Remote Desktop, MSSQL, and TLS 1.0 and RC4 Ciphers

Currently SSL Labs suggests that the SSL RC4 ciphers are weak, and that to still mitigate the BEAST attack in older clients, TLS 1.0 can be turned off.

I have read threads that state that MS SQL Server had issues when SSL 3.0 and TLS 1.0 were turned off, and also that turning off TLS 1.0 would break Remote Desktop (which this thread seems to state requires TLS 1.0 and RC4 ciphers: https://msdn.microsoft.com/en-us/library/aa383015%28v=vs.85%29.aspx ).

Also see: 

  • https://technet.microsoft.com/en-us/magazine/ff458357.aspx and
  • https://social.technet.microsoft.com/Forums/en-US/e2b22dad-bb0c-4059-beec-6673783ab777/remote-desktop-stopped-working-after-disabling-ssl-20-and-tls-10

Is there a way to have a Windows Server 2012, which is fully patched, rely on a TLS version greater than 1.0 and the GCM (or another) cipher for Remote Desktop? Same question also for MS SQL?

If the answer is that TLS 1.0 and RC4 must be turned on for Network Layer Authentication in Remote Desktop Services, can you propose a best practice cipher order that would score fairly high on SSL Labs?

Can SSL 3.0 and TLS 1.0 be turned off, and still have MS SQL 2012 start (not configured to use SSL connections/SQL SSL certificate)?

Thank you for any input you are able to give.

January 21st, 2015 5:07pm

Hi,

Here are some references below for you:

SSL Cipher Suite Order best practice

https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e17d836-39f7-4246-a382-b073d1130079/ssl-cipher-suite-order-best-practice?forum=winserversecurity

How TLS/SSL Works
https://technet.microsoft.com/en-us/library/cc783349(v=WS.10).aspx

Regarding this: Can SSL3.0 and TLS 1.0 be turned off, and still have MS SQL 2012 start

I would suggest you refer to the SQL forum to get professional support:

https://social.technet.microsoft.com/Forums/sqlserver/en-US/home

Best Regards,

Amy

January 24th, 2015 12:50pm

Hello,

We are asked to disable RC4:

Port: ms-wbt-server (3389/tcp)


SSL RC4 Cipher Suites Supported

Synopsis:

The remote service supports the use of the RC4 cipher.

Description:

The remote host supports the use of RC4 in one or more cipher suites.
The RC4 cipher is flawed in its generation of a pseudo-random stream
of bytes so that a wide variety of small biases are introduced into
the stream, decreasing its randomness.

If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an
attacker is able to obtain many (i.e., tens of millions) ciphertexts,
the attacker may be able to derive the plaintext.

See also:
http://www.nessus.org/u?217a3666
http://cr.yp.to/talks/2013.03.12/slides.pdf
http://www.isg.rhul.ac.uk/tls/
http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf


Solution:

Reconfigure the affected application, if possible, to avoid use of RC4
ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser
and web server support.

Plugin Output:

List of RC4 cipher suites supported by the remote server:

High Strength Ciphers (>= 112-bit key)

TLSv1
RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

The fields above are:

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}



CVE:
CVE-2013-2566
CVE-2015-2808


BID:
58796
73684

But we don't have any instructions on how to do that. Is it enough to define the following in the registry?

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000

Or how can we solve this issue?

May 21st, 2015 12:00pm
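
A read-only check of the three registry keys listed in the post above, as an added example that is not part of the thread and not Microsoft's code. The function name `Get-SchannelCipherState` is hypothetical; the script only reports what is configured on the local machine and does not establish whether these keys are sufficient to clear the scanner finding.

```powershell
# Read-only audit of the SCHANNEL RC4 cipher keys named in the post above.
# The key names contain "/", which the PowerShell registry provider treats as a
# path separator, so the .NET registry API (backslash-only) is used instead.
$base    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$ciphers = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'   # names taken from the post

function Get-SchannelCipherState {   # hypothetical helper name
    param([string]$BasePath, [string[]]$CipherNames)

    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($name in $CipherNames) {
        $raw = $null
        $key = $hklm.OpenSubKey("$BasePath\$name")   # opened read-only
        if ($null -eq $key) {
            # A key created through the provider with "/" in its name ends up
            # nested ("RC4 128" containing a subkey "128"); report it separately.
            $nestedPath = $BasePath + '\' + $name.Replace('/', '\')
            $nested = $hklm.OpenSubKey($nestedPath)
            if ($null -ne $nested) {
                $nested.Close()
                $state = 'found as nested key, not under the intended name'
            } else {
                $state = 'key absent; OS default applies'
            }
        } else {
            try {
                $raw = $key.GetValue('Enabled')
                if ($null -eq $raw) {
                    $state = 'Enabled value absent; OS default applies'
                } elseif ($key.GetValueKind('Enabled') -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                    $state = 'Enabled is not a DWORD; check the value type'
                } elseif ($raw -eq 0) {
                    $state = 'disabled'
                } else {
                    $state = 'enabled'
                }
            } finally {
                $key.Close()
            }
        }
        [pscustomobject]@{ Cipher = $name; Enabled = $raw; State = $state }
    }
}

Get-SchannelCipherState -BasePath $base -CipherNames $ciphers | Format-Table -AutoSize
```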

Hi,

Since this thread has been quiet for a few months, and this is a new question, I would suggest you start a new thread to get more efficient support from the forum community.

Best Regards,

Amy

May 22nd, 2015 3:35am

This topic is archived. No further replies will be accepted.
