Cipher suite madness

[Kurt Buff]

All,

Our VM suite is alerting TLS/SSL using 3DES. Specifically, it's showing that it's connecting on port 5986 (WinRM) with TLS_RSA_WITH_3DES_EDE_CBC_SHA for both TLS 1.1 and TLS 1.2

I've got a GPO that sets the SSL Cipher Suite Order here:

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

 It doesn't list any 3DES ciphers, and when I use the Get-TLSCipherSuite cmdlet, there are no 3DES ciphers listed.

However, I've found that cipher mentioned in Functions in in all of the following

HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002

HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft SSL Protocol Provider\KM\00010002

HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft SSL Protocol Provider\UM\00010002

Which of the above do I need to massage with new GPO settings?

Kurt

[Henry Awad]

I used the instructions from MichaleMazey-2536 comment in this link How to disable 3DES and RC4 on Windows Server 2019? - Microsoft Q&A and got rid of all the 3DES ciphers. The GPO is applied to all my Windows server (2016 through 2022). You can also use IIS Crypto from Nartac Software (alos mentioned in the comments of the link) to remove unwanted ciphers but that's not easy to do on a large number of servers without scripting it. On a couple of servers, our vulnerability management suite kept showing that 3DES and RC4 were in use. It turned out that the application running on the server had its own settings to use these ciphers. After disabling them in the settings of the app, the vulnerability was cleared.

Hope this helps.

Henry

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce70NUL8BDtxGDWrJh5%2B9C6Y4TTKG7T2rjZTVLe7eA7g4g%40mail.gmail.com.

[Kurt Buff]

Thanks for this link. I used the Nartac config as the starting point for the GPO, but I'll look over the article and try that.

Kurt

To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAGaCHK74qx_Ngmf2rkw1mnkoPqXHBHd89wScsVkYrAyg%3DYnHJQ%40mail.gmail.com.

[Henry Awad]

This is how my GPO looks like: 

And from the link, I added the following ciphers to the GPO for anyone looking to implement in their own environment..Be careful with any legacy application that relies on these old ciphers. You would need to exempt those servers from the GPO.

TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

Henry

To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CADy1Ce4ErMqGAGM%2BoRwbmp5reeqPsmcyRciRC4TFbs74p-0%2BPA%40mail.gmail.com.

[Kurt Buff]

Our cipher lists largely overlap, but there are differences. Somehow I don't think updating mine to match yours will fix this problem, but I'm going to try anyway.

Ciphers that your list has that mine doesn't:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA

Ciphers that my list has that yours doesn't:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Thanks,

Kurt

To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAGaCHK7XTtkRNT3rigFACBPLPqsdeew4Bb%3D5Bd4dOb3pK7Z8bg%40mail.gmail.com.

[Dave Lum]

“It turned out that the application running on the server had its own settings to use these ciphers.” The first time I ran across this I thought I was going insane!

My other rookie mistake a few years back was not WMI filtering which made 2019 mad when we started rolling out that OS, I hadn’t considered (or really given much thought) to newer OS’s having newer ciphers, THEN I realized “well DUH”.

 

Dave Lum (he/him)

Systems Administrator III
P: 503.546.2163
E: lu...@ochin.org
A: 1881 SW Naito Parkway, Portland, OR 97201

 www.ochin.org

 

 

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of Henry Awad
Sent: Wednesday, August 13, 2025 1:04 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Cipher suite madness

 

CAUTION: This email originated from outside of OCHIN’s network

Do not click links or open attachments unless you recognize the sender and know the content is safe. If you suspect this email is phishing or a scam, use the report button in the Outlook toolbar to report it to Desktop Support.

 

To view this discussion visit https://groups.google.com/d/msgid/ntsysadmin/CAGaCHK74qx_Ngmf2rkw1mnkoPqXHBHd89wScsVkYrAyg%3DYnHJQ%40mail.gmail.com.

Attention: Information contained in this message and or attachments is intended only for the recipient(s) named above and may contain confidential and or privileged material that is protected under State or Federal law. If you are not the intended recipient, any disclosure, copying, distribution or action taken on it is prohibited. If you believe you have received this email in error, please contact the sender with a copy to compl...@ochin.org, delete this email and destroy all copies.