restricting low strength Ciphers not working on Server 2008 R2

Posted on 2012-08-27
Last Modified: 2012-09-02
To pass a Nessus scan (Server 2008 R2) we made the appropriate registry changes to disable SSL v2 and low strength ciphers. Did this based on the MS support document that many people reference, and by importing standard security enhancing registry keys available on many security related web sites (i.e., we did not make the registry corrections by hand).

However, a few low strength ciphers remain on the Nessus scan and are confirmed by THCSSLCheck in TLS v1 and SSL v3 (SSL v2 is disabled):

EXP-DES-CBC-SHA - 40 bits
EXP-RC4-MD5 - 40 bits


Each of the following registry locations has a binary DWORD of Enabled = 0:

HKLM...\SCHANNEL\Ciphers\DES 56/56
HKLM...\SCHANNEL\Ciphers\RC2 40/128
HKLM...\SCHANNEL\Ciphers\RC2 56/128
HKLM...\SCHANNEL\Ciphers\RC4 40/128
HKLM...\SCHANNEL\Ciphers\RC4 56/128

These entries should have disabled these low strength Ciphers.

What am I missing? Are there other specific keys or entries required? Does there need to be an entry for SCHANNEL\Hashes or something else?

Question by: dakota5

    Author Comment

    I just learned that Dell OMSA (systems management) creates a web server on servers it is loaded on, and the default is not high cipher strength. That is the source of one of my low cipher strength Nessus warnings.

    But I don't understand: don't the registry settings I listed above force ALL applications to use high strength ciphers?

    How is the Dell OMSA getting around (ignoring) the registry settings?

    Expert Comment

    From the forum it stated, for example, for SSL 2.0 to also include a DWORD key called "DisabledByDefault" as an additional one to disable too. Noted the MS link you shared also mentioned that.

    Execute all of the 3 lines to be on the secure side:

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /ve /f

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v Enabled /d 0 /f

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /t REG_DWORD /v DisabledByDefault /d 1 /f
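    An added audit script (not from the thread or from Microsoft) that checks the SCHANNEL keys discussed above: the five cipher subkeys the question lists should carry Enabled = 0, and the SSL 2.0 server key should carry Enabled = 0 and DisabledByDefault = 1 as in the three reg add lines. It assumes an elevated PowerShell session on the Server 2008 R2 host; the key and value names are the real SCHANNEL ones.

```powershell
# Added example: audit the SCHANNEL hardening keys discussed in this thread.
# Assumption: run in an elevated PowerShell session on the server being scanned.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher subkeys the question lists; each should carry a DWORD Enabled = 0.
$weakCiphers = 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC4 40/128', 'RC4 56/128'

function Get-SchannelValue {
    # Returns the named registry value, or $null if the value is absent.
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($c in $weakCiphers) {
    $key = Join-Path $base "Ciphers\$c"
    if (-not (Test-Path $key)) {
        # A missing subkey means SCHANNEL falls back to its built-in default for that cipher.
        $findings += "MISSING key: $key"
        continue
    }
    $enabled = Get-SchannelValue -Key $key -Name 'Enabled'
    if ($enabled -ne 0) {
        $findings += "NOT DISABLED: $key Enabled=$enabled (expected 0)"
    }
}

# SSL 2.0 server side: the expert's reg add lines set Enabled=0 and DisabledByDefault=1.
$ssl2 = Join-Path $base 'Protocols\SSL 2.0\Server'
if (-not (Test-Path $ssl2)) {
    $findings += "MISSING key: $ssl2"
} else {
    if ((Get-SchannelValue -Key $ssl2 -Name 'Enabled') -ne 0) {
        $findings += "SSL 2.0 Server: Enabled should be 0"
    }
    if ((Get-SchannelValue -Key $ssl2 -Name 'DisabledByDefault') -ne 1) {
        $findings += "SSL 2.0 Server: DisabledByDefault should be 1"
    }
}

if ($findings.Count -eq 0) {
    'SCHANNEL registry settings match the expected hardening.'
} else {
    $findings
}
# Note: services that ship their own TLS stack (such as the Tomcat-based Dell OMSA
# web server discussed in this thread) ignore these keys and must be checked separately.
```

    A clean result from this script does not clear the Nessus finding by itself: the scanner must be re-run per port, since a listener with its own TLS stack can still offer the export ciphers.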

    Assisted Solution

    The defensia tool is excellent.

    But I've checked: small internal web applications like Dell OpenManage Server Administrator, CyberPower PowerPanel (for monitoring battery backups), and others frequently use Apache Tomcat Java servers.

    These don't use Microsoft SCHANNEL registry settings for limiting SSL to high encryption. Looking at the Apache Tomcat web site, it looks like one needs to make changes using command line entries.

    Correct me if I'm wrong.

    Accepted Solution

    Agree, no registry or anything of this sort for Apache web servers. Mostly to do with its http.conf and its mod_ssl module.

    Author Closing Comment

    I've included one of my own answers because it summarizes the input of the contributing expert.