Hi,
a measure to protect your Windows system against Sweet32 attacks is to disable DES and Triple DES.
To do this, add two registry keys to the SCHANNEL section of the registry.
As a registry file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000
or from the command line:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v Enabled /d 0 /t REG_DWORD /f
Michael
:::::::: Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024), 64-bit block cipher 3DES vulnerable to SWEET32 attack ::::::::
::: References
:: Get OS version:
:: stackoverflow.com/questions/13212033/get-windows-version-in-a-batch-file
:: OS Name to OS version:
:: msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
:: Windows command comparing
:: stackoverflow.com/questions/9278614/if-greater-than-batch-files
:: Find OS version, keeping major and minor separate (6.1 = Win2008 R2, 6.2 = Win2012, 6.3 = Win2012 R2, 10.0 = Win2016 and up):
for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set major=%%j& set minor=%%k) else (set major=%%i& set minor=%%j))
echo %major%.%minor%
:: Compare major and minor as numbers. A single "if %v% GEQ 6.2" compares as strings because of the dot,
:: so "10.0" sorts below "6.2" and Win2016 or up would get the wrong key name.
set newkey=0
if %major% GTR 6 set newkey=1
if %major% EQU 6 if %minor% GEQ 2 set newkey=1
:: OS version greater than or equal to 6.2 (Win2012 or up): key name is "Triple DES 168"
if %newkey%==1 (reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f)
:: OS version less than 6.2 (before Win2012): key name is "Triple DES 168/168"
if %newkey%==0 (reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v Enabled /d 0 /t REG_DWORD /f)
:: Verify: list the Ciphers key with all its subkeys and values
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers" /s
::::::::: End of disabling 3DES cipher :::::::::
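The same change as the registry snippet and the batch script above, written in PowerShell as an added example (this is not code from the original post, from Michael, or from Darren). It picks the subkey name by OS generation using the 6.2 boundary and key names given in the thread, reports the current state of the 3DES key and every other cipher subkey, and writes only when run with -Apply (a switch introduced for this example). It uses the .NET registry API rather than HKLM: paths because the PowerShell registry provider treats "/" as a path separator, so the key "Triple DES 168/168" cannot be opened or created with Get-Item or New-Item; OpenSubKey and CreateSubKey take the name literally.

```powershell
# Added example, not code from the original post or the batch script above.
# Disables the SCHANNEL 3DES cipher under the subkey name that matches the OS
# generation (names and the 6.2 boundary taken from the thread) and audits the
# Ciphers key. The .NET registry API is used on purpose: PowerShell's registry
# provider treats "/" as a path separator, so HKLM:\...\Ciphers\Triple DES 168/168
# is unreachable through Get-Item/New-Item, while OpenSubKey/CreateSubKey take
# the name literally. -Apply is this example's own switch; without it the script
# only reports. Run elevated when using -Apply.
param(
    [switch]$Apply
)

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# WMI/CIM reports the real OS version. [Environment]::OSVersion can be shimmed
# to 6.2 on Windows 8.1/10 for unmanifested hosts such as Windows PowerShell.
$osInfo = if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
    Get-CimInstance Win32_OperatingSystem
} else {
    Get-WmiObject Win32_OperatingSystem   # Windows PowerShell 2.0 (Server 2008 R2)
}
$osVersion = [Version]$osInfo.Version

# [Version] compares component-wise, so 10.0 sorts above 6.2 (a string compare would not).
$keyName = if ($osVersion -ge [Version]'6.2') { 'Triple DES 168' } else { 'Triple DES 168/168' }

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$ciphers = $hklm.OpenSubKey($ciphersPath, [bool]$Apply)   # writable handle only when applying
if (-not $ciphers) { throw "Key not found: HKLM\$ciphersPath" }

# Current state of the 3DES key: Enabled is 0 when disabled, 0xffffffff (Int32 -1)
# when explicitly enabled, and absent when the OS default (enabled) is in effect.
$current = $null
$sub = $ciphers.OpenSubKey($keyName)
if ($sub) { $current = $sub.GetValue('Enabled'); $sub.Close() }
$state = if ($null -eq $current) {
    'absent (3DES enabled by default)'
} elseif ($current -eq 0) {
    'Enabled=0 (disabled)'
} else {
    'Enabled=0x{0:x8} (enabled)' -f $current
}
Write-Host "OS $osVersion -> '$keyName': $state"

if ($current -ne 0) {
    if ($Apply) {
        $sub = $ciphers.CreateSubKey($keyName)   # creates or opens the key writable; "/" stays literal
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
        Write-Host "Set Enabled=0 under '$keyName'. Reboot so SCHANNEL picks up the change."
    } else {
        Write-Host "Would set Enabled=0 under '$keyName'; re-run elevated with -Apply to change it."
    }
}

# Audit: every cipher subkey and its Enabled value, including names that contain "/".
foreach ($name in $ciphers.GetSubKeyNames()) {
    $k = $ciphers.OpenSubKey($name)
    $v = $k.GetValue('Enabled')
    $k.Close()
    $shown = if ($null -eq $v) { '<no Enabled value>' } else { '0x{0:x8}' -f $v }
    Write-Host ("  {0,-24} {1}" -f $name, $shown)
}
$ciphers.Close()
```

Run it once without arguments to see which key name applies to the host and what is currently set, then elevated with -Apply to write. Reporting is the default because the thread goes on to report RDP breaking on Server 2008 R2 after 3DES is disabled; on that generation, confirm a working RDP session after the reboot before rolling the change out further.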
Hi Darren,
If we create Triple DES 168/168 on server versions below 6.2, i.e. Server 2008 R2 and below, we might run into RDP issues. Kindly check: social.technet.microsoft.com/Forums/ie/en-US/7a143f27-da47-4d3c-9eb2-6736f8896129/disabling-3des-breaks-rdp-to-server-2008-r2?forum=winRDc.
Kindly clarify my query.
Hi Pankaj,
Any details? Error messages?
Michael