Have disabled RC4 ciphers but report still shows I have weak RC4 ciphers

I've changed the registry settings to disable RC4 ciphers according to various web sites including the following:  https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html

However, whenever I run this test at Qualys:   https://www.ssllabs.com/ssltest/ I'm still getting notified that I have weak RC4 ciphers.  Specifically these are listed:
TLS_RSA_WITH_RC4_128_SHA (0x5)  
TLS_RSA_WITH_RC4_128_MD5 (0x4)

How do I disable these specifically in the registry?
cindyfiller, Director of IT, Asked:

Steve Bink Commented:
Did you restart the server?  

Export your HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols branches and post them here.
btan, Exec Consultant, Commented:
Try using the IIS Crypto tool, which reads the actual Windows SChannel settings.
https://www.nartac.com/Products/IISCrypto
btan, Exec Consultant, Commented:
Also, to completely disable it in the registry, do make sure of the below from MS:
Note You must install this security update (2868725) before you make the following registry change to completely disable RC4.
https://support.microsoft.com/en-us/kb/2868725

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
cindyfiller, Director of IT, Author Commented:
Yes I had restarted the server.  I also tried to apply the patch listed above and it says it is not applicable to my computer.  I assume that means I have it on there, but I can't find that specific update.  

I have attached the 2 registry entries showing what I had done.
L--protocols.reg
L--ciphers.reg
Steve Bink Commented:
Your ciphers file shows the entries are malformed.  It is listing the individual ciphers as values instead of branches.  Please revisit https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html, under "Disable Weak Ciphers In IIS 7.0", and reproduce the registry entries shown there.
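
The malformed layout diagnosed above can be caught mechanically from an exported Ciphers branch. The following is an added example, not part of the original thread: the function names `parse_reg` and `audit_rc4` are hypothetical, and both sample exports are constructed rather than taken from the asker's attachments.

```python
import re

# Branch named in the thread; the registry is case-insensitive, so compare lowercased.
CIPHERS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
RC4_SUBKEYS = ("RC4 128/128", "RC4 56/128", "RC4 40/128")
HEADER = "Windows Registry Editor Version 5.00\n\n"

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def audit_rc4(text):
    """Return a list of reasons RC4 is not disabled by this Ciphers export."""
    keys, findings = parse_reg(text), []
    # Failure mode from the thread: cipher names typed as values on Ciphers itself.
    for name in keys.get(CIPHERS.lower(), {}):
        findings.append(f'"{name}" is a value on Ciphers, not a subkey')
    for sub in RC4_SUBKEYS:
        values = keys.get(f"{CIPHERS}\\{sub}".lower())
        if values is None:
            findings.append(f"{sub}: subkey missing")
        elif not re.fullmatch(r"dword:0{8}", values.get("enabled", ""), re.I):
            findings.append(f'{sub}: "Enabled" is not dword:00000000')
    return findings

# Constructed samples (not the asker's attachments): values vs. subkeys.
MALFORMED = HEADER + f"[{CIPHERS}]\n" + "".join(
    f'"{s}"=dword:00000000\n' for s in RC4_SUBKEYS)
CORRECT = HEADER + "".join(
    f'[{CIPHERS}\\{s}]\n"Enabled"=dword:00000000\n\n' for s in RC4_SUBKEYS)

if __name__ == "__main__":
    for label, sample in (("malformed", MALFORMED), ("correct", CORRECT)):
        print(label, audit_rc4(sample) or "RC4 subkeys disabled")
```

A real export from regedit is UTF-16, so read the file with `open(path, encoding="utf-16")` before passing its text to `audit_rc4`.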
btan, Exec Consultant, Commented:
Suggest you try the IIS Crypto tool.

Even the MS reference has TLS registry keys, and not only SSLv2 and SSLv3
- check out https://support.microsoft.com/en-us/kb/245030
The client and server subkeys designate each protocol. You can disable a protocol for either the client or the server. However, disabling Ciphers, Hashes, or CipherSuites affects both client and server sides. You would have to create the necessary subkeys under the Protocols key to achieve this. For example:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server]
But specifically, the SCHANNEL\Ciphers\RC4 128/128 subkey is to disable the below, which include the two that surfaced in your case.
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA

The tool can be tried out
btan, Exec Consultant, Commented:
Another post from a forum says it is working, which I believe you have done too. Also, do make sure your web server is directly end-to-end SSL accessible, and that there is not a reverse proxy, load balancer or similar handling the external requests in place of it, which may give a false reading.
These are the reg keys I used to fix these vulnerabilities
 
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0 /f
 
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v Enabled /t REG_DWORD /d 0 /f
 
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v Enabled /t REG_DWORD /d 0 /f
 
No reboot required.
https://community.qualys.com/message/29416#29416

cindyfiller, Director of IT, Author Commented:
Thanks to both of you!  I really blew the cipher registry entries.  I was manually typing them.  I had found specifics on creating dwords for the protocols and assumed the ciphers were the same... of course they weren't.  I have corrected those entries (imported the correct ones) and have added the other protocols
btan, Exec Consultant, Commented:
thanks for sharing