How to disable “weak crypto” in MS IIS? (2024)

Permanent link:

https://auditsquare.com/advisory/windows/iis-disable-weak-crypto

What is considered a “weak crypto”?

In general you should avoid:

  • SSL protocol versions v2 and v3, and PCT v1
  • Symmetric ciphers with keys shorter than 128 bits (also known as export ciphers)
  • Weak ciphers, like RC2 and RC4
  • Weak hash functions, like MD5

Why is it a security issue?

SSL/TLS in particular has not had a good time lately. You have probably heard of well-known vulnerabilities and attacks such as Heartbleed, BEAST, CRIME, POODLE, FREAK or Logjam.

How to fix it?

All of the following changes are made with regedit (as Administrator). At the end you will need to restart the server.

Disable SSLv2

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server; create the key if it does not exist
  • set the DWORD value Enabled to 0 (or create the value if it does not exist)
  • make sure that the DWORD value DisabledByDefault, if it exists, is set to 1
  • it is also advisable to disable SSLv2 for client authentication: repeat the above steps for the key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client

Disable SSLv3

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server; create the key if it does not exist
  • make sure that the DWORD value Enabled exists and is set to 0
  • make sure that the DWORD value DisabledByDefault, if it exists, is set to 1
  • it is also advisable to disable SSLv3 for client authentication: repeat the above steps for the key HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client

Disable PCTv1 (only Windows 2003 or lower; PCT is not supported on Windows 2008 and newer)

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server; create the key if it does not exist
  • set the DWORD value Enabled to 0 (or create the value if it does not exist)
  • make sure that the DWORD value DisabledByDefault, if it exists, is set to 1

Make sure that only TLS 1.0, TLS 1.1 and TLS 1.2 are enabled

TLS 1.0

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server; create the key if it does not exist
  • make sure that the DWORD value Enabled exists and is set to 1
  • make sure that the DWORD value DisabledByDefault, if it exists, is set to 0

TLS 1.1 (requires Windows 7, Windows 2008 R2 or higher):

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server; create the key if it does not exist
  • make sure that the DWORD value Enabled exists and is set to 1
  • make sure that the DWORD value DisabledByDefault, if it exists, is set to 0

TLS 1.2 (requires Windows 7, Windows 2008 R2 or higher):

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server; create the key if it does not exist
  • make sure that the DWORD value Enabled exists and is set to 1
  • make sure that the DWORD value DisabledByDefault, if it exists, is set to 0

Disable export ciphers, NULL ciphers, RC2 and RC4

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128 and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128 and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128 and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 and set DWORD value Enabled to 0.
  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 and set DWORD value Enabled to 0.

If any of the above-mentioned registry keys and/or Enabled values do not exist, create them.

Completely disable MD5 hash function

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5 (create the key if it does not exist) and set DWORD value Enabled to 0 (or create the value if it does not exist).

Force server not to respond to renegotiation requests from client

Make sure you have installed the hotfix for MS10-049 (see http://support.microsoft.com/kb/980436; applies to Windows XP, 2003, 7, Vista, 2008 and 2008 R2).

  • go to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
  • create DWORD value AllowInsecureRenegoClients and set it to 0
  • create DWORD value AllowInsecureRenegoServers and set it to 0
  • create DWORD value DisableRenegoOnServer and set it to 1
  • create DWORD value UseScsvForTls and set it to 1 (Win XP, 2003, Vista and 2008)
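The registry steps above, from the protocol keys through the cipher, hash and renegotiation values, as one PowerShell script. This is an added example, not part of the auditsquare advisory; it assumes Windows 7 / Server 2008 R2 or newer (where the HKLM registry is reachable from PowerShell), an elevated session, and that the MS10-049 hotfix is already installed. It writes every value, then reads each one back and reports any that differ, and with -AuditOnly it only reports. One detail worth knowing: the PowerShell registry provider treats "/" as a path separator, so New-Item would mangle key names like RC4 128/128; the script therefore uses the .NET registry classes, which split only on backslash.

```powershell
# Added example, not part of the auditsquare advisory: applies the SCHANNEL
# registry settings from the steps above with PowerShell instead of regedit and
# then reads every value back and reports any that differ. Run elevated; the
# server still has to be rebooted afterwards. Assumes Windows 7 / Server 2008 R2
# or newer and, for the renegotiation values, that the MS10-049 hotfix is installed.
param([switch]$AuditOnly)   # -AuditOnly: report the current state without writing

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# The .NET registry API is used rather than New-Item/New-ItemProperty because the
# PowerShell registry provider treats '/' as a path separator, which would turn a
# cipher key such as 'RC4 128/128' into a nested key 'RC4 128' -> '128'.
function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $path = "$SchannelPath\$SubKey".TrimEnd('\')
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($path)   # creates missing keys
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-SchannelDword {
    param([string]$SubKey, [string]$Name)
    $path = "$SchannelPath\$SubKey".TrimEnd('\')
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path)
    if ($null -eq $key) { return $null }              # key does not exist
    try { return $key.GetValue($Name, $null) }        # $null when the value is missing
    finally { $key.Close() }
}

# Desired state, entry by entry, mirroring the steps above.
$desired = @()

# Protocols to disable: SSLv2 and SSLv3 on both the Server and Client side,
# PCT 1.0 on the Server side (the key is simply ignored on Windows 2008 and newer).
foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
    foreach ($side in 'Server', 'Client') {
        $desired += @{ SubKey = "Protocols\$proto\$side"; Name = 'Enabled';           Value = 0 }
        $desired += @{ SubKey = "Protocols\$proto\$side"; Name = 'DisabledByDefault'; Value = 1 }
    }
}
$desired += @{ SubKey = 'Protocols\PCT 1.0\Server'; Name = 'Enabled';           Value = 0 }
$desired += @{ SubKey = 'Protocols\PCT 1.0\Server'; Name = 'DisabledByDefault'; Value = 1 }

# Protocols to keep enabled (Server side)
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $desired += @{ SubKey = "Protocols\$proto\Server"; Name = 'Enabled';           Value = 1 }
    $desired += @{ SubKey = "Protocols\$proto\Server"; Name = 'DisabledByDefault'; Value = 0 }
}

# Export, NULL, RC2 and RC4 ciphers, and the MD5 hash
foreach ($cipher in 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
                    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $desired += @{ SubKey = "Ciphers\$cipher"; Name = 'Enabled'; Value = 0 }
}
$desired += @{ SubKey = 'Hashes\MD5'; Name = 'Enabled'; Value = 0 }

# Renegotiation values live directly under the SCHANNEL key (empty SubKey)
$desired += @{ SubKey = ''; Name = 'AllowInsecureRenegoClients'; Value = 0 }
$desired += @{ SubKey = ''; Name = 'AllowInsecureRenegoServers'; Value = 0 }
$desired += @{ SubKey = ''; Name = 'DisableRenegoOnServer';      Value = 1 }
$desired += @{ SubKey = ''; Name = 'UseScsvForTls';              Value = 1 }

if (-not $AuditOnly) {
    foreach ($item in $desired) { Set-SchannelDword @item }
}

# Verification pass: a missing key or value reads back as $null and is reported
$mismatches = 0
foreach ($item in $desired) {
    $actual = Get-SchannelDword -SubKey $item.SubKey -Name $item.Name
    if ($actual -ne $item.Value) {
        $mismatches++
        Write-Warning ('{0}\{1} = {2} (expected {3})' -f $item.SubKey, $item.Name, $actual, $item.Value)
    }
}
if ($mismatches -eq 0) { Write-Host 'All SCHANNEL values match the desired state; reboot to apply.' }
else { Write-Host "$mismatches value(s) differ from the desired state." }
```

Run it once with -AuditOnly before changing anything: every value that is missing or differs is listed, which doubles as a quick pre-change record of the server's current SCHANNEL state.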

Setup SSL cipher suite via Group Policy (IIS7 or higher)

  • start gpedit.msc (as Administrator)
  • go to Computer Configuration ›› Admin Templates ›› Network ›› SSL Configuration Settings ›› SSL Cipher Suite Order
  • set to this value (really this long string without spaces): TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA

Here is the same list one item per line:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA (Windows XP with IE8 needs this cipher suite)

IMPORTANT: put the TLS_ECDHE_.. suites at the top to ensure Perfect Forward Secrecy and to prevent the Logjam attack.

Avoid .._NULL_.., .._MD5, .._RC4_..
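The cipher suite order step, with the two rules just given turned into a check. This is an added example, not part of the auditsquare advisory: it holds the same 38 suites in the same order, verifies that the first entry is a TLS_ECDHE_ suite and that no entry names NULL, MD5, RC4 or an export cipher, prints the single comma-separated string the gpedit setting expects, and with -Apply writes it to the registry value behind the "SSL Cipher Suite Order" policy. Assumptions beyond the page: the policy location HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002, value Functions (the key Group Policy itself writes), and the _P256/_P384/_P521 suffixed names shown above, which are the pre-Windows 10 form. The length check is not academic: the policy's own help text limits the value to 1,023 characters, and joined with commas the 38 suites above come to roughly 1,500, so suites at the end of the list (the RSA fallbacks, including the one Windows XP with IE8 needs) would be silently dropped.

```powershell
# Added example, not part of the auditsquare advisory: validates the cipher suite
# list from the page against the page's own rules and prints / optionally applies
# the Group Policy string. Assumed policy location (what gpedit writes):
#   HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002, value 'Functions'
param([switch]$Apply)   # without -Apply the script only validates and prints the string

# The 38 suites from the page, in the page's order (pre-Windows 10 _Pxxx naming)
$suites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521',   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',   'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521',      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521',    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',          'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',             'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',            'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',              'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',                 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'   # XP + IE8
)

function Test-CipherSuiteList {
    param([string[]]$Suites)
    $problems = @()
    # Rule from the IMPORTANT note: forward-secret ECDHE suites go on top
    if ($Suites[0] -notlike 'TLS_ECDHE_*') { $problems += "first suite is not ECDHE: $($Suites[0])" }
    # Rule from the "Avoid" line: no NULL, MD5 or RC4 (export-grade suites added for completeness)
    foreach ($s in $Suites) {
        if ($s -match '_NULL_|_MD5|_RC4_|_EXPORT') { $problems += "weak suite present: $s" }
    }
    # Duplicates only eat into the limited length of the policy value
    $dupes = $Suites | Group-Object | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) { $problems += "duplicate suite: $($d.Name)" }
    return ,$problems
}

$problems = Test-CipherSuiteList -Suites $suites
foreach ($p in $problems) { Write-Warning $p }

$value = $suites -join ','
# The policy's own help text limits the value to 1,023 characters; anything beyond is dropped
if ($value.Length -gt 1023) {
    Write-Warning "joined list is $($value.Length) characters; suites past the 1,023-character limit will be ignored"
}
Write-Host "SSL Cipher Suite Order ($($value.Length) characters):"
Write-Host $value

if ($Apply -and $problems.Count -eq 0) {
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $null = New-Item -Path $policyPath -Force
    $null = New-ItemProperty -Path $policyPath -Name 'Functions' -Value $value -PropertyType String -Force
    Write-Host 'Policy value written; reboot for SCHANNEL to pick up the new order.'
} elseif ($Apply) {
    Write-Error 'Not applied: fix the problems listed above first.'
}
```

If the server is domain-joined and a domain GPO also sets "SSL Cipher Suite Order", the domain value wins at the next policy refresh, so set the order there rather than on the local machine.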

Article information

Author: Lidia Grady