Remediate Specific Cipher and TLS/SSL Vulnerabilities in Windows

If you’ve ever had to remediate server security vulnerabilities related to ciphers and protocols, you know it can be tricky to figure out exactly how to get it done. There’s lots of info about how to enable specific ciphers in Windows, but it is more difficult to figure out how to explicitly disable things, and if you’re new to the world of ciphers & protocols, even knowing what to disable/enable can be confusing. To hopefully save you some searches and lots of trial & error, here are the solutions to three issues I’ve often come across which aren’t as well documented on the ‘net as they could be.

(These examples were taken from a vulnerability report generated by Rapid7’s Nexpose, but I would expect other tools to have similar language. This was specifically tested (in this order) on a Windows 2012 R2 server, but it should work on other versions as well.)

 

Issue #1: “TLS/SSL Server is enabling the BEAST attack” and other vulnerabilities that tell you to “disable insecure TLS/SSL protocol support.”

Nexpose’s recommended vulnerability solutions: “Disable SSLv2, SSLv3, and TLS 1.0. The best solution is to only have TLS 1.2 enabled.”

Actual solution:

Add the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\DisabledByDefault (DWORD: 1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\Enabled (DWORD: 0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\DisabledByDefault (DWORD: 1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled (DWORD: 0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\DisabledByDefault (DWORD: 1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled (DWORD: 0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\DisabledByDefault (DWORD: 1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled (DWORD: 0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault (DWORD: 0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\Enabled (DWORD: 1)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\DisabledByDefault (DWORD: 0)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled (DWORD: 1)

 

Issue #2: “TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)” and “TLS/SSL Server Supports 3DES Cipher Suite”

Nexpose’s recommended vulnerability solutions: “Disable TLS/SSL support for 3DES cipher suite.”

Actual solution: Add this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168\Enabled (DWORD: 0)

 

Issue #3: “TLS/SSL Server Supports The Use of Static Key Ciphers”

Nexpose’s recommended vulnerability solutions: “Disable TLS/SSL support for static key cipher suites”

Actual solution: Add this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS\Enabled (DWORD: 0)