Skip to content

Latest commit

 

History

History
73 lines (50 loc) · 5.85 KB

windows-server-2016.md

File metadata and controls

73 lines (50 loc) · 5.85 KB

Default enabled cipher suite order

Recommended cipher suite order

Cipher suite string Allowed by SCH_USE_STRONG_CRYPTO TLS/SSL Protocol versions
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Yes TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Yes TLS 1.2
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 Yes TLS 1.2
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 Yes TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Yes TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Yes TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Yes TLS 1.2
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_RSA_WITH_AES_256_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_RSA_WITH_AES_128_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_RSA_WITH_AES_256_GCM_SHA384 Yes TLS 1.2
TLS_RSA_WITH_AES_128_GCM_SHA256 Yes TLS 1.2
TLS_RSA_WITH_AES_256_CBC_SHA256 Yes TLS 1.2
TLS_RSA_WITH_AES_128_CBC_SHA256 Yes TLS 1.2
TLS_RSA_WITH_AES_256_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_RSA_WITH_AES_128_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_RSA_WITH_3DES_EDE_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Yes TLS 1.2
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Yes TLS 1.2
TLS_DHE_DSS_WITH_AES_256_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_DSS_WITH_AES_128_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Yes TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
TLS_RSA_WITH_RC4_128_SHA No TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
TLS_RSA_WITH_RC4_128_MD5 No TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0

Configuring Strong Ciphers

Method 1: Using GPO

Computer Configuration\Administrative Templates\Network\SSL Configuration Settings\SSL Cipher Suite Order


TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256

Method 2: Using Registry Editor

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

References