How to disable 3DES and RC4 on Windows Server 2019?

Kartheen E 51

Could some let me know How to disable 3DES and RC4 on Windows Server 2019? and is there any patch for disabling these. I am trying to fix this vulnerability CVE-2016-2183.

Jerald Sagayaraj 16 Reputation points

2022-12-23T16:23:45.677+00:00

Hi kartheen,
I'm facing similar issue like you in windows 2016 Datacentre Azure VM.
Tried all the steps for removing DES, 3DES and RC4 ciphers and it is not even present in our functions but still running find cmd gives as those ciphers are available. Can you let me know what has fixed for you?

TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384
TLS_PSK_WITH_AES_128_CBC_SHA256
TLS_PSK_WITH_NULL_SHA384
TLS_PSK_WITH_NULL_SHA256
TLS_AES_256_GCM_SHA384

Accepted answer

Daisy Zhou 27,281 Reputation points Microsoft Vendor

2021-04-08T03:16:31.347+00:00

Hello @Kartheen E ,

Thank you for posting here.

Could some let me know How to disable 3DES and RC4 on Windows Server 2019?
A: We can check all the ciphers on one machine by running the command.

Get-TlsCipherSuite >c:\cipher.txt

Or we can check only 3DES cipher or RC4 cipher by running commands below.

We can disable 3DES and RC4 ciphers by removing them from registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 and then restart the server.

For example in my lab:

I am sorry I can not find any patch for disabling these.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou
Please sign in to rate this answer.

5 people found this answer helpful.
Kartheen E 51 Reputation points

2021-04-08T15:03:23.487+00:00

@Daisy Zhou

I do not see 3DES or RC4 in my registry list. please see below. Is there any other method to disable 3DES and RC4?

Daisy Zhou 27,281 Reputation points Microsoft Vendor

2021-04-09T01:13:52.723+00:00

Hello @Kartheen E ,
Thank you for your update.
Please pull down the scroll wheel on the right to find

If you find it, you can remove it.

And run Get-TlsCipherSuit -Name RC4 to check RC4.

Best Regards,
Daisy Zhou

DPerry 6 Reputation points

2021-12-30T15:49:24.387+00:00

The recommendations presented here confused me a bit and the way to remove a particular Cipher Suite does not appear to be in this thread, so I am adding this for (hopefully) more clarity.

Performed on Server 2019.
The registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" shows the availabe cypher suites on the server. You can't remove them from there however.
To remove a cypher suite, use the PowerShell command 'Disable-TlsCipherSuite -Name <name of the suite>'.

For example;
I see these suites in the registry, but don't want 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'.

]1

To remove that suite I run; Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA" in PowerShell.
When I reopen the registry and look at that key again, I see that my undesired suite is now missing.

A reboot may be needed, to make this change functional. I could not test that part.

Atuldeep Mann 0 Reputation points

2023-10-16T12:02:21.4933333+00:00

Hi All,

I have disabled 3DES and RC4 ciphers by removing them from registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 and then restart the server but still it comes in the vulnerability report.

Kindly suggest further solution.

T, Deepakraj 0 Reputation points

2024-12-20T14:43:57.05+00:00

Can I apply similar approach on Windows server 2016 also for the remediation ?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

6 additional answers

Anonymous

2021-04-07T20:28:53.28+00:00

Something here may help.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

--please don't forget to Accept as answer if the reply is helpful--
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Najam ul Saqib 340 Reputation points

2024-11-02T02:26:04.7666667+00:00

I was able to resolve the problem using IISCrypt best practices option on 2016 server, the server worked fine after reboot, no problem with RDP and the vulnerabilities didn't appear in next scan as well.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to disable 3DES and RC4 on Windows Server 2019?

6 additional answers

Your answer