Update Cipher Suite In Windows Server 2016

 

For Windows 10, version 1607 and Windows Server 2016, the following cipher suites are enabled and in this priority order by default using the Microsoft Schannel Provider:

TABLE 1

Cipher suite string

Allowed by SCH_USE_STRONG_CRYPTO

TLS/SSL Protocol versions

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Yes

TLS 1.2

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Yes

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Yes

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Yes

TLS 1.2

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

Yes

TLS 1.2

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Yes

TLS 1.2

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Yes

TLS 1.2

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

Yes

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Yes

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Yes

TLS 1.2

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_RSA_WITH_AES_256_GCM_SHA384

Yes

TLS 1.2

TLS_RSA_WITH_AES_128_GCM_SHA256

Yes

TLS 1.2

TLS_RSA_WITH_AES_256_CBC_SHA256

Yes

TLS 1.2

TLS_RSA_WITH_AES_128_CBC_SHA256

Yes

TLS 1.2

TLS_RSA_WITH_AES_256_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_RSA_WITH_AES_128_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_RSA_WITH_3DES_EDE_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Yes

TLS 1.2

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

Yes

TLS 1.2

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0

TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Yes

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_RSA_WITH_RC4_128_SHA

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_RSA_WITH_RC4_128_MD5

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_RSA_WITH_NULL_SHA256
Only used when application explicitly requests.

No

TLS 1.2

TLS_RSA_WITH_NULL_SHA
Only used when application explicitly requests.

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

 

The following cipher suites are supported by the Microsoft Schannel Provider, but not enabled by default:

TABLE 2

Cipher suite string

Allowed by SCH_USE_STRONG_CRYPTO

TLS/SSL Protocol versions

TLS_RSA_WITH_DES_CBC_SHA

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_RSA_EXPORT_WITH_RC4_40_MD5

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_RSA_WITH_NULL_MD5
Only used when application explicitly requests.

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_DHE_DSS_WITH_DES_CBC_SHA

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA

No

TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

 

Beginning in Windows 10, version 1607 and Windows Server 2016, the following PSK cipher suites are enabled and in this priority order by default using the Microsoft Schannel Provider:

TABLE 3

Cipher suite string

Allowed by SCH_USE_STRONG_CRYPTO

TLS/SSL Protocol versions

TLS_PSK_WITH_AES_256_GCM_SHA384

Yes

TLS 1.2

TLS_PSK_WITH_AES_128_GCM_SHA256

Yes

TLS 1.2

TLS_PSK_WITH_AES_256_CBC_SHA384

Yes

TLS 1.2

TLS_PSK_WITH_AES_128_CBC_SHA256

Yes

TLS 1.2

TLS_PSK_WITH_NULL_SHA384

No

TLS 1.2

TLS_PSK_WITH_NULL_SHA256

No

TLS 1.2

 

 Note

No PSK cipher suites are enabled by default. Applications need to request PSK using SCH_USE_PRESHAREDKEY_ONLY. For more information on Schannel flags

 

To add cipher suites, either deploy a group policy or use the TLS cmdlets:

·         To use group policy, configure SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all cipher suites you want enabled.


How to Update Your Windows Server Cipher Suite for Better Security

Update Your Cipher Suite

We’ve covered the background, now let’s get our hands dirty. Updating the suite of options your Windows server provides isn’t necessarily straightforward, but it definitely isn’t hard either.

 To start, press Windows Key + R to bring up the “Run” dialogue box. Type “gpedit.msc” and click “OK” to launch the Group Policy Editor. This is where we’ll make our changes.

On the left hand side, expand Computer Configuration, Administrative Templates, Network, and then click on SSL Configuration Settings.

On the right hand side, double click on SSL Cipher Suite Order.



By default, the “Not Configured” button is selected. Click on the “Enabled” button to edit your server’s Cipher Suites.


The SSL Cipher Suites field will fill with text once you click the button. If you want to see what Cipher Suites your server is currently offering, copy the text from the SSL Cipher Suites field and paste it into Notepad. The text will be in one long, unbroken string. Each of the encryption options is separated by a comma. Putting each option on its own line will make the list easier to read.

 

Before implementing the below ciphers confirm that your applications will not get effected from this.

 Priority Order

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

 

No comments:

Post a Comment