How to disable 3DES and RC4 on Windows Server 2019? - Microsoft Q&A (2024)

The recommended way of resolving the Sweet32 vulnerability (Weak key length) is to disable the cipher suites that contain the elements that are weak or compromised. You can disable any cipher suites you do not want by enabling either a local or GPO policy...

https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

Since the cipher suites do vary between OS versions, you can have a GPO for each OS version and a WMI filter on each GPO to target a specific OS version. Microsoft does not recommend disabling ciphers, hashes, or protocols with registry settings as these could be reset/removed with an update. The preferred method is to choose a set of cipher suites and use either the local or group policy to enforce the list. This allows you to select the cipher suites that support the TLS version you need and to select only cipher suites that do not have weak or compromised elements like RC4, DES, MD5, EXPORT, NULL, and RC2.

Let's look at an example of Windows Server 2019 and Windows 10, version 1809.

[Image: colour-coded table of the cipher suites available on Windows Server 2019 / Windows 10, version 1809]

The cells in green are what we want and the cells in red are things we should avoid. Yellow cells represent aspects that overlap between good and fair (or bad). If we take only the cipher suites that support TLS 1.2, support SCH_USE_STRONG_CRYPTO and exclude the remaining cipher suites that have marginal to bad elements, we are left with a very short list.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

6 cipher suites that have strong elements, will support SCH_USE_STRONG_CRYPTO, and Perfect Forward Secrecy (PFS).

With this selection of cipher suites I do not have to disable TLS 1.0, TLS 1.1, DES, 3DES, RC4 etc. as there are no cipher suites that I am allowing that have those elements.
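The following PowerShell is an added example and not code from the answer above or from Microsoft. It enforces the answer's six-suite allow list through the same registry value the "SSL Cipher Suite Order" Group Policy writes, refuses a list that still contains a weak element, and then audits what Schannel has enabled. It assumes Windows Server 2016 / Windows 10 1607 or later (where the TLS cmdlets ship), an elevated session, and that the policy key path and the 1023-character limit on the policy string match the GPO behaviour; the deny-list regular expression is mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Microsoft Q&A answer above.
# Enforces the six-suite allow list through the value the "SSL Cipher Suite
# Order" policy writes, then audits the result. Assumes Windows Server 2016 /
# Windows 10 1607 or later and an elevated session. Schannel reads the list at
# boot, so a reboot is required before the new order takes effect.

$AllowedSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Policy key: what the GPO "SSL Cipher Suite Order" (Enabled) writes. Schannel
# prefers it over the machine default under
# HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002,
# and Windows updates do not rewrite it.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Elements the answer says to keep out (assumed deny list, matched on suite name).
$WeakPattern = 'RC4|3DES|_DES_|NULL|MD5|EXPORT|RC2'

function Set-TlsCipherSuitePolicy {
    param([Parameter(Mandatory)][string[]]$Suites)

    # Refuse to enforce an allow list that still carries a weak element.
    $bad = $Suites | Where-Object { $_ -match $WeakPattern }
    if ($bad) { throw "Allow list contains weak suites: $($bad -join ', ')" }

    # The policy stores one comma-separated REG_SZ named Functions, capped at
    # 1023 characters by the policy editor; fail loudly rather than truncate.
    $value = $Suites -join ','
    if ($value.Length -gt 1023) { throw 'Cipher suite string exceeds 1023 characters' }

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Functions' -PropertyType String `
        -Value $value -Force | Out-Null
}

function Get-TlsCipherSuitePolicy {
    # Returns the suites the policy will enforce, or $null when no policy is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($item) { $item.Functions -split ',' } else { $null }
}

function Get-WeakTlsCipherSuite {
    # Audits the machine list (what Get-TlsCipherSuite reports). With a policy
    # in place the policy list wins, so check both before and after the reboot.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match $WeakPattern } |
        Select-Object Name, Cipher, Hash, Exchange
}

function Disable-WeakTlsCipherSuiteLocally {
    # Alternative without Group Policy: prune the machine list in place with the
    # built-in cmdlet. Same caveat as the answer gives for registry edits: an
    # update may restore entries, so re-run the audit after patching.
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match $WeakPattern } |
        ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
}

Set-TlsCipherSuitePolicy -Suites $AllowedSuites
Write-Host "Policy list now:`n$((Get-TlsCipherSuitePolicy) -join "`n")"
$weak = Get-WeakTlsCipherSuite
if ($weak) {
    Write-Warning 'Machine list still offers weak suites (policy applies after reboot):'
    $weak | Format-Table -AutoSize
}
```

Test the allow list against your real clients before enforcing it: anything that can only negotiate TLS 1.0/1.1, or only plain RSA key exchange (no ECDHE or DHE), will stop connecting, because none of the six suites can be negotiated below TLS 1.2 and none uses static RSA key exchange.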

The answer above compresses several distinct mechanisms into a few sentences. Taking them one at a time:

Sweet32 Vulnerability:

Sweet32 (CVE-2016-2183) is a birthday attack on block ciphers with a 64-bit block, 3DES and Blowfish among them, when they are used in CBC mode. It is not a key-length problem: 3DES keys are 112 or 168 bits. After roughly 2^32 blocks (about 32 GB) have been encrypted under one key, ciphertext block collisions become likely, and each collision leaks the XOR of two plaintext blocks; in a long-lived TLS session that repeatedly carries a secret at a known position, such as a session cookie, that is enough to recover the secret. Vulnerability scanners often file the finding as "weak key length" or "medium strength cipher", which is how the question came to be phrased that way.

Resolving Sweet32:

The recommended approach to address Sweet32 involves disabling cipher suites that contain elements vulnerable to compromise. This can be achieved through either local or Group Policy Object (GPO) settings.

Local and GPO Policy:

Local and Group Policy settings are mechanisms in Microsoft Windows that allow administrators to configure and enforce system-wide settings. In the context of Sweet32, these policies can be used to disable cipher suites on individual machines or across an entire network.

WMI Filter:

Windows Management Instrumentation (WMI) filters can be applied to GPOs to target specific operating system versions. This ensures that the appropriate policies are applied to different OS versions, considering the variations in cipher suites between them.

Registry Settings:

The answer notes that Microsoft does not recommend disabling ciphers, hashes, or protocols through the SCHANNEL registry keys, because an update can reset or remove those values. A Group Policy setting is re-applied at every policy refresh, which makes it the more persistent configuration.

Cipher Suites Selection:

The preferred method involves selecting a set of cipher suites supporting the required TLS version while excluding those with weak or compromised elements like RC4, DES, MD5, EXPORT, NULL, and RC2.

Example for Windows Server 2019 and Windows 10, version 1809:

The answer works through Windows Server 2019 and Windows 10, version 1809. It keeps only the cipher suites that support TLS 1.2 and SCH_USE_STRONG_CRYPTO and drops every suite with a marginal or bad element. The resulting six suites, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 among them, all use AES-GCM with SHA-2 and an ephemeral (ECDHE or DHE) key exchange, so they provide Perfect Forward Secrecy (PFS).

Conclusion:

Selecting the allowed suites and enforcing the list through policy lets administrators remove Sweet32 (and RC4, DES, MD5, NULL and EXPORT) without a separate protocol or cipher switch: no permitted suite can be negotiated under TLS 1.0 or 1.1, so those versions are effectively off as well. The trade-off is compatibility. Clients limited to TLS 1.0/1.1 or to static RSA key exchange will no longer connect, so the list should be tested against real client traffic before it is rolled out, and a per-OS GPO with a WMI filter keeps the list aligned with the suites each Windows version actually supports.


FAQs

How do I disable RC4 on Windows Server 2019? ›

This setting governs Kerberos, not TLS. On the server, go to Local Group Policy Editor > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos, clear RC4_HMAC_MD5 (and the two DES types), and leave AES128_HMAC_SHA1, AES256_HMAC_SHA1 and Future encryption types selected. Accounts and trusts that only have RC4 keys will fail once this is applied, so check for RC4 ticket use first (see the question on checking for RC4 below). To disable RC4 for TLS, use the SSL Cipher Suite Order policy described under the next question.

How do I disable 3DES ciphers on Windows Server? ›

Disable RC4/DES/3DES cipher suites in Windows using Group Policy Object (GPO) or local security settings (a registry edit also works but is not the recommended route):
  1. In GPO or Local Group Policy, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
  2. Set the policy to Enabled and, in the SSL Cipher Suites field, enter the comma-separated, ordered list of suites you want to keep, leaving out every suite whose name contains 3DES, DES or RC4. Reboot for the change to take effect.

How do I disable RC4 and des? ›

The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 holds the machine's cipher suite order in its Functions value. Deleting the whole key removes the list rather than the two ciphers and is not a supported way to disable RC4 and 3DES. Instead, either edit the Functions value to drop every suite containing RC4 or 3DES and restart the server, or, preferably, set the SSL Cipher Suite Order policy, which writes the same kind of list to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 and is not rewritten by updates. The older per-cipher switches (Enabled = 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168 and \RC4 128/128) still work, but the answer above explains why Microsoft prefers the policy.

How do you disable and stop using DES and 3DES ciphers? ›

Disabling 3DES/DES TLS cipher suites by using Group Policy:
  1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.
  2. If you have not enabled it previously, double-click SSL Cipher Suite Order, and then click the Enabled option.
  3. In the SSL Cipher Suites field, enter the ordered list of suites to keep, with every suite containing DES or 3DES removed, then reboot the target machines.

What happens if we disable RC4? ›

In this manner, any server or client that is talking to a client or server that must use RC4 can prevent a connection from occurring. Clients that deploy this setting will be unable to connect to sites that require RC4, and servers that deploy this setting will be unable to service clients that must use RC4.

How do I disable weak ciphers on Windows Server? ›

A common shortcut on a Windows server is to run IIS Crypto (a free tool from Nartac Software) and untick the protocols and ciphers you do not want, then reboot; they are no longer offered. Be aware that the tool writes the SCHANNEL registry keys, which is the registry route the answer above says Microsoft does not recommend, so re-check after updates or use the cipher suite order policy instead.

How to check if RC4 is used? ›

Detecting Kerberos tickets encrypted with RC4 does not need a SIEM. Domain controllers log every TGT request as Security event 4768 and every service ticket request as 4769, and each event's TicketEncryptionType field records the cipher used: 0x17 is RC4-HMAC, 0x11 and 0x12 are AES128 and AES256, 0x1 and 0x3 are the DES types. Filtering those events with Windows PowerShell on the domain controllers is enough to find every account and service still relying on RC4.
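The following PowerShell is an added example, not code from the page's sources. It implements the detection just described (and supplies the check that the earlier Kerberos encryption-types question needs before RC4 is cleared): it parses the TicketEncryptionType field out of 4768/4769 event XML and reports the RC4 ones. The two sample events are constructed for this example; the account, service and IP values in them are invented. It assumes the domain controller audits "Kerberos Authentication Service" and "Kerberos Service Ticket Operations" successes, otherwise the events do not exist.

```powershell
# Added example, not code from the page's FAQ sources. Finds Kerberos tickets
# issued with RC4 by reading TicketEncryptionType from Security events 4768
# (TGT) and 4769 (service ticket). Assumes the DC audits Kerberos
# Authentication Service and Kerberos Service Ticket Operations (Success).

# Kerberos etype codes as they appear (hex strings) in the event data.
$KerberosEtype = @{
    '0x1'  = 'DES-CBC-CRC'
    '0x3'  = 'DES-CBC-MD5'
    '0x11' = 'AES128-CTS-HMAC-SHA1-96'
    '0x12' = 'AES256-CTS-HMAC-SHA1-96'
    '0x17' = 'RC4-HMAC'
    '0x18' = 'RC4-HMAC-EXP'
}
$EventNs = 'http://schemas.microsoft.com/win/2004/08/events/event'

function ConvertFrom-KerberosTicketEvent {
    # Flattens one event's XML (live: $event.ToXml(); or the samples below).
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e  = [xml]$Xml
        $ns = New-Object System.Xml.XmlNamespaceManager($e.NameTable)
        $ns.AddNamespace('ev', $EventNs)

        $data = @{}
        foreach ($d in $e.SelectNodes('//ev:EventData/ev:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $code = $data['TicketEncryptionType']
        $name = if ($KerberosEtype.ContainsKey($code)) { $KerberosEtype[$code] } else { "unknown ($code)" }

        [pscustomobject]@{
            EventId   = [int]$e.SelectSingleNode('//ev:System/ev:EventID', $ns).InnerText
            Time      = $e.SelectSingleNode('//ev:System/ev:TimeCreated', $ns).GetAttribute('SystemTime')
            Account   = $data['TargetUserName']
            Service   = $data['ServiceName']
            ClientIp  = $data['IpAddress']
            EtypeCode = $code
            Etype     = $name
            IsRc4     = $code -in '0x17', '0x18'
        }
    }
}

function Find-Rc4KerberosTicket {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $EventXml | ConvertFrom-KerberosTicketEvent | Where-Object IsRc4
}

# Constructed sample events (invented names and addresses) in the real 4769 shape.
$Rc4Sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2024-03-04T10:15:02Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_backup@CORP.EXAMPLE</Data>
    <Data Name="ServiceName">MSSQLSvc/db01.corp.example:1433</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
  </EventData>
</Event>
'@
$AesSample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="2024-03-04T10:15:09Z"/></System>
  <EventData>
    <Data Name="TargetUserName">alice@CORP.EXAMPLE</Data>
    <Data Name="ServiceName">cifs/fs01.corp.example</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="IpAddress">::ffff:10.0.0.31</Data>
  </EventData>
</Event>
'@

# Against the samples only the RC4 ticket is reported.
Find-Rc4KerberosTicket -EventXml $Rc4Sample, $AesSample |
    Format-Table EventId, Account, Service, Etype, ClientIp -AutoSize

# Live use on a domain controller: feed the real events in and group by who
# still depends on RC4.
# $live = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4768, 4769} -MaxEvents 5000 |
#         ForEach-Object { $_.ToXml() }
# Find-Rc4KerberosTicket -EventXml $live | Group-Object Account, Service | Sort-Object Count -Descending
```

Run this over at least a week of logs on every domain controller before clearing RC4 in the "Configure encryption types allowed for Kerberos" policy. Every account that shows up needs an AES key, which an account created before AES was enabled on it only gets after a password reset, and every trust that shows up needs AES enabled on the trust; otherwise they break when RC4 goes. The policy writes a SupportedEncryptionTypes DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters, where AES128 is 0x8, AES256 is 0x10 and Future encryption types is 0x7FFFFFE0, so the RC4-free value is 0x7FFFFFF8.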

What is the tool to disable cipher suites? ›

The Disable-TlsCipherSuite cmdlet (with its counterparts Enable-TlsCipherSuite and Get-TlsCipherSuite, available since Windows Server 2016 / Windows 10) disables a cipher suite by removing it from the machine's list of Transport Layer Security (TLS) cipher suites. It edits the local list, not a Group Policy setting, so when an SSL Cipher Suite Order policy is in place the policy list takes precedence.

What is TLS_RSA_WITH_3DES_EDE_CBC_SHA? ›

TLS_RSA_WITH_3DES_EDE_CBC_SHA is a remnant of the SSL 3.0 era. 3DES in TLS is vulnerable to the Sweet32 attack (https://sweet32.info/) because of its 64-bit block. Being a CBC cipher suite, it is also vulnerable to the Lucky Thirteen attack (https://en.wikipedia.org/wiki/Lucky_Thirteen_attack), and its static RSA key exchange provides no forward secrecy.

Is RC4 cipher no longer supported? ›

There is consensus across the industry that the RC4 cipher is no longer cryptographically secure, and therefore RC4 support is being removed with this update. With this change, Microsoft Edge and Internet Explorer 11 are aligned with the most recent versions of Google Chrome and Mozilla Firefox.

Is RC4 deprecated in Active Directory? ›

RC4 encryption has been deprecated and disabled by default in RHEL 8, as it is considered less secure than the newer AES-128 and AES-256 encryption types. Active Directory (AD) itself supports AES, but user accounts created before AES keys existed and trusts between AD domains may still carry only RC4 keys, which is why RC4 cannot simply be switched off on a client without first checking the domain.

What replaces RC4? ›

According to manual pages shipped with the operating system, in the 2017 release of macOS and iOS Apple replaced RC4 with AES in its implementation of arc4random. In TLS the replacement is not another stream cipher but the AEAD suites: AES-GCM (the six suites in the answer above) and, where supported, ChaCha20-Poly1305.

How to disable 3DES and RC4 on Windows Server? ›

Remove every suite containing 3DES or RC4 from the Functions value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 (or run Disable-TlsCipherSuite for each of them) and then restart the server. Do not delete the key itself. Because an update can restore the local list, the SSL Cipher Suite Order Group Policy described above is the durable option.

How to check cipher suites in Windows Server? ›

On the client side, Chrome shows the suite negotiated for one connection:
  1. Launch Chrome and open the URL you wish to check.
  2. Click the three-dot menu at the top right and select More tools > Developer tools, then open the Security tab.
  3. Look for the "Connection" line. It describes the TLS version, key exchange and cipher that were negotiated (for example: TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM).
On the server itself, Get-TlsCipherSuite in an elevated PowerShell lists every suite Schannel has enabled, in priority order.

Which ciphers to disable? ›

You should also disable weak ciphers such as DES and RC4. DES's 56-bit key can be brute-forced in hours on commodity hardware, and RC4's keystream biases have turned out to be exploitable against secrets sent repeatedly, such as cookies. 3DES has a long enough key but keeps the 64-bit block that Sweet32 exploits. In the past, RC4 was advised as a way to mitigate BEAST attacks; that advice is obsolete now that TLS 1.2 AEAD suites are available.

How to disable Remote Desktop Services in Windows Server 2019? ›

In the Server Manager window, click Local Server in the left panel and wait a few minutes for the server status to refresh. Remote Desktop is shown as Disabled by default on Windows Server 2019. Clicking the value opens the Remote tab of the System Properties window, where you can choose "Don't allow remote connections to this computer".

How do I disable anonymous login on Windows Server 2019? ›

Details. Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network access: Let Everyone permissions apply to anonymous users" to "Disabled".

How do I remove cURL from Windows Server 2019? ›

Edit the registry carefully, because a mistake can make the system unbootable.
  1. Double-click the UninstallString value for cURL and copy its Value Data.
  2. Press Windows+R to open the Run command, paste the Value Data into the box and click OK.
  3. Follow the wizard to uninstall cURL.

How do I remove certificate authority from server 2019? ›

Select Start, point to Administrative Tools, and then select Server Manager. Under Roles Summary, select Active Directory Certificate Services. Under Roles Services, select Remove Role Services. Select to clear the Certification Authority check box, and then select Next.
