Cipher suite madness


Kurt Buff

Aug 13, 2025, 3:02:57 PM
to ntsys...@googlegroups.com
All,

Our VM suite is alerting TLS/SSL using 3DES. Specifically, it's showing that it's connecting on port 5986 (WinRM) with TLS_RSA_WITH_3DES_EDE_CBC_SHA for both TLS 1.1 and TLS 1.2

I've got a GPO that sets the SSL Cipher Suite Order here:
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

It doesn't list any 3DES ciphers, and when I use the Get-TLSCipherSuite cmdlet, there are no 3DES ciphers listed.

However, I've found that cipher mentioned in Functions in all of the following:
HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002
HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft SSL Protocol Provider\KM\00010002
HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft SSL Protocol Provider\UM\00010002

Which of the above do I need to massage with new GPO settings?

Kurt

Henry Awad

Aug 13, 2025, 4:04:21 PM
to ntsys...@googlegroups.com
I used the instructions from MichaleMazey-2536's comment in this link, How to disable 3DES and RC4 on Windows Server 2019? - Microsoft Q&A, and got rid of all the 3DES ciphers. The GPO is applied to all my Windows servers (2016 through 2022). You can also use IIS Crypto from Nartac Software (also mentioned in the comments of the link) to remove unwanted ciphers, but that's not easy to do on a large number of servers without scripting it. On a couple of servers, our vulnerability management suite kept showing that 3DES and RC4 were in use. It turned out that the application running on the server had its own settings to use these ciphers. After disabling them in the settings of the app, the vulnerability was cleared.

Hope this helps.
Henry


Kurt Buff

Aug 13, 2025, 4:13:19 PM
to ntsys...@googlegroups.com
Thanks for this link. I used the Nartac config as the starting point for the GPO, but I'll look over the article and try that.

Kurt

Henry Awad

Aug 13, 2025, 4:34:00 PM
to ntsys...@googlegroups.com
This is how my GPO looks:

[attachment: image.png]

And from the link, I added the following ciphers to the GPO, for anyone looking to implement this in their own environment. Be careful with any legacy application that relies on these old ciphers. You would need to exempt those servers from the GPO.
TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

Henry
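An added example, not Kurt's or Henry's code and not from the thread: a PowerShell audit that reads the Functions value from the GPO policy key and the four local keys Kurt listed, compares that with the effective list Get-TlsCipherSuite reports, and applies the same check to a proposed GPO string (a constructed sample value here, not Henry's list). The pattern it uses also flags the TLS_*_NULL_* suites, which provide no encryption at all.

```powershell
# Added example (not code from the thread): audit every place Schannel keeps
# a cipher suite list on a Windows host and flag suites a vulnerability
# scanner will report. Run in an elevated PowerShell 5.1 or later session.

# 3DES, RC4, single DES, NULL (no encryption) and export-grade suites.
$WeakPattern = '3DES|RC4|_DES_|NULL|EXPORT'

# The GPO policy key plus the four local keys named in the thread.
$Paths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft SSL Protocol Provider\KM\00010002',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft SSL Protocol Provider\UM\00010002'
)

function ConvertTo-SuiteList {
    # Accepts either a comma-separated string (REG_SZ, as the policy key and
    # a GPO value use) or a string array (REG_MULTI_SZ, as the local keys use).
    param($Value)
    if ($null -eq $Value) { return @() }
    if ($Value -is [string]) { $Value = $Value -split ',' }
    return @($Value | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Find-WeakSuite {
    param([string[]]$Suites)
    return @($Suites | Where-Object { $_ -match $WeakPattern })
}

foreach ($p in $Paths) {
    $raw    = (Get-ItemProperty -Path $p -Name Functions -ErrorAction SilentlyContinue).Functions
    $suites = ConvertTo-SuiteList $raw
    $weak   = Find-WeakSuite $suites
    '{0}' -f $p
    '  configured: {0}  weak: {1}' -f $suites.Count, ($weak -join ', ')
}

# The effective list Schannel offers on listeners such as WinRM on 5986.
$effective = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
'Effective (Get-TlsCipherSuite) weak suites: ' + ((Find-WeakSuite $effective) -join ', ')

# Review a proposed GPO string before deploying it (constructed sample value).
$proposed = 'TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_NULL_SHA'
'Proposed GPO value weak suites: ' + ((Find-WeakSuite (ConvertTo-SuiteList $proposed)) -join ', ')
```

Where the policy key is absent, the script reports configured: 0 for it and Schannel is using one of the local lists instead; a weak suite that shows up only in the Get-TlsCipherSuite line but in none of the keys points at an application carrying its own cipher settings, as Henry describes.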


Kurt Buff

Aug 13, 2025, 6:01:33 PM
to ntsys...@googlegroups.com
Our cipher lists largely overlap, but there are differences. Somehow I don't think updating mine to match yours will fix this problem, but I'm going to try anyway.

Ciphers that your list has that mine doesn't:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Ciphers that my list has that yours doesn't:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Thanks,
Kurt

Dave Lum

Aug 19, 2025, 9:16:48 AM
to ntsys...@googlegroups.com

“It turned out that the application running on the server had its own settings to use these ciphers.” The first time I ran across this I thought I was going insane!

My other rookie mistake a few years back was not WMI filtering, which made 2019 mad when we started rolling out that OS. I hadn't considered (or really given much thought to) newer OSes having newer ciphers, THEN I realized "well DUH".
