
Disable Weak Cipher Suites on Windows Server 2019

This article explains how to remove a weak cipher suite on a Windows Server 2019 system. There are other ways, such as PowerShell; this is just one way. Make a backup or snapshot first, as mistakes could cause issues reconnecting. I organise a maintenance window, take a VM snapshot first, make the change, reboot and test, and then remove the snapshot.

Open Regedit and paste the following path into the address bar:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Configuration\Local\Default\00010002

You’ll see a value called “Functions”. Open it to see its contents. Here’s an example; note that I’ve used “…” to show that the list has been shortened:

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
...
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384
TLS_PSK_WITH_AES_128_CBC_SHA256
TLS_PSK_WITH_NULL_SHA384
TLS_PSK_WITH_NULL_SHA256

Go through the list and remove anything that looks weak, or specifically what your vulnerability scanner pointed out: for example, anything containing “NULL”, “RC4”, “DES” or “3DES”. Save the change and reboot the machine. You’re essentially telling Windows which cipher suites it accepts for connections.
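The same edit can be scripted, which is handy when you have several servers to do. The following PowerShell is an added example and is not code from the article; it reads the Functions value the article describes (a REG_MULTI_SZ, so PowerShell sees it as a string array), backs it up to a file, drops every suite whose name contains NULL, RC4 or DES (which also catches 3DES), and writes the pruned list back. The registry path is the one given in the article (ControlSet001); on a running system HKLM:\SYSTEM\CurrentControlSet points at the active control set and is usually the one to edit. The $WeakPattern regex is my own choice, not something the article defines. Run it from an elevated PowerShell after taking the snapshot the article recommends.

```powershell
# Added example, not the article's own code.
# Prune weak cipher suites from the Schannel Functions list, with a backup and a dry run.

$Path        = 'HKLM:\SYSTEM\ControlSet001\Control\Cryptography\Configuration\Local\Default\00010002'
$Name        = 'Functions'
$WeakPattern = 'NULL|RC4|DES'   # assumption: the families the article calls weak; 'DES' also matches 3DES

# Read the current list. The value is REG_MULTI_SZ, so this is a string[].
$current = (Get-ItemProperty -Path $Path -Name $Name).$Name

# Back up the list to a timestamped file before changing anything.
$backup = Join-Path $env:TEMP ('Functions-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
$current | Set-Content -Path $backup
Write-Host "Backed up $($current.Count) suite(s) to $backup"

# Split into the suites to remove and the suites to keep.
$weak = @($current | Where-Object { $_ -match $WeakPattern })
$keep = @($current | Where-Object { $_ -notmatch $WeakPattern })

if ($weak.Count -eq 0) {
    Write-Host 'No weak suites matched; nothing to change.'
    return
}

Write-Host "Removing $($weak.Count) suite(s):"
$weak | ForEach-Object { Write-Host "  $_" }

# Write the pruned list back as the same REG_MULTI_SZ type.
# -WhatIf makes this a dry run; remove it to apply the change, then reboot.
Set-ItemProperty -Path $Path -Name $Name -Value ([string[]]$keep) -Type MultiString -WhatIf

# After the reboot, confirm what Schannel actually offers. Expect no output here.
# Get-TlsCipherSuite | Where-Object { $_.Name -match $WeakPattern }
```

Leave -WhatIf in place for the first run so you can read the removal list against what your scanner reported; once you are happy, remove it, rerun, and reboot. The final commented line uses the built-in Get-TlsCipherSuite cmdlet as an independent check that the suites are really gone, rather than trusting the registry edit alone.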

TIP: If you forget the path in the future, just search the registry under “Computer\HKEY_LOCAL_MACHINE” for a cipher suite name, e.g. “TLS_RSA_WITH_3DES_EDE_CBC_SHA”. You’ll quickly find the key.
