This post explains what a cipher suite is, which cipher suites are recommended, and how to configure Windows Server so that it offers only the recommended suites: those built from strong algorithms with no known security weaknesses.
What is a Cipher Suite?
A cipher suite is a named combination of cryptographic algorithms that together provide a secure, encrypted connection over Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL).
A cipher suite specifies one algorithm for each of the following tasks:
- Key Exchange (agreeing on the session key)
- Authentication (the signature algorithm used with the server certificate)
- Bulk Encryption (protecting the application data)
- Message Authentication (detecting tampering with the data)
Many cipher suites exist, but only a few are recommended. The rest either have known security weaknesses or rely on weak algorithms.
Windows Server supports a long list of cipher suites and negotiates one of them for every HTTPS connection, taking the server's configured priority order into account. As long as weak suites remain in that list, a client that does not support the strong ones (or a client that deliberately prefers a weak one) can still be served with a weak suite.
Each cipher suite uses a different set of algorithms, which may be strong or weak. Weak cipher suites are vulnerable and should not be used; the weak ones are mostly older suites built from algorithms that have since been broken or deprecated.
Example:
ECDHE (ephemeral elliptic-curve key exchange) – STRONG
DHE (ephemeral Diffie-Hellman key exchange) – STRONG
RSA (static RSA key exchange, no forward secrecy) – NORMAL
DES – WEAK
ADH (anonymous Diffie-Hellman, no server authentication) – WEAK
NULL (no encryption) – WEAK
RC4 – WEAK
3DES – WEAK
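As an added example (not code from the original post), the following PowerShell script turns the strong/normal/weak rules above into a function and runs it over the cipher suites a server currently offers. It assumes Windows Server 2016 or later, where the Get-TlsCipherSuite cmdlet is available; the function and parameter names are my own, and the sample list at the bottom is constructed so the script can be tried without touching a real server.

```powershell
# Added example (not from the original post): rate each cipher suite name using the
# strong / normal / weak rules from the list above, then run it over the suites the
# server currently offers. Get-TlsCipherSuite exists on Windows Server 2016 and later;
# the -Names parameter lets the report run on any list, including the constructed
# sample at the bottom.

function Get-CipherSuiteRating {
    param([Parameter(Mandatory)][string]$Name)

    # Weak primitive anywhere in the name: no encryption, RC4, (3)DES, anonymous
    # key exchange (ADH / DH_anon / ECDH_anon), MD5 MAC or export grade.
    if ($Name -match 'NULL|RC4|DES|ADH|DH_anon|ECDH_anon|MD5|EXPORT') { return 'WEAK' }

    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always use an ephemeral key exchange.
    if ($Name -match '^TLS_(AES|CHACHA20)_') { return 'STRONG' }

    # Ephemeral (forward-secret) key exchange with AES-GCM: the recommended set.
    if ($Name -match '^TLS_(ECDHE|DHE)_(ECDSA|RSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$') { return 'STRONG' }

    # Ephemeral exchange but CBC mode, or static RSA key exchange (no forward secrecy).
    if ($Name -match '^TLS_(ECDHE|DHE)_') { return 'NORMAL' }
    if ($Name -match '^TLS_RSA_WITH_')    { return 'NORMAL' }

    return 'UNKNOWN'
}

function Get-CipherSuiteReport {
    param([string[]]$Names)
    if (-not $Names) {
        # Live list from SChannel, in the order the server will prefer them.
        $Names = (Get-TlsCipherSuite).Name
    }
    $Names | ForEach-Object {
        [pscustomobject]@{ Name = $_; Rating = (Get-CipherSuiteRating -Name $_) }
    }
}

# Constructed sample list (not a real server's output) so the script can be tried offline.
$Sample = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',   # STRONG
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',   # NORMAL (forward secrecy, but CBC)
    'TLS_RSA_WITH_AES_128_GCM_SHA256',         # NORMAL (static RSA key exchange)
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',           # WEAK
    'TLS_RSA_WITH_RC4_128_SHA',                # WEAK
    'TLS_RSA_WITH_NULL_SHA256',                # WEAK
    'TLS_DH_anon_WITH_AES_128_CBC_SHA'         # WEAK
)
Get-CipherSuiteReport -Names $Sample | Format-Table -AutoSize

# On the live server, anything listed here should be removed from the cipher suite order:
# Get-CipherSuiteReport | Where-Object Rating -eq 'WEAK'
```

The rating is deliberately conservative: a suite is only STRONG if it matches the recommended set exactly (ephemeral key exchange plus AES-GCM), and any suite containing a weak primitive is WEAK regardless of its key exchange.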
You can check which cipher suites your server offers with the Qualys SSL Labs SSL Test by entering the domain name hosted on the server:
https://www.ssllabs.com/ssltest/
Recommended Cipher Suites (each built from a strong set of algorithms)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Recommended Key Exchange:
- ECDHE
- DHE
Recommended Signature:
- ECDSA
- RSA
Recommended Bulk Encryption:
- AES 128 GCM
- AES 256 GCM
Recommended Message Authentication:
- SHA 256
- SHA 384
(In the GCM suites above, AES-GCM itself authenticates every record; SHA-256/SHA-384 is used as the handshake hash and PRF.)
Hence, you should configure your server to offer only the recommended, strong cipher suites. The steps below show how to do this on Windows Server.
How to update Cipher Suites in Windows Server?
Step 1: Open the Group Policy Editor: Run -> enter “gpedit.msc”.
Step 2: Navigate to SSL Cipher Suite Order by following the path below:
Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order
Step 3: By default, SSL Cipher Suite Order is set to “Not Configured”. Double-click it to open the edit dialog.
Step 4: Change the state to “Enabled”; this unlocks the SSL Cipher Suites text box so it can be edited.
Step 5: Select all of the text in that text box and copy it into a text editor, so you can see every cipher suite your Windows Server currently offers.
Note: Each Cipher Suites are separated by a comma.
Example: CipherSuite1,CipherSuite2,CipherSuite3, …… CipherSuiteN
Step 6: Now replace the existing cipher suites with the recommended ones. Format the recommended cipher suites as a single comma-separated line, for example (RSA certificate; add the TLS_ECDHE_ECDSA_* suites as well if the server uses an ECDSA certificate):
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Note: Take a backup of the existing cipher suite list before editing it, so you can restore it if clients stop connecting.
Note: The text box is limited to 1023 characters, and the server will offer only the suites you list, so the list is exclusive. On Windows Server 2012 R2 and earlier the ECDHE suite names need the curve suffix (for example TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384); on Windows Server 2022 and later, keep TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256 in the list as well so that TLS 1.3 continues to be negotiated.
Step 7: Paste the recommended cipher suites into the text box, then click Apply and OK.
Step 8: Restart the server for the setting to take effect.
You can then confirm the updated cipher suites offered by your server with the SSL Test:
https://www.ssllabs.com/ssltest/
Note: Restarting the server causes downtime, so schedule the change for a planned maintenance window outside business hours.
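The same change can be scripted instead of clicked through. As an added example (not code from the original post), the PowerShell below writes the registry value that the “SSL Cipher Suite Order” policy writes, after saving the current value to a backup file. It assumes Windows Server 2016 or later (suite names without the _P256/_P384 suffix), an elevated session, and a server with an RSA or ECDSA certificate; the function names and the backup path are my own choices. A reboot is still required afterwards.

```powershell
# Added example (not from the original post): apply the recommended cipher suite
# order through the same policy value the GPO "SSL Cipher Suite Order" writes, after
# backing up whatever is there. Assumes Windows Server 2016 or later and an elevated
# session. SChannel reads the new value only after a reboot.

# Registry location behind the "SSL Cipher Suite Order" group policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Recommended suites from this post, strongest first. Drop the ECDSA suites if the
# server has only an RSA certificate; on Windows Server 2022+ add the TLS 1.3 suites
# (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256) at the top.
$Recommended = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

function Backup-CipherSuitePolicy {
    # Save the current policy value (or a marker if the policy is not configured).
    param([string]$Path = "$env:TEMP\cipher-suite-order-backup.txt")   # assumed path
    $current = (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($null -eq $current) { $current = '<not configured>' }
    Set-Content -Path $Path -Value $current -Encoding ASCII
    return $Path
}

function Set-CipherSuitePolicy {
    # Write the comma-separated list; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Suites = $Recommended)

    $value = $Suites -join ','
    # The policy text box and its registry value are limited to 1023 characters.
    if ($value.Length -gt 1023) {
        throw "Cipher suite list is $($value.Length) characters; the limit is 1023."
    }
    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set Functions=$value")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $PolicyKey -Name Functions -Value $value `
            -PropertyType String -Force | Out-Null
    }
    return $value
}

# Usage: back up first, dry-run, then apply and reboot.
$backup = Backup-CipherSuitePolicy
Write-Host "Previous cipher suite order saved to $backup"
Set-CipherSuitePolicy -WhatIf        # remove -WhatIf to write the value
# After the reboot, confirm what SChannel now offers:
# Get-TlsCipherSuite | Select-Object Name
```

Two caveats: writing the registry value directly is what SChannel reads, but gpedit.msc will still display the setting as Not Configured, and on a domain-joined server a domain GPO for the same setting will overwrite this value at the next policy refresh, so make the change in the domain GPO instead where one exists.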