Avatar of mike99c
 asked on

How do I disable outdated and vulnerable ciphers on windows server without affecting RDP and Plesk access?

I have a Windows Server 2016 hosted on AWS EC2 using Plesk Onyx as a hosting control panel. It is a shared server and hosts multiple websites.

We have a requirement for one of our shared hosting clients to make their website and therefore our server PCI compliant in order to host a credit card payment page. One of the requirements is to disable the following outdated or vulnerable ciphers:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
It is also a requirement to disable TLS 1.1.

However, I have the following concerns if the above changes are applied:

1. Disabling 3DES will create an issue accessing my server via remote desktop (RDP)
2. Disabling TLS 1.1 will break Plesk (latest version) Admin interface
3. Disabling the ciphers and TLS 1.1 will cause issues for visitors using Windows XP or outdated browsers.

I'm not too concerned about the last issue but am very concerned about not being able to access RDP and Plesk. Indeed applying these changes will likely lock me out of my server completely which can only be resolved through direct physical server access.

Is anyone aware of a workaround to resolve these issues? If need be we will consider a dedicated server just to satisfy our PCI compliant websites.
Windows Server 2016Plesk* ciphersAWS* pci compliance

Avatar of undefined
Last Comment
Seth Simmons

8/22/2022 - Mon
Olivier Marchetta

I am trying to find which PCI compliance is requiring to disable TLS 1.1.
I think that it was just 1.0.
TLS 1.2 is sometimes not very well supported by servers and clients.
David Favor

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

For RDP, the concern is that TLS1.0 still needed. You can check this past discussion. Ultimately it is a risk acceptance. So mitigating measures can be taken like having web application firewall or subscribing to a cloud provider like cloudflare to fend against web based attack.


Same applies if you need to run the services. In fact client of lower OS should slowly be deprecated or upgraded. Your priority would have to take a risk based approach to support the majority of updated client instead.

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Krzysztof Kubiak

Hello mike99c

As serialband already mentioned TLS 1.2 is well supported.

I suggest you use the below tool as it gives a list of ciphers already Installedbin a glance

The Client and the Server before they do a Successfully Handshake they share the list of available cipher to choose the latest and most secure Encryption.

To find out what they are using now between your client and server when doing a RDP session Install on your PC Wireshark or Netmon (whatever suits).

1. Start capturing traffic
2. Do a RDP connection to server
3. Stop capturing traffic
4. In Wireshark filter the traffic by up.addr == ip_address_if_server
5. At the beginning of the communication you should see TLS traffic, successfully handshake traficc in the details of packet you will find the cipher they decided to use for encryption.

If your PC is a really old client I would suggest before disabling TLS to install latest Ciphers on few PCs so you will not loose RDP in case of problems. Once you find out what CIpoher you client are missing you can Google and find out if there are security patches for your client.

I saw that Microsoft few times even release patches for Windows Server 2003.

About Windows XP.  I don't know what your situation is. Why you would allow guests to connect to your network with a outdated OS. But there is not much you can do about it. Either you want to protect your servers/network or you want to have open holes for outdated OS.
Those Guests PC, what are they? Private machines of users or machines which you have control over and can apply patches?.
If it's the first one then you could  Install a blank windows XP use again Wireshark to find out the default cipher it has and leave you server open for hacking, or you can be strict and just not allow outdated Windows in your network.
If it's the second one then patch those windows machine then disable TLS.

Same is with Plesk. If you are concerned that the communication will break then patch that application if possible and then disable the old Ciphers.

If you struggle with the Wireshark log you can send me the example traffic privately (don't share Wireshark logs public)
Your help has saved me hundreds of hours of internet surfing.
Seth Simmons

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- 'serialband' (https:#a42827174)
-- 'David Favor' (https:#a42826538)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer