Windows: Disable DES and Triple DES (3DES)


a measure to protect your Windows System against Sweet32 attacks is to disable the DES and Triple DES.

To do this, add 2 Registry Keys to the SCHANNEL Section of the registry.

As registry file

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]

or from command line

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v Enabled /d 0 /t REG_DWORD /f


Advertisment to support

3 thoughts on “Windows: Disable DES and Triple DES (3DES)”

  1. :::::::: Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024), 64-bit block cipher 3DES vulnerable to SWEET32 attack ::::::::
    ::: References
    :: Get OS version:

    :: OS Name to OS version:

    :: Windows command comparing

    :: Find OS version:
    for /f “tokens=4-7 delims=[.] ” %%i in (‘ver’) do (if %%i==Version (set v=%%j.%%k) else (set v=%%i.%%j))
    echo %v%

    :: Check if OS version is greater than or equal to “6.2” (Win2012 or up)
    if %v% GEQ 6.2 (reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168” /f & reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168” /v Enabled /d 0 /t REG_DWORD /f)

    :: Check if OS version is less than “6.2” (before Win2012)
    if %v% LSS 6.2 (reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168” /f & reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168” /v Enabled /d 0 /t REG_DWORD /f)

    reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
    ::::::::: End of disabling 3DES cipher :::::::::

    1. Hi Darren,
      If we create Triple DES 168/168 on server versions below 6.2 i.e. server 2008 R2 and below we might runs with RDP issues. Kindly check:

      Kindly clarify my query.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.