can still get a secure connection to Youtube:

    [Image: page-info-youtube.jpg]

    I suspect that registry settings take care of weak cyphers in windows but browsers need tweaking separately. Of course that could be entirely wrong!


 
