1

I am using a MEMCM Task Sequence to build servers running Windows Server 2019. So far, I have built 22 servers with this OS. At the end of OSD, on 20 of them I have only 10 cipher suites available for use.

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA

On the two servers with more cipher suites, I have the 31 following cipher suites available.

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384
TLS_PSK_WITH_AES_128_CBC_SHA256
TLS_PSK_WITH_NULL_SHA384
TLS_PSK_WITH_NULL_SHA256

On the servers with the limited set of cipher suites, I have added the required registry keys to enable TLS 1.2 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2 and performed a reboot, but there's still nothing more. And on the servers with the 31 cipher suites, I don't know what has been changed so that they are available. I have also tried to use Enable-TlsCipherSuite -Name XXX with no success. Finally, the servers are updated with the August 2020 updates.

Any idea why there are missing ciphers and how I can add them?

Tuttu
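To make the comparison in the question repeatable, here is an added PowerShell snippet (not the poster's code) that reports what SCHANNEL currently offers on a host and diffs it against a baseline. It assumes the Get-TlsCipherSuite cmdlet from the same TLS module as Enable-TlsCipherSuite, available on Windows Server 2016 and later; the baseline is the 31-suite list reported above for the two fully populated servers, and the weak-suite pattern at the end is my own choice of what to flag.

```powershell
# Added example: diff the cipher suites SCHANNEL offers on this host against a
# baseline. Run in an elevated PowerShell session on the server under test.

# Baseline: the 31 suites the question reports on the two "good" Server 2019
# hosts. Swap in the published default list for your build, or your own
# hardened list, to turn this into a compliance check.
$Baseline = @(
    'TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_NULL_SHA256', 'TLS_RSA_WITH_NULL_SHA',
    'TLS_PSK_WITH_AES_256_GCM_SHA384', 'TLS_PSK_WITH_AES_128_GCM_SHA256',
    'TLS_PSK_WITH_AES_256_CBC_SHA384', 'TLS_PSK_WITH_AES_128_CBC_SHA256',
    'TLS_PSK_WITH_NULL_SHA384', 'TLS_PSK_WITH_NULL_SHA256'
)

# What SCHANNEL will actually negotiate on this host, in priority order.
$Enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

# Cipher suite strings written by older policy templates carry a curve suffix
# (..._P256 / ..._P384), as in the 10-suite list above. Strip it so those names
# compare against the unsuffixed names used by the baseline.
$EnabledNormalised = @($Enabled -replace '_P(256|384|521)$', '' | Select-Object -Unique)

$Missing = @($Baseline | Where-Object { $_ -notin $EnabledNormalised })
$Extra   = @($EnabledNormalised | Where-Object { $_ -notin $Baseline })

'{0} suites enabled, {1} missing from baseline, {2} not in baseline' -f `
    $Enabled.Count, $Missing.Count, $Extra.Count
if ($Missing) { "`nMissing:";         $Missing }
if ($Extra)   { "`nNot in baseline:"; $Extra }

# The OS default list itself contains NULL and 3DES suites; flag anything of
# that kind that is enabled so the report doubles as a hardening check.
$Weak = @($EnabledNormalised | Where-Object { $_ -match 'NULL|3DES|RC4|MD5|EXPORT' })
if ($Weak) { "`nWeak suites still enabled (consider disabling):"; $Weak }
```

A host that shows only the 10 CBC suites will report 21 missing entries, which is the symptom described above; the "weak suites" section is the list you would feed to Disable-TlsCipherSuite once the missing suites are back.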

3 Answers

1

TLS 1.2 is enabled by default.

The registry key for ciphers is:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233

Greg Askew
  • Thanks for that bit of information. What I don't understand is why my servers don't have all the default cipher suites available after OSD. I'm using [this list](https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1809) for reference. (Windows Server 2019 is based on the 1809 version) – Tuttu Aug 17 '20 at 12:47
1

Stupid reason. There was an old GPO that was limiting the cipher list to those 10 ciphers. rsop was showing nothing, but gpresult /h was showing what I needed. :)

Tuttu
  • Was this a system or custom GPO? Can you please share where you found this old policy? I am having a similar issue after enabling them via 'Enable-TlsCipherSuite -Name XXX' – Jeffrey Holmes Oct 26 '22 at 02:26
  • Hello @JeffreyHolmes! There are two GPOs that are native to Windows Server. You can find more information on how to use them on this Microsoft Learn page: https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls#configuring-tls-cipher-suite-order-by-using-group-policy They are located under: Computer Configuration > Administrative Templates > Network > SSL Configuration Settings. – Tuttu Oct 27 '22 at 06:24
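The answer above found the restriction in a GPO that RSoP did not surface. As an added example, not the answerer's code, the following PowerShell checks the two registry locations where the SSL Cipher Suite Order setting lives so you can tell whether a policy or a local change is in effect before reaching for gpresult. The registry paths are the documented ones for the "SSL Cipher Suite Order" policy (Functions value, written as a comma-separated REG_SZ by Group Policy and as a REG_MULTI_SZ for the local setting); the function name Get-CipherSuiteOrderSource is my own.

```powershell
# Added example: locate the source of a cipher suite order restriction.
# SCHANNEL takes the first populated 'Functions' value in this order:
#   1. Group Policy  HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
#   2. Local config  HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
#   3. Built-in defaults when neither exists.
# Enable-TlsCipherSuite only edits (2), which is why it has no visible effect
# while a policy value from (1) is present.

function Get-CipherSuiteOrderSource {
    $candidates = [ordered]@{
        'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
        'Local'        = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
    }
    foreach ($entry in $candidates.GetEnumerator()) {
        $item = Get-ItemProperty -Path $entry.Value -Name Functions -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value absent: fall through
        # Policy stores one comma-separated string, the local key a string
        # array; -split on either yields a flat list of suite names.
        $suites = @(@($item.Functions) -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        return [pscustomobject]@{
            Source = $entry.Key; Path = $entry.Value; Count = $suites.Count; Suites = $suites
        }
    }
    return [pscustomobject]@{ Source = 'Built-in defaults'; Path = $null; Count = 0; Suites = @() }
}

$src = Get-CipherSuiteOrderSource
'Cipher suite order source: {0} ({1} suites) {2}' -f $src.Source, $src.Count, $src.Path
$src.Suites

# When Group Policy is the source, a computer-scope HTML report names the GPO
# that sets "SSL Cipher Suite Order" (Computer Configuration > Administrative
# Templates > Network > SSL Configuration Settings), which RSoP may not show.
if ($src.Source -eq 'Group Policy') {
    $report = Join-Path $env:TEMP 'gpresult-computer.html'
    gpresult /scope computer /h $report /f
    "Open $report and search for 'SSL Cipher Suite Order' to see which GPO applies it."
}
```

Two caveats worth knowing when you then fix the policy: the policy value is a single string limited to 1,023 characters, so a long list written with the old curve-suffixed names can be silently truncated, and changes to either key only take effect after a reboot.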
0

You can simply use IIS Crypto. Use this tool to enable or disable cipher suites and change their order. https://www.nartac.com/Products/IISCrypto/Download

ComputerBas