Setting Windows Ciphers and Cipher Suites in Windows for a large number (500+ Servers)

George R. Kasica
George R. Kasica used Ask the Experts™
on
We have a large number of servers here (5-700) 2008 and 20012R2 and need to set them to PCI standards. We Can obviously use the IISCrypto tool to  do the setting on a server by server basis but to do this on the large number of remote VMs is painful at best and horribly time consuming. We were able to use registry settings to turn off SSL v3 etc. here but can't see a way to do the same thing for the Ciphers and Cipher SUites. Can anyone suggest a way to do this quickly with a reg file or such? We use a tool called KACE that could deploy or run a batch file etc. Screen capture is attached showing what we need off.
IISCrypto-DisabledCipherSuites.JPG
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Patrick BogersDatacenter platform engineer Lindows
Commented:
Hi

Run IISCrypto on one machine and from registry export this key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Distribute that registry patch to your farm, reboot all machines :( and your good to go
PS not sure if this list is 100% PCI compliant but hey, who am i? :)

Cheers

Commented:
this link have some reg keys to disable RC4
http://windowsitpro.com/windows/disabling-rc4-cipher

I have a reg key to disable RC4 cipher let me check and will post it

Commented:
1. Open notepad.
2. Paste the below lines:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

3. Click 'Save As' and select All files below and enter name 'Disable_RC4_Ciphers.reg'

please check before deploying
image.png
C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

George R. KasicaEngineering Operations Analyst III

Author

Commented:
THe thought we had was could we USe IISCrypto and Set up one system as needed then export the key as you suggested Patrick. Not sure if that will show the Ciphers or not. We'll try it here and see what it looks like. We WERE able to do that for the SSL items. Might be a day or 3 for results please be patient.
Patrick BogersDatacenter platform engineer Lindows

Commented:
Hi George,

Yes it Will do exactly that (did the same on my platform last year)
Make the change and test that one machine with qualys ssl labs.

Take your time, it is mission critical. Dont forget to backup your registry.....

Cheers
btanExec Consultant
Distinguished Expert 2018
Commented:
Should be able to get the Registry setting in below. PCI - Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH and PKCS.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
 
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256
 
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA
 
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS

Each registry key has an "Enabled" value that is set.
https://www.nartac.com/Blog/post/2013/04/19/IIS-Crypto-Explained.aspx
George R. KasicaEngineering Operations Analyst III

Author

Commented:
Thank you will take a look at this tomorrow.
Distinguished Expert 2017
Commented:
are the Vms centrally controlled/managed via GPO AD?
those settings can be pushed GPO/GPP......
George R. KasicaEngineering Operations Analyst III

Author

Commented:
yes they are. where/how would they be set in GPO? That's something we've never looked at. it sure would make it easy though.
Distinguished Expert 2017

Commented:
Computer GPO/P security settings/registry is one way to push the registry.
Check advanced templates dealing with security.
https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx

test first on a subset. note usually a GPO takes two loads to apply, in acomputer gpo that might require two reboots ...
btanExec Consultant
Distinguished Expert 2018

Commented:
You can look at administrative template for Group Policy
https://github.com/Crosse/SchannelGroupPolicy/blob/master/README.md
George R. KasicaEngineering Operations Analyst III

Author

Commented:
Looking at this as well
George R. KasicaEngineering Operations Analyst III

Author

Commented:
Ended up using regdiff take before and after snapshots on a clean server with IIScrypto to get the chages as a .reg file we could apply. Patrick that is appropriate.
Patrick BogersDatacenter platform engineer Lindows

Commented:
Thank you for feedback.
If my proposal is appropiate why did you offer all points to btan?
Patrick BogersDatacenter platform engineer Lindows

Commented:
Nice fix! Until Next time.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial