Windows 7 Forums



Windows 7: How to disable RC4 Ciphers in TLS?

15 May 2014   #1
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
How to disable RC4 Ciphers in TLS?

I'm not sure if this is the correct section for this question but anyway....

Having read this article:

Microsoft Giving .NET Users The Option to Shed RC4

Then this one:

Security Advisory 2868725: Recommendation to disable RC4

It leaves me slightly confused on how to disable RC4 on a home based Windows 7 machine.

I see the following advice:

How to Completely Disable RC4
Clients and Servers that do not wish to use RC4 ciphersuites, regardless of the other party's supported ciphers, can disable the use of RC4 cipher suites completely by setting the following registry keys. In this manner any server or client that is talking to a client or server that must use RC4, can prevent a connection from happening. Clients that deploy this setting will not be able to connect to sites that require RC4 while servers that deploy this setting will not be able to service clients that must use RC4.
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    • "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    • "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    • "Enabled"=dword:00000000


That seems to conflict with the advice in this article:


https://support.microsoft.com/kb/245030



Notes
  • The Ciphers key should contain no values or subkeys
(Or are they saying that by default the Ciphers should be empty) and that modifying this key will provide the fix?


If anyone has made the modifications and can provide a registry key to import please post!


Is it a good enough fix to ignore all of the above and just make the following browser settings changes?

How to disable RC4 Ciphers in TLS?-about_config-cyberfox.jpg




15 May 2014   #2
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Solved - disable weak cyphers

Solved the problem myself. Here's how:

Important: Backup the following registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Save the attached file as a PowerShell script (with the .ps1 extension) and run it.

DisableWeakCiphers.txt

Results:

How to disable RC4 Ciphers in TLS?-schannel.jpg

Weak cyphers are now disabled

Strong cyphers are enabled

Protocols:

How to disable RC4 Ciphers in TLS?-protocols.jpg


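The procedure from posts #1 and #2 (back up the SCHANNEL key, then set "Enabled" to 0 on the three RC4 keys), written out as an added example. It is not the attached DisableWeakCiphers.txt, whose contents are not shown in this thread, and the backup file location is an assumption.

```powershell
# Added example: back up SCHANNEL, disable the three RC4 ciphers, read them back.
# Run from an elevated PowerShell prompt.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$backup   = Join-Path $env:USERPROFILE 'schannel-backup.reg'   # assumed location

# 1. Export the whole SCHANNEL key first, so the change can be undone by import.
& reg.exe export "HKLM\$schannel" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of HKLM\$schannel failed; nothing changed." }

# 2. The key names contain '/'. The PowerShell registry provider treats '/' as a
#    path separator, so New-Item on '...\Ciphers\RC4 128/128' would create a key
#    'RC4 128' with a child '128', not the key named in the advisory. The .NET
#    registry API takes the name literally.
$rc4Keys = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\Ciphers")
try {
    foreach ($name in $rc4Keys) {
        $key = $ciphers.CreateSubKey($name)   # opens the key if it already exists
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally { $key.Close() }
    }

    # 3. Read back every cipher subkey so the result can be checked by eye.
    $report = foreach ($name in $ciphers.GetSubKeyNames()) {
        $key = $ciphers.OpenSubKey($name)
        try {
            $value = $key.GetValue('Enabled', $null)
            $state = 'enabled'
            if ($null -eq $value) { $state = 'not set (default)' }
            elseif ($value -eq 0) { $state = 'disabled' }
            New-Object PSObject -Property @{ Cipher = $name; State = $state }
        } finally { $key.Close() }
    }
} finally { $ciphers.Close() }

$report | Select-Object Cipher, State | Format-Table -AutoSize
```

A stray "RC4 128" entry in the output, with no "/128" suffix, means an earlier attempt created the key through the registry provider and the intended key was never written.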
17 Oct 2014   #3
chrysalis

windows 8.1 Pro x64
 
 

Nice last post, assuming it affects IE.

I suggest you disable all RC4 though, and now (especially with POODLE) also SSLv3.

So here is my altered file.


Attached Files
File Type: txt DisableWeakCiphers.txt (6.6 KB, 342 views)

17 Oct 2014   #4
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Disable RC4 and SSLv3

Quote: Originally Posted by chrysalis
Nice last post, assuming it affects IE.

I suggest you disable all RC4 though, and now (especially with POODLE) also SSLv3.

So here is my altered file.
Well I was just looking into a script to disable SSLv3 this week and didn't know about the advice to disable RC4, so thank you very much indeed! I have made use of your script. (Disable RC4 is what the original post was about)

As far as I know it takes care of Windows and in theory browsers including IE, but it wouldn't hurt to open IE settings and set it to disabled there - just to be on the safe side.

Here's a few testers anyway:

SSL/ TLS Tests

Just use the two SSL/ TLS tester links.

Edit: I'd sorted out the Poodle vulnerability this week but great suggestion anyway!
20 Oct 2014   #5
chrysalis

windows 8.1 Pro x64
 
 

I sadly found out RC4 is needed for YouTube; Google only supports 2 ciphers on googlevideos, RC4 and a new GCM cipher which isn't in any major browsers yet. At least it's not in IE and Firefox; it might be in Chrome.

But more bad news is these registry tweaks seem to do absolutely nothing in IE11, e.g. I disabled the AES ciphers, ran the ssllabs browser test and it reports AES in use, although it's possible that test just assumes it's available due to browser version, as it does run very fast, but YouTube should have been broken when I disabled RC4 and was not. I may do more tests later using one of my websites. Not confirmed in Outlook yet if it affects ciphers in use.

https://news.ycombinator.com/item?id=7977167

Of course it is at least trivial to disable SSLv3 in the IE options pages. But for other Microsoft applications it's not so easy.
20 Oct 2014   #6
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
Insecure Cipher Suites

My knowledge on this is pretty sketchy - hence the original question.

This is interesting: Disabling the RC4 Cipher | Windows content from Windows IT Pro

Tested secure connection to Youtube with the following registry settings applied:

DisableWeakCiphers.txt

SSL Cipher tweak RC4 removed.txt

SSL Cipher Preferred Order.txt

Disabled RC4 in browser:

How to disable RC4 Ciphers in TLS?-rc4-disabled-cyberfox.jpg

Can still get a secure connection to Youtube:

How to disable RC4 Ciphers in TLS?-page-info-youtube.jpg

I suspect that registry settings take care of weak cyphers in Windows but browsers need tweaking separately. Of course that could be entirely wrong!

