Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.
Setting Windows Ciphers and Cipher Suites in Windows for a large number (500+ Servers)
We have a large number of servers here (5-700) 2008 and 20012R2 and need to set them to PCI standards. We Can obviously use the IISCrypto tool to do the setting on a server by server basis but to do this on the large number of remote VMs is painful at best and horribly time consuming. We were able to use registry settings to turn off SSL v3 etc. here but can't see a way to do the same thing for the Ciphers and Cipher SUites. Can anyone suggest a way to do this quickly with a reg file or such? We use a tool called KACE that could deploy or run a batch file etc. Screen capture is attached showing what we need off.
IISCrypto-DisabledCipherSuites.JPG
IISCrypto-DisabledCipherSuites.JPG
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
this link have some reg keys to disable RC4
http://windowsitpro.com/windows/disabling-rc4-cipher
I have a reg key to disable RC4 cipher let me check and will post it
http://windowsitpro.com/windows/disabling-rc4-cipher
I have a reg key to disable RC4 cipher let me check and will post it
1. Open notepad.
2. Paste the below lines:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM
"Enabled"=dword:00000000
3. Click 'Save As' and select All files below and enter name 'Disable_RC4_Ciphers.reg'
please check before deploying
image.png
2. Paste the below lines:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM
"Enabled"=dword:00000000
3. Click 'Save As' and select All files below and enter name 'Disable_RC4_Ciphers.reg'
please check before deploying
image.png
THe thought we had was could we USe IISCrypto and Set up one system as needed then export the key as you suggested Patrick. Not sure if that will show the Ciphers or not. We'll try it here and see what it looks like. We WERE able to do that for the SSL items. Might be a day or 3 for results please be patient.
Hi George,
Yes it Will do exactly that (did the same on my platform last year)
Make the change and test that one machine with qualys ssl labs.
Take your time, it is mission critical. Dont forget to backup your registry.....
Cheers
Yes it Will do exactly that (did the same on my platform last year)
Make the change and test that one machine with qualys ssl labs.
Take your time, it is mission critical. Dont forget to backup your registry.....
Cheers
Should be able to get the Registry setting in below. PCI - Disables everything except SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, RC4 128, Triple DES 168, AES 128, AES 256, MD5, SHA1, DH and PKCS.
HKLM\SYSTEM\CurrentControlhttps://www.nartac.com/Blog/post/2013/04/19/IIS-Crypto-Explained.aspxSet\Contro l\Security Providers\ SCHANNEL\P rotocols\M ulti-Proto col Unified Hello\Server
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\P rotocols\P CT 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\P rotocols\S SL 2.0\Server
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\P rotocols\S SL 3.0\Server
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\P rotocols\T LS 1.0\Server
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\P rotocols\T LS 1.1\Server
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\P rotocols\T LS 1.2\Server
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\NUL L
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\DES 56/56
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\RC2 40/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\RC2 56/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\RC2 128/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\RC4 40/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\RC4 56/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\RC4 64/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\RC4 128/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\Tri ple DES 168/168
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\AES 128/128
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\C iphers\AES 256/256
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\H ashes\MD5
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\H ashes\SHA
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\K eyExchange Algorithms \Diffie-He llman
HKLM\SYSTEM\CurrentControlSet\Contro l\Security Providers\ SCHANNEL\K eyExchange Algorithms \PKCS
Each registry key has an "Enabled" value that is set.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
yes they are. where/how would they be set in GPO? That's something we've never looked at. it sure would make it easy though.
Computer GPO/P security settings/registry is one way to push the registry.
Check advanced templates dealing with security.
https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx
test first on a subset. note usually a GPO takes two loads to apply, in acomputer gpo that might require two reboots ...
Check advanced templates dealing with security.
https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx
test first on a subset. note usually a GPO takes two loads to apply, in acomputer gpo that might require two reboots ...
You can look at administrative template for Group Policy
https://github.com/Crosse/SchannelGroupPolicy/blob/master/README.md
https://github.com/Crosse/SchannelGroupPolicy/blob/master/README.md
Ended up using regdiff take before and after snapshots on a clean server with IIScrypto to get the chages as a .reg file we could apply. Patrick that is appropriate.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ciphers
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
Run IISCrypto on one machine and from registry export this key
HKEY_LOCAL_MACHINE\SYSTEM\
Distribute that registry patch to your farm, reboot all machines :( and your good to go
PS not sure if this list is 100% PCI compliant but hey, who am i? :)
Cheers