Registry Settings

Disabling and Enabling protocols for compliance

What does this mean :

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Or, change the DWORD value data to 0x0

what is 0xffffffff  - what does this translate to in the registry ?
what is 0x0 ?

how do these relate to simple old fashioned 0 or 1 for off and on ?

Thanks
nico-Asked:

Hypercat (Deb)Commented:
0xffffffff is hexadecimal notation.  It translates in decimal notation to 4294967295, and basically means "every possible value is acceptable." 0x0 is also hexadecimal notation, for a value of "0" in decimal format.  It appears that what your instructions are telling you is that either one of these values will work to allow the algorithm you're trying to use.
0
nico-Author Commented:
thanks for the reply

does 0x stand for "the value that values is in hex" and also does it mean the hex must be used ? is there a reason for choosing hex or decimal when choosing a setting?

Do you know why ffffffff is used and not something as simple as 0 or 1.  

Basically there are a variety of protocols that I need to enable and disable and that the statement above was from a TechNet article, which doesn't make a great deal of sense ..

So .. to allow this cipher algorithm, change the dword value of enabled to "any value" in hex OR change the DWORD value to 0  -  what is "the DWORD value" ?

"To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Or, change the DWORD value data to 0x0"
0
nico-Author Commented:
oops .. opening line should read - the value that follows is in hex
0

Hypercat (Deb)Commented:
Sounds like that Technet article is not very well written!  Is it one of those "quick publish" articles?

0x is the common prefix for a numeric constant in hexadecimal notation.  It's used to indicate to the parser that the notation following is a constant and is in hexadecimal notation. All registry values are essentially hex values, but the registry editor translates them into decimal format and also allows you to enter them in decimal format if you know the decimal value.

The reason for using the "fff...." value is usually that the parameters of the value do not lend themselves to a simple off or on switch.  As far as I know, the purpose is to allow a range of values (whatever the valid range is for that parameter) without having to specify each value individually.  There may be other more technical explanations, I'm not an expert on the whys and wherefores of the Windows registry.

DWORD is a type of registry value (also sometimes listed as REG_DWORD).  Here's an article explaining the various types of registry values:

http://support.microsoft.com/kb/101230

What you are doing is setting that DWORD value to either 0xffffffff or 0x0.

It sounds like you're very unfamiliar with editing the registry, so BE SURE to back everything up before you do ANYTHING.  Registry editing is not for the newbie or the faint of heart!!!
0
nico-Author Commented:
Thanks for the reply.
No worries with the registry until now!  I think it could be the ambiguous way it's written

the thing that is really confusing me is this bit

change the DWORD value data of the Enabled value to 0xffffffff.
Or, change the DWORD value data to 0x0"

the first line I understand now. but does "the DWORD value data" refer to the same Enabled value ?  ..

I would have written like this :-

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff or 0x0.

It seems to be referring to the Enabled value and a different value ?

Thanks
0
nico-Author Commented:
0
nico-Author Commented:
it really comes down to this one now :

To enable, set the DWORD value data of the Enabled value to 0xffffffff. Or, change the DWORD data to 0x0

"the DWORD value data of the Enabled value" .. I can trace that one

it's the "or the DWORD data to 0x0" .. where is that actual setting ?
0
CompProbSolvCommented:
I have looked at the actual article, and think that I have it sorted out.  If you add a DWORD value whose name is "enabled" and you set it to 0x0 (which is often interpreted as FALSE), it will remain disabled.  If you set "enabled" to 0xffffffff (or likely any value other than 0x0, though I'd only use the specified one) then it will be enabled.

The other reference is likely to the "DisabledByDefault" key.  It is normally set to 0x1 (TRUE), so the protocol is disabled unless there is something to state otherwise, such as the "enabled" key set to 0xffffffff.  I'm presuming that "or the DWORD data to 0x0" is referring to "DisabledByDefault".  That is, if you set "DisabledByDefault" to 0x0 then the protocol will be enabled by default and you won't need the "enabled" key.

If I am correct, it would have been MUCH clearer if the author changed "or the DWORD data to 0x0" to "or the DisabledByDefault DWORD data to 0x0".
0

nico-Author Commented:
fantastic answer.

testing required, but that makes a great deal of sense.

The one more related question I do have is with 2008 protocol/cipher settings and the registry

there is only one protocol listed in 2008 .. SSL 2.0 Client, which has a disabled by default setting of 000000001.  I guess I'm wondering why isn't this ffffffff instead of 00000001.  Also, the article states creating specific Enabled values to then set to 00000000.  Why is that method used rather than leaving the settings as they are - disabled by default.  It is as though they are saying it's safer to explicitly disable (through the enable key) rather than leave the cipher/protocol naturally in a disabled state ?
0
nico-Author Commented:
http://forums.iis.net/t/1151822.aspx

Looks like the original setting of SSL 2.0 client -> disabled by default = 1 was causing the issues.  SSL 2.0 was still running rather than TLS
0
nico-Author Commented:
Another linked question was that does NOT having the registry key in windows mean that the setting is disabled ?  

i.e [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] does not appear in Windows 2008, yet the article above says this is enabled by default .

I wonder if this is why a reg key has to be created in order to then disable this cipher ?
0
nico-Author Commented:
Just having yet another re-read of the phrase

"To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Otherwise, change the DWORD value data to 0x0"

I am now wondering if this means regarding the enabled value

* to allow set enabled to ffffffff
* to disallow set enabled to 00000000

as in, the sentence is all about the  enabled value and not about a mixture of enabled and if it appears - disabled by default ?

testing later should help clarify

--

In the Triple DES 168 entry, the sentence reads

"To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff. Otherwise, change the DWORD data to 0x0"

Not sure, why the word value was removed?  I'm sure this probably has nothing to do with any settings.  
--
0
Hypercat (Deb)Commented:
Hi, guys - just coming back in after not reviewing this post since yesterday afternoon.  I read the article also, and I'm interpreting it a different way.  I think what is meant is that you need to add the protocol key, and the Client and Server keys for any protocol that you want to manage.  Then you add the value you want to use.  The DisabledbyDefault value has 2 possible settings:  0x1 DISABLES the protocol (the default setting that you're seeing in the registry now), and 0x0 ENABLES the protocol (i.e., turns off the DisabledbyDefault switch). Or, the other option is to add an Enabled value and set it to 0xffffffff, and either remove the DisabledbyDefault value or set it to 0x0.  That is, if you're adding a completely new key, then you don't use the DisabledbyDefault value at all, you just add the Enabled value and set it to 0xffffffff.

Take a look at this post:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c38692a1-1ed4-4646-a441-d47a025b6828/disable-ssl-20-on-windows-2008-r2?forum=winserversecurity
0
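
An added example, not part of any post in this thread: a read-only PowerShell audit that reports the Enabled and DisabledByDefault values discussed above for a few SCHANNEL subkeys. The list of subkeys is an assumption (the `Triple DES 168` name follows the thread's wording), and reading any nonzero Enabled as "enabled" follows CompProbSolv's interpretation above.

```powershell
# Added example: read-only audit of the SCHANNEL values discussed in this thread.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys to inspect. This list is an assumption for the example; edit to suit.
$targets = @(
    'Protocols\SSL 2.0\Client',
    'Protocols\SSL 2.0\Server',
    'Ciphers\RC4 128/128',
    'Ciphers\Triple DES 168'
)

function Format-Dword($Value) {
    if ($null -eq $Value) { return '(not set)' }
    # .NET hands back a REG_DWORD as a signed Int32, so 0xffffffff arrives as -1;
    # the x8 format prints the same 32 bits the registry editor shows.
    return '0x{0:x8}' -f $Value
}

function Get-SchannelSetting([string]$SubPath) {
    # Use the .NET API, not the HKLM: drive: names such as "RC4 128/128" contain
    # "/", which the PowerShell registry provider treats as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$SubPath")
    if ($null -eq $key) {
        # A missing key means nothing is configured here, not "disabled".
        return [pscustomobject]@{
            Key = $SubPath; Enabled = '(key absent)'; DisabledByDefault = '(key absent)'
            Reading = 'nothing configured; OS default applies'
        }
    }
    try {
        $enabled  = $key.GetValue('Enabled', $null)
        $disabled = $key.GetValue('DisabledByDefault', $null)
    } finally { $key.Close() }

    # Interpretation is an assumption taken from the thread: 0 disables, any
    # nonzero Enabled (0xffffffff is the value the quoted article gives) enables.
    $reading = 'explicitly enabled'
    if ($null -eq $enabled) { $reading = 'no Enabled value; see DisabledByDefault' }
    elseif ($enabled -eq 0) { $reading = 'explicitly disabled' }

    [pscustomobject]@{
        Key = $SubPath; Enabled = (Format-Dword $enabled)
        DisabledByDefault = (Format-Dword $disabled); Reading = $reading
    }
}

$targets | ForEach-Object { Get-SchannelSetting $_ } | Format-Table -AutoSize
```

The script only reads values, so it can be run before and after a change to confirm which of the two settings was actually written.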
nico-Author Commented:
Superb help.  thank you
0