I really like Nartac Software's IIS Crypto tool for configuring protocols, ciphers, hashes and key exchange algorithms on Windows. However, since the tool simply makes changes to the local machine's registry it still requires a bit of work if you want to roll out these changes to multiple machines. Sure, you could use IIS Crypto on a single machine, export the registry keys, then import them via a startup script GPO, but I wanted a more Group Policy-integrated way to enable or disable things. So I created an administrative template for Group Policy to do just that.
Note: I no longer maintain Windows servers for my job, so this may be out of date. If you notice something that needs to be updated, please submit an issue or a pull request!
This template simply twiddles values under the registry key `HKLM\CurrentControlSet\Control\SecurityProviders\Schannel`.
Note that since that key does not reside under the Policies key, using this template will "tattoo" the settings onto the registry. In other words, removing the policy will not revert these settings to their previous values.
From MSDN's Managing Group Policy ADMX Files Step-by-Step Guide, there are two ways to install custom administrative templates.
- Copy the language-neutral ADMX file(s) to `%SYSTEMROOT%\PolicyDefinitions`.
- Copy the language-specific ADML file(s) to `%SYSTEMROOT%\PolicyDefinitions\[MUIculture]` (for example, the U.S. English ADMX language-specific file will be stored in `%SYSTEMROOT%\policyDefinitions\en-us`).
You will then be able to use the template on your local workstation to create and edit local or domain policies, but the template will not be available to other administrators. A better option is to install the template files in the domain's central store.
To make the template available automatically to all Group Policy administrators in a domain, perform the following on a domain controller:
- Copy the language-neutral ADMX file(s) to `%SYSTEMROOT%\sysvol\domain\policies\PolicyDefinitions`.
- Copy the language-specific ADML file(s) to `%SYSTEMROOT%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]` (for example, the U.S. English ADMX language-specific file will be stored in `%SYSTEMROOT%\sysvol\domain\policies\PolicyDefinitions\en-us`).
The new policy settings are located in the same place one would normally configure the SSL Cipher Suite order; namely:
Computer Configuration/Administrative Templates/Network/SSL Configuration
Screenshot:
Any of the following ciphers, hash algorithms, or key exchange algorithms can be enabled or disabled globally. The protocols can be independently configured for both client and server use. Note that changes to the ciphers and hashes (and presumably, to the key exchange algorithms) will take effect immediately when the group policy is applied. Changes to protocols require a restart of the computer.
- NULL
- DES 56/56
- RC2 40/128
- RC2 56/128
- RC2 128/128
- RC4 40/128
- RC4 56/128
- RC4 64/128
- RC4 128/128
- Triple DES 168
Setting the cipher suite order (the second half of IIS Crypto) for Windows involves configuring a Microsoft-delivered group policy setting. See Prioritizing Schannel Cipher Suites for more information. (Note this line on that page, however: "The list of cipher suites is limited to 1023 characters." So you can't go nuts with this GPO like you can if you set the registry key outright, but the GPO is certainly easier to deploy.) There are a few ways you can build your cipher suite list.
- Use IIS Crypto as a guide. Start the tool, click the "Best Practices" button, and copy down what it gives you.
- Use Steve Gibson's list. Just copy that list, remove the line breaks, and paste it into the GPO setting.
- Roll your own.
Once you've got your list, add it to your GPO and roll it out!
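Because these settings tattoo the registry, it is worth auditing what a machine actually ends up with after the policy applies (or after it is removed). The following PowerShell is an added example, not part of this template or of IIS Crypto; it reads the documented Schannel and cipher-suite-order locations, and the specific protocol, cipher, hash and key exchange names it checks are assumptions to adjust for your environment.

```powershell
# Added example, not part of the template: audit the effective Schannel state on a
# machine after the GPO applies (or after it is removed, to see what stayed tattooed).
# It uses the .NET registry API because the PowerShell registry provider cannot
# address subkeys whose names contain "/" (for example "RC4 128/128").
# The protocol, cipher, hash and key exchange names listed are assumptions; adjust
# them to whatever your policy configures.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-SchannelValue([string]$SubKey, [string]$Name) {
    $k = $hklm.OpenSubKey("$base\$SubKey")
    if ($null -eq $k) { return $null }          # key absent: OS default applies
    try { $k.GetValue($Name) } finally { $k.Close() }
}

function ConvertTo-State($v) {
    if ($null -eq $v) { 'not set (OS default)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
}

$rows = @(
    # Protocols carry separate Client and Server subkeys, each with Enabled and DisabledByDefault.
    foreach ($proto in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($side in 'Client','Server') {
            [pscustomobject]@{
                Category = 'Protocol'; Name = "$proto ($side)"
                State    = ConvertTo-State (Get-SchannelValue "Protocols\$proto\$side" 'Enabled')
                DisabledByDefault = Get-SchannelValue "Protocols\$proto\$side" 'DisabledByDefault'
            }
        }
    }
    # Ciphers, hashes and key exchange algorithms use a single Enabled DWORD per subkey.
    $names = @{ Ciphers = 'NULL','DES 56/56','RC4 128/128','Triple DES 168','AES 256/256'
                Hashes = 'MD5','SHA','SHA256'; KeyExchangeAlgorithms = 'Diffie-Hellman','PKCS','ECDH' }
    foreach ($cat in $names.Keys) {
        foreach ($n in $names[$cat]) {
            [pscustomobject]@{ Category = $cat; Name = $n; DisabledByDefault = $null
                               State = ConvertTo-State (Get-SchannelValue "$cat\$n" 'Enabled') }
        }
    }
)
$rows | Format-Table -AutoSize
# The GPO-delivered cipher suite order lands under Policies and is capped at 1023 characters.
$pol   = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
$order = if ($pol) { $pol.GetValue('Functions') }
if ($order) {
    $flag = if ($order.Length -gt 1023) { 'OVER LIMIT' } else { 'ok' }
    "Cipher suite order policy: $(($order -split ',').Count) suites, $($order.Length) characters ($flag)"
} else { 'Cipher suite order policy: not set (OS default order in use)' }
```

Run it before and after `gpupdate /force` on a pilot machine; protocol rows only change after the reboot the page mentions, while cipher and hash rows should flip as soon as the policy applies.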
- SSL Labs' SSL/TLS Deployment Best Practices
- TLS Cipher Suites in Windows Server 2003 and XP
- SSL Cipher Suites in Windows Server 2003 and XP
- Schannel Cipher Suites in Windows Server 2008 and Vista
- Schannel Cipher Suites in Windows Server 2008 R2 and above
- How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
- Managing Group Policy ADMX Files Step-by-Step Guide
- Transport Layer Security (TLS) registry settings