6

To be compliant with security best practices, we have a requirement to disable RC4 ciphers.

I have investigated a way to achieve this and found that I can disable it by editing the registry keys:

```
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
```

Also, I have found that I can remove the cipher suites that contain RC4 by editing the GPO: Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

My question is: what is the best way to remove support for a cipher? By deleting all the cipher suites that contain the cipher in the GPO, or is the only way to remove support for a cipher via modifying the keys in regedit?

Yorick de Wid
kimo pryvt
    Remove support for a cipher from where? Remove support, or merely ensure that the cipher is not used? Please [edit] to clarify. Also, I'm not sure if this is really a good fit for our scope, or if it might be better asked on [su] or [sf]; I guess we'll see. Though kudos for adhering to [RFC 7465](https://tools.ietf.org/html/rfc7465). – user Sep 09 '16 at 21:16
  • **Remove support for a cipher from where?** I need to prevent client computers and servers from using RC4. **Remove support, or merely ensure that the cipher is not used?** I don't understand what you mean by "remove support". – kimo pryvt Sep 09 '16 at 21:25

1 Answer

9

RC4 is an algorithm, not some piece of software. It's the same difference as between an idea and a book: you can attempt to suppress a book that carries a specific idea, but you cannot suppress the idea itself.

Likewise, you cannot globally disable RC4 with a registry edit. At best, you will instruct software that reads that registry key not to use RC4.

Specifically, what you're doing with this registry entry (the GPO is just a way to propagate a registry edit to a domain) is instructing software that uses the Windows secure channel API for establishing a TLS/SSL connection not to use it by default. Software that does not use SChannel, or software that does not let the SChannel subsystem auto-negotiate an SSL connection, will not be affected.

For instance, setting these registry entries will prevent an IIS web server from using the RC4 cipher but will do nothing about a Tomcat server.

Conclusion: it is impossible to globally prevent the use of RC4. You should refocus your question by specifying exactly what software you want to restrict. Such a question would be more suited, however, to serverfault.com or superuser.com.

Stephane
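The registry change from the question as a PowerShell script with a read-back check, added here as an example that is not from the question or the answer. It assumes an elevated session on Windows; the function names are my own, and the `Get-TlsCipherSuite` cross-check only runs where that cmdlet exists (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the original question or answer). Assumes an
# elevated PowerShell session on Windows; function names are hypothetical.
$base    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys = @('RC4 128/128', 'RC4 40/128', 'RC4 56/128')

function Open-Hklm {
    # 64-bit view, so the edit lands where SChannel reads it.
    [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Registry64)
}

function Disable-Rc4Cipher {
    # The key names contain "/", which the HKLM:\ provider treats as a path
    # separator, so the .NET Registry API is used instead of New-Item.
    $hklm = Open-Hklm
    foreach ($name in $rc4Keys) {
        $key = $hklm.CreateSubKey("$base\$name")
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    $hklm.Close()
}

function Test-Rc4Disabled {
    # $true only when every RC4 key exists and its Enabled value is 0.
    $hklm = Open-Hklm
    $ok = $true
    foreach ($name in $rc4Keys) {
        $key = $hklm.OpenSubKey("$base\$name")
        if ($null -eq $key -or $key.GetValue('Enabled') -ne 0) { $ok = $false }
        if ($key) { $key.Close() }
    }
    $hklm.Close()
    return $ok
}

Disable-Rc4Cipher
"RC4 keys set to Enabled=0 in SCHANNEL: $(Test-Rc4Disabled)"

# Cross-check: which RC4 suites remain in the configured suite order
# (this is the list the GPO route from the question edits).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $rc4Suites = Get-TlsCipherSuite | Where-Object { $_.Name -like '*RC4*' }
    if ($rc4Suites) { "RC4 suites still listed: $($rc4Suites.Name -join ', ')" }
    else { "No RC4 cipher suites in the configured suite list." }
}
```

As the answer says, this only changes what SChannel consumers (IIS, RDP, .NET using the system stack) negotiate; a Java or OpenSSL-based service on the same host keeps its own cipher configuration. A reboot is normally needed before SChannel honours the new key values.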