Wednesday, February 8, 2017

Disable RC4 on Windows Servers

The 13 year old RC4 cipher exploit is enabled by default on Server 2012 R2.  If you have a IIS server using a digital certificate facing the Internet, it's recommended to disable RC4 cipher.

There are numerous security concerns documented on the Internet about this vulnerability including:

https://threatpost.com/attack-exploits-weakness-rc4-cipher-decrypt-user-sessions-031413/77628/

http://www.securityweek.com/new-attack-rc4-based-ssltls-leverages-13-year-old-vulnerability

To disable this vulnerability, add the following to the registry on your Server 2012 R2 operating system:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

To disable this vulnerability, add the following to the registry on your Server 2012 R2 operating system:


This was put in place on a customers RDS  Gateway and Web Access server after conducting a penetration test and finding this vulnerability enabled by default.

No comments:

Post a Comment