How to Disable RC4 in Windows 2012 R2

313  38601 SSL/TLS use of weak RC4 cipher -- not sure how to FIX the problem.  It doesn't seem like a MS patch will solve this.

  • Windows 2012 R2 Reg settings applied (for a Windows 2008 R2 system)  and this problem is no longer seen by the GVM scanner BUT, THESE REGISTRY SETTINGS DO NOT APPLY TO WINDOWS 2012 R2. 

Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?  
No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

https://technet.microsoft.com/en-us/library/security/2868725.aspx

So, how do you disable RC4 on Windows 2012 R2?????  Anyone know?

July 24th, 2015 1:47pm

Can you try using IISCrypto tool?

https://www.nartac.com/Products/IISCrypto/

-Umesh.S.K

July 24th, 2015 2:18pm

Thank you for the response. However, I cannot install third-party tools in my OS build environment. At work, we are very careful about introducing internet tools on our network.

Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?  
No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

If these operating systems already include the functionality to restrict the use of RC4, how do you do it??

Should I apply https://support.microsoft.com/en-us/kb/2868725 these registry settings for Windows 2008 R2?  If so, why does MS have this above note?  That the OS already includes the functionality to restrict RC4?

Clients and servers that do not want to use RC4 regardless of the other party's supported ciphers can disable RC4 cipher suites completely by setting the following registry keys. In this manner, any server or client that is talking to a client or server that must use RC4 can prevent a connection from occurring. Clients that deploy this setting will be unable to connect to sites that require RC4, and servers that deploy this setting will be unable to service clients that must use RC4. 
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000

July 24th, 2015 2:36pm

Hi,

Please create the below RC4 folders in the registry path shown below. Set Enabled = 0.

-Umesh.S.K

July 25th, 2015 1:07pm

For security-specific questions like this, I recommend the dedicated security forum:
https://social.technet.microsoft.com/Forums/en-US/home?forum=winserversecurity

This topic (Disabling RC4) is discussed several times there.

Also, note that Advisory 2868725 and KB 2868725 both explain that the ability to restrict/disable RC4 is different from actively/actually restricting/disabling RC4. More information here: https://support.microsoft.com/en-au/kb/245030

First, apply the update if you have an older OS (WS2012R2 already includes the ability).
Second, apply the relevant registry keys, to all OS versions, to actively/actually disable RC4.
If you only apply the update (to an older OS), or, you already have WS2012R2, this does not disable RC4 - you must have both the necessary binary files *AND* also set the registry keys.

So, to answer your question: "how do you disable RC4 on Windows 2012 R2?" - the answer is: set the relevant registry keys.

July 26th, 2015 12:27am

Hi,

Please follow the link below to restrict the RC4 ciphers:

https://support.microsoft.com/en-us/kb/245030

I tested it on my Windows Server 2012 R2; it works for me.

Best Regards.

July 27th, 2015 3:46am
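
The registry change discussed in the replies above, as an added PowerShell example that is not part of the original thread or of any Microsoft script. The function names `Get-Rc4State` and `Disable-Rc4` are hypothetical; the key names are the three quoted earlier in the thread. It uses the .NET registry API because the PowerShell registry provider treats the "/" in names such as "RC4 128/128" as a path separator and would create nested keys instead.

```powershell
# Added example. Run from an elevated PowerShell prompt on the server.
# Key path and names are the ones quoted from the KB text earlier in this thread.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys     = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'

function Get-Rc4State {
    # Report the "Enabled" value under each RC4 key.
    # A null value means the key or the value does not exist yet.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($name in $rc4Keys) {
        # .NET splits only on "\", so the "/" stays part of the key name.
        $key   = $hklm.OpenSubKey("$ciphersPath\$name")
        $value = if ($key) { $key.GetValue('Enabled') } else { $null }
        if ($key) { $key.Close() }
        [pscustomobject]@{
            Cipher   = $name
            Enabled  = $value
            Disabled = ($null -ne $value -and $value -eq 0)
        }
    }
}

function Disable-Rc4 {
    # Create each RC4 key if it is missing and set Enabled = dword:00000000.
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine
    $ciphers = $hklm.CreateSubKey($ciphersPath)   # opens writable, creates if absent
    try {
        foreach ($name in $rc4Keys) {
            $key = $ciphers.CreateSubKey($name)
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            $key.Close()
        }
    }
    finally {
        $ciphers.Close()
    }
}

Get-Rc4State | Format-Table -AutoSize   # state before the change
Disable-Rc4
Get-Rc4State | Format-Table -AutoSize   # all three rows should show Disabled = True
```

After the keys are set, rerun the scanner against the server to confirm the RC4 finding is gone.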
