How to update to strong Cipher Suites in Windows Server?

Here, I have explained what cipher suites are, which cipher suites are recommended, and how to configure Windows Server to use only the recommended cipher suites, which use strong algorithms and have no known security vulnerabilities.

What is Cipher Suite?

A cipher suite is a set of cryptographic algorithms that together provide a secure, encrypted connection over Transport Layer Security (TLS) / Secure Sockets Layer (SSL).

A cipher suite contains one algorithm for each of the tasks below:

  1. Key Exchange
  2. Bulk Encryption
  3. Message authentication

Many encryption algorithms are available, but only a few strong ones are recommended. The others either have known security vulnerabilities or use weak encryption.

Windows Server supports many cipher suites, and each HTTPS request is served with whichever supported cipher suite is negotiated first in the configured priority order. As a result, a connection may be served with a strong cipher suite or with a weak one.

Each of these cipher suites uses a different set of algorithms, which may be either strong or weak. Weak cipher suites are vulnerable and less secure, so using them is not recommended. Some older cipher suites use weak sets of algorithms.

Example:

ECDH – STRONG
DHE – STRONG
RSA – NORMAL
DES – WEAK
ADH – WEAK
NULL – WEAK
RC4 – WEAK
3DES – WEAK

You can check which cipher suites your server uses with the SSL Test below, by providing the domain name hosted on your server.

https://www.ssllabs.com/ssltest/

Recommended Cipher Suites, which use strong sets of algorithms:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Recommended Key Exchange:

  1. ECDHE
  2. DHE

Recommended Signature:

  1. ECDSA
  2. RSA

Recommended Bulk Encryption:

  1. AES 128 GCM
  2. AES 256 GCM

Recommended Message Authentication:

  1. SHA 256
  2. SHA 384

Hence, you should configure your server to use the recommended (strong) cipher suites. The steps to update the cipher suites in Windows Server are explained below.

How to update Cipher Suites in Windows Server?

Step 1: Open the Group Policy Editor: open Run and enter the command “gpedit.msc”.

Step 2: Navigate to SSL Cipher Suite Order by following the path below:

Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order

Step 3: By default, SSL Cipher Suite Order is set to “Not Configured”. Double-click it to edit the state. You will see a dialog like the one below.

Step 4: Change the state to “Enabled”; this allows you to edit the SSL Cipher Suites text box.

Step 5: Select all the cipher suite text in that text box, then copy and paste it into any text editor so you can see all the cipher suite options currently used by your Windows Server.

Note: The cipher suites are separated by commas.

Example: CipherSuite1,CipherSuite2,CipherSuite3, …… CipherSuiteN

Step 6: Now replace the existing cipher suites with the recommended ones. Write the recommended cipher suites in the comma-separated format shown below.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Note: Take a backup of the existing cipher suite list before editing it, so that you can restore it if anything goes wrong.

Step 7: Enter the recommended cipher suites in the text box, then click Apply and OK.

Step 8: Restart the server for this setting to take effect.

You can check the updated cipher suites used by your server using the SSL Test:

https://www.ssllabs.com/ssltest/

Note: Restarting the server causes downtime, so schedule a planned maintenance window during non-business hours.
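The same procedure can be scripted so that the backup from the note above is never skipped and weak suites are reported before the change is made. The following PowerShell script is an added example, not part of the original post; it assumes the registry key and “Functions” value that the SSL Cipher Suite Order policy writes, and a backup folder path of your choosing.

```powershell
# Added example: back up the current SSL Cipher Suite Order policy value, report
# suites that use algorithms the post classifies as weak, then write the
# recommended order. Run in an elevated PowerShell session on the server.
# Assumptions: this is the key the "SSL Cipher Suite Order" GPO writes (REG_SZ
# value "Functions", comma-separated); $BackupDir is a chosen local folder.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$BackupDir = 'C:\CipherSuiteBackup'   # assumed location, change as needed

# Recommended suites from the post, in priority order (strongest first).
$Recommended = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Step 5: read the currently effective order. If the policy value is absent the
# setting is "Not Configured" and Windows uses its built-in list, which
# Get-TlsCipherSuite (Windows Server 2016 or later) returns.
$Current = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if (-not $Current) { $Current = (Get-TlsCipherSuite | ForEach-Object Name) -join ',' }

# Note under Step 6: back up the existing list before changing anything.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$BackupFile = Join-Path $BackupDir ("CipherSuiteOrder-{0:yyyyMMdd-HHmmss}.txt" -f (Get-Date))
Set-Content -Path $BackupFile -Value $Current
Write-Host "Existing order saved to $BackupFile"

# Report enabled suites that use DES, 3DES, RC4, NULL or anonymous DH
# (DH_anon is the Windows name for what the post lists as ADH).
$CurrentList = $Current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$Weak = $CurrentList | Where-Object { $_ -match 'NULL|RC4|DES|DH_anon' }
if ($Weak) { Write-Host "Weak suites currently enabled:`n  $($Weak -join "`n  ")" }

# Steps 6 and 7: write the recommended order as the policy's "Functions" value.
# The GPO text box accepts at most 1023 characters, so keep the list short.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name Functions -Value ($Recommended -join ',') -Type String

# Step 8: the new order takes effect only after a reboot; verify afterwards.
Write-Host "Policy updated. Reboot, then confirm with: Get-ItemProperty '$PolicyKey' -Name Functions"
```

To roll back, restore the saved file's contents to the same “Functions” value (or set the policy back to Not Configured) and reboot again.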
