How to update strong Cipher Suites in Windows server?

Here I explain what cipher suites are, which cipher suites are recommended, and how to apply only the recommended cipher suites, those built from a set of strong algorithms with no known security vulnerabilities, on Windows Server.

What is a Cipher Suite?

A cipher suite is a set of cryptographic algorithms that together provide a secure, encrypted connection over Transport Layer Security (TLS) / Secure Sockets Layer (SSL).

A cipher suite contains one algorithm for each of the following tasks:

  1. Key Exchange
  2. Bulk Encryption
  3. Message authentication

Many more encryption algorithms are available, but only a few strong ones are recommended; the others have known security vulnerabilities or use a weak encryption algorithm.

Windows Server supports many cipher suites, and HTTPS requests are served with whichever supported cipher suite is negotiated, in the server's priority order. So there is a chance that a weak cipher suite will be served as well as a strong one.

Each cipher suite uses a different set of algorithms, which may be either strong or weak. Weak cipher suites are vulnerable and much less secure, and it is not recommended to use them. Some older cipher suites use a weak set of algorithms.

Example:

ECDH – STRONG
DHE – STRONG
RSA – NORMAL
DES – WEAK
ADH – WEAK
NULL – WEAK
RC4 – WEAK
3DES – WEAK

You can check the cipher suites used by your server with the SSL Labs SSL Test; enter the domain name hosted on your server:

https://www.ssllabs.com/ssltest/

Recommended cipher suites, which use a strong set of algorithms:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Recommended Key Exchange:

  1. ECDHE
  2. DHE

Recommended Signature:

  1. ECDSA
  2. RSA

Recommended Bulk Encryption:

  1. AES 128 GCM
  2. AES 256 GCM

Recommended Message Authentication:

  1. SHA 256
  2. SHA 384

Hence, you should configure the recommended strong cipher suites on your server. The steps to update the cipher suites in Windows Server are explained below.

How to update Cipher Suites in Windows Server?

Step 1: Open the Group Policy Editor: Run -> enter the command “gpedit.msc”.

Step 2: Navigate to SSL Cipher Suite Order by following the path below,

Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order

Step 3: By default, SSL Cipher Suite Order is set to “Not Configured”. Double-click it to edit the state. You will get a dialog like the one below.

Step 4: Change the state to “Enabled”; this allows you to edit the SSL Cipher Suites text box.

Step 5: Select all the cipher suite text in that text box, then copy and paste it into any text editor, so you can see all the cipher suites currently used by your Windows Server.

Note: The cipher suites are separated by commas.

Example:  CipherSuite1,CipherSuite2,CipherSuite3, …… CipherSuiteN

Step 6: Now replace the existing cipher suites with the recommended cipher suites. Form the recommended cipher suites in the comma-separated format below.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Note: Take a backup of the existing cipher suite list before editing it, to avoid any unpleasant situation.

Step 7: Enter the recommended cipher suites in the text box, then click Apply and OK.

Step 8: Restart the server for this setting to take effect.

You can check the updated cipher suites used by your server with the SSL Test:

https://www.ssllabs.com/ssltest/

Note: Restarting the server will cause downtime, so schedule a planned downtime during non-business hours.
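As an added example (not part of the original post), the PowerShell script below performs Steps 5 to 7 in scripted form: it backs up the current value, refuses any suite that contains one of the weak algorithms listed above or does not match the recommended ECDHE/DHE + AES-GCM + SHA-256/384 pattern, and writes the list to the registry value that the SSL Cipher Suite Order policy setting populates. The backup file location and the exact regular expression are my own choices, not the post's.

```powershell
# Added example (not from the original post): back up the current SSL Cipher Suite Order
# policy value, reject any list containing a weak algorithm, then write the recommended
# list to the registry value that the "SSL Cipher Suite Order" policy setting populates.
# Run as Administrator; a restart is still required for the change to take effect.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$BackupFile = "$env:TEMP\CipherSuiteOrder-backup-$(Get-Date -Format yyyyMMdd-HHmmss).txt"  # assumed path

# Recommended suites from the post (ECDHE/DHE key exchange, AES-GCM, SHA-256/384)
$Recommended = @(
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Algorithm tokens the post classifies as weak; any suite naming one of them is rejected.
$WeakTokens = 'NULL', 'RC4', '3DES', 'DES', 'ADH'

function Test-StrongSuite([string]$Suite) {
    foreach ($t in $WeakTokens) {
        if ($Suite -match ('(^|_)' + $t + '(_|$)')) { return $false }
    }
    # Forward-secret key exchange plus an AEAD bulk cipher, as in the recommended list.
    return ($Suite -match '^TLS_(ECDHE|DHE)_(ECDSA|RSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$')
}

$bad = $Recommended | Where-Object { -not (Test-StrongSuite $_) }
if ($bad) { throw "Refusing to apply weak or unexpected suites: $($bad -join ', ')" }

# The policy stores the list as one comma-separated string (Step 6 format).
$NewValue = $Recommended -join ','
if ($NewValue.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character policy limit' }

# Note under Step 6: keep a backup of the existing value before editing it.
$current = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
if ($current) { Set-Content -Path $BackupFile -Value $current; Write-Host "Backed up to $BackupFile" }
else { Write-Host 'No policy value set yet (Not Configured); the OS default order is in use.' }

if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
Set-ItemProperty -Path $PolicyKey -Name Functions -Value $NewValue -Type String
Write-Host 'Policy updated. Restart the server for the new cipher suite order to take effect.'
```

The ECDSA suites are only ever negotiated when the server certificate is ECDSA, so including them alongside the RSA suites is harmless. Suite names in this form are the ones Windows Server 2016 and later accept; earlier versions expect a curve suffix such as _P256 or _P384 on ECDHE suites, so compare against the names already shown in the text box before applying.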

He is a product manager at a reputed software company and a freelance blog writer. He is experienced in different technologies, web security, and web applications. He keeps learning and keeps himself up to date on the latest technologies, news, health, and fitness. This encouraged him to share his experiences by writing articles.
