Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

Improving cipher security in Windows Server 2003 SP2



Summary

This article describes how to add support for stronger Advanced Encryption Standard (AES) cipher suites in Windows Server 2003 Service Pack 2 (SP2) and how to disable weaker ciphers.



More Information

Step 1: To add support for stronger AES cipher suites in Windows Server 2003 SP2, apply the update that is described in the following article in the Microsoft Knowledge Base:

948963 An update is available to add support for the TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA and TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA AES cipher suites in Windows Server 2003

Step 2: To disable weak ciphers (including EXPORT ciphers) in Windows Server 2003 SP2, follow these steps.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


To edit these registry values, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
  3. On the Edit menu, point to New, and then click Key. Type one of the following cipher names as the name of the key:

    DES 56/56
    NULL
    RC2 40/128
    RC2 56/128
    RC2 56/56
    RC4 40/128
    RC4 56/128
    RC4 64/128
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. Type Enabled for the name of the DWORD, and then press ENTER.
  6. Right-click Enabled, and then click Modify.
  7. In the Value data box, type 00000000, and then click OK.
  8. On the File menu, click Exit to quit Registry Editor.
Note Repeat these steps to disable each weak cipher.
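
The registry steps above, written as a script that can also report the current state of each weak cipher key (an added example, not part of the original KB article). It assumes Windows PowerShell 2.0 is installed on the server and the session runs as an administrator; the `-Apply` switch and the variable names are this example's own.

```powershell
# Added example, not Microsoft's code. Assumes Windows PowerShell 2.0 and an
# administrator session. Without -Apply the script only reports.
param([switch]$Apply)

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Cipher key names exactly as listed in step 3 of the article.
$weakCiphers = 'DES 56/56', 'NULL', 'RC2 40/128', 'RC2 56/128', 'RC2 56/56',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128'

# Use the .NET registry API: the PowerShell registry provider treats the "/"
# in names such as "DES 56/56" as a path separator and would create nested
# keys ("DES 56" containing "56") that do not match the names in step 3.
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath, [bool]$Apply)
if ($null -eq $root) { throw "Cannot open HKLM\$ciphersPath" }

foreach ($name in $weakCiphers) {
    if ($Apply) {
        # Step 3: create (or open) the key named after the cipher.
        $key = $root.CreateSubKey($name)
        # Steps 4-7: DWORD value "Enabled" with data 00000000.
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }

    # Read the key back so the report reflects what is actually stored.
    $key = $root.OpenSubKey($name)
    if ($null -eq $key) {
        $state = 'key missing'
    } else {
        $value = $key.GetValue('Enabled', $null)
        if ($null -eq $value)  { $state = 'Enabled value missing' }
        elseif ($value -eq 0)  { $state = 'disabled' }
        else                   { $state = "NOT disabled (Enabled=$value)" }
        $key.Close()
    }
    '{0,-12} {1}' -f $name, $state
}
$root.Close()
```

Back up the registry as described above before running the script with `-Apply`.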

In order of preference, the cipher suites that are available after you successfully follow these steps are as follows:
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA



Keywords: kbexpertiseinter, kbsurveynew, kbhowto, kb


Article Info
Article ID : 3050509
Revision : 1
Created on : 1/7/2017
Published on : 3/24/2015
Exists online : False