George R. Kasica

Setting Windows Ciphers and Cipher Suites in Windows for a large number (500+ Servers)

We have a large number of servers here (5-700), 2008 and 2012 R2, and need to set them to PCI standards. We can obviously use the IISCrypto tool to do the setting on a server-by-server basis, but to do this on the large number of remote VMs is painful at best and horribly time consuming. We were able to use registry settings to turn off SSL v3 etc. here but can't see a way to do the same thing for the Ciphers and Cipher Suites. Can anyone suggest a way to do this quickly with a reg file or such? We use a tool called KACE that could deploy or run a batch file etc. Screen capture is attached showing what we need off.
IISCrypto-DisabledCipherSuites.JPG
* ciphers, Encryption, OS Security, Windows Server 2008, Windows OS

Last Comment
Patrick Bogers

8/22/2022 - Mon
SOLUTION
Patrick Bogers

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
aravind anche

This link has some reg keys to disable RC4:
http://windowsitpro.com/windows/disabling-rc4-cipher

I have a reg key to disable the RC4 cipher; let me check and I will post it.
aravind anche

1. Open notepad.
2. Paste the below lines:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

3. Click 'Save As' and select All files below and enter name 'Disable_RC4_Ciphers.reg'

Please check before deploying.
image.png
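The RC4 keys from the .reg file above, applied and then read back with PowerShell, as an added example that is not part of the original post. It assumes an elevated PowerShell 2.0 or later session on the target server; the function names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the target server.
# Written to work on PowerShell 2.0 and later.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# The three key names from the .reg file above. They contain "/", which the
# PowerShell registry provider (New-Item HKLM:\...) treats as a path separator,
# so the keys are created through the .NET registry API instead.
$rc4Keys = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'

function Disable-SchannelCipher {   # hypothetical helper name
    param([string[]]$Name)
    $root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
    try {
        foreach ($n in $Name) {
            $key = $root.CreateSubKey($n)   # creates the key, or opens it if present
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.Close()
        }
    } finally { $root.Close() }
}

function Test-SchannelCipherDisabled {   # hypothetical helper name
    param([string[]]$Name)
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)
    foreach ($n in $Name) {
        $value = $null
        if ($root) {
            $key = $root.OpenSubKey($n)
            if ($key) { $value = $key.GetValue('Enabled'); $key.Close() }
        }
        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Cipher   = $n
            Enabled  = $value               # $null means the value is not set
            Disabled = ($value -ne $null -and $value -eq 0)
        }
    }
    if ($root) { $root.Close() }
}

Disable-SchannelCipher -Name $rc4Keys
$report = @(Test-SchannelCipherDisabled -Name $rc4Keys)
$report | Format-Table Computer, Cipher, Enabled, Disabled -AutoSize

# A non-zero exit code lets a deployment tool flag servers where a key did not take.
if (@($report | Where-Object { -not $_.Disabled }).Count -gt 0) { exit 1 }
```

The read-back only confirms the registry state; the negotiated ciphers still need checking with an external TLS scan of a test server.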
George R. Kasica

ASKER
The thought we had was could we use IISCrypto and set up one system as needed then export the key as you suggested, Patrick. Not sure if that will show the Ciphers or not. We'll try it here and see what it looks like. We WERE able to do that for the SSL items. Might be a day or 3 for results, please be patient.
Patrick Bogers

Hi George,

Yes, it will do exactly that (did the same on my platform last year).
Make the change and test that one machine with Qualys SSL Labs.

Take your time, it is mission critical. Don't forget to back up your registry...

Cheers
SOLUTION
btan

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
George R. Kasica

ASKER
Thank you will take a look at this tomorrow.
ASKER CERTIFIED SOLUTION
arnold

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
George R. Kasica

ASKER
Yes, they are. Where/how would they be set in GPO? That's something we've never looked at. It sure would make it easy though.
arnold

Computer GPO/P security settings/registry is one way to push the registry.
Check advanced templates dealing with security.
https://technet.microsoft.com/en-us/library/cc753092(v=ws.11).aspx

Test first on a subset. Note that usually a GPO takes two loads to apply; in a computer GPO that might require two reboots ...
btan

You can look at the administrative template for Group Policy:
https://github.com/Crosse/SchannelGroupPolicy/blob/master/README.md
George R. Kasica

ASKER
Looking at this as well
George R. Kasica

ASKER
Ended up using regdiff to take before and after snapshots on a clean server with IISCrypto to get the changes as a .reg file we could apply. Patrick, that is appropriate.
Patrick Bogers

Thank you for feedback.
If my proposal is appropriate, why did you offer all points to btan?
Patrick Bogers

Nice fix! Until Next time.