7

I want to disable RC4 in Windows Server 2012. From this link, I should disable the registry key or RC*

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC*]

But I am not able to find anything under

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\

Any idea?

Also I checked the security update No. 2868725 and did not find it in the Windows Update history although it is up to date.

Michael Hampton
Homam
  • Are you using Windows Server 2012 R2? If so, RC4 is disabled by default. – Apr 10 '15 at 09:08
  • This is related to this link http://serverfault.com/questions/580930/how-to-disable-sslv2-or-sslv3 I recommend you use 'IIS Crypto'; it can seem that it's specific to IIS, but, as the changes are in the registry, they apply to the whole system. – Carlos Garcia Dec 15 '15 at 12:45

3 Answers

14

RC4 is not disabled by default in Server 2012 R2. It only has "the functionality to restrict the use of RC4" built in. You will have to set the required registry keys yourself:

The RC4 cipher can be completely disabled on Windows platforms by setting the "Enabled" (REG_DWORD) entry to value 00000000 in the following registry locations:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

https://social.technet.microsoft.com/Forums/en-US/faad7dd2-19d5-4ba0-bd3a-fc724d234d7b/how-to-diable-rc4-is-windows-2012-r2?forum=winservergen

Salcho Bob
  • 3
    This should be marked as the only correct answer. The other leaves you vulnerable. It is NOT disabled by default. – Tony Wall Sep 24 '15 at 04:25
1

As you're using Windows Server 2012 R2, RC4 is disabled by default.

Citation:

Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?
No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

Technet Article.

SEJPM
  • 4
    Not according to the test at ssllabs. The other answer is correct. Additionally you have to disable SSL3. I only learnt about that via their scanning tool, which I recommend: https://www.ssllabs.com/ssltest/ – Tony Wall Sep 24 '15 at 04:24
  • 2
    That comment is about a patch that allows disabling RC4. It is saying that 2012R2 doesn't need the patch because by default it *allows* disabling. However, by default RC4 is *NOT* disabled. – Mark Oct 08 '15 at 22:12
1

For anyone who wants to do this using PowerShell, it is a bit trickier than other registry keys because of the forward slash in the key names. I used the following fragment to get it to work:

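# Get-Item returns a read-only key object, so reopen 'Ciphers' as writable ($true).
$schannel = Get-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
$ciphers = $schannel.OpenSubKey('Ciphers', $true)
# CreateSubKey keeps the forward slash as part of the subkey name.
foreach ($name in 'RC4 40/128', 'RC4 56/128', 'RC4 128/128') {
    $key = $ciphers.CreateSubKey($name)
    # Enabled = 0 (REG_DWORD) disables the cipher in SCHANNEL.
    $key.SetValue('Enabled', 0x0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}
$ciphers.Close()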

One item to take note of: you have to open $ciphers as a subkey with the second parameter set to true so that you can actually write to it. Get-Item seems to give back a read-only copy, and CreateSubKey will fail unless you have a writable key object. There is more discussion about path elements in a subkey here.
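
To confirm the setting after applying it, the following read-only audit checks the three RC4 keys named in the answers above. It is an added example, not code from any of the posters; Get-Rc4SchannelState is a hypothetical helper name. A missing key or value is reported as NotConfigured, meaning the explicit disable described above is not in place.

```powershell
# Added example: read-only audit of the RC4 SCHANNEL cipher keys from the answers.
# Get-Rc4SchannelState is a hypothetical helper name, not a built-in cmdlet.
function Get-Rc4SchannelState {
    $base  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    $names = 'RC4 40/128', 'RC4 56/128', 'RC4 128/128'

    # Use the .NET registry API (read-only open) so the "/" in the subkey
    # names is kept as part of the name rather than parsed as a separator.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base)

    foreach ($name in $names) {
        $present = $false
        $value   = $null
        $kind    = $null
        if ($ciphers) {
            $key = $ciphers.OpenSubKey($name)
            if ($key) {
                $present = $true
                $value = $key.GetValue('Enabled', $null)
                # GetValueKind throws if the value is absent, so only call it when set.
                if ($null -ne $value) { $kind = $key.GetValueKind('Enabled') }
                $key.Close()
            }
        }

        $state = if ($null -eq $value) {
            'NotConfigured'    # key or "Enabled" value missing
        } elseif ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            'WrongType'        # the page specifies REG_DWORD
        } elseif ($value -eq 0) {
            'Disabled'
        } else {
            'Enabled'
        }

        [pscustomobject]@{ Cipher = $name; KeyPresent = $present; Enabled = $value; State = $state }
    }
    if ($ciphers) { $ciphers.Close() }
}

$result = @(Get-Rc4SchannelState)
$result | Format-Table -AutoSize
$open = @($result | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning ("RC4 not explicitly disabled for: " + (($open | ForEach-Object { $_.Cipher }) -join ', '))
}
```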