3 thoughts on “Windows: Disable DES and Triple DES (3DES)”

1. :::::::: Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024), 64-bit block cipher 3DES vulnerable to SWEET32 attack ::::::::
   ::: References
   :: Get OS version:
   :: stackoverflow.com/questions/13212033/get-windows-version-in-a-batch-file

   :: OS Name to OS version:
   :: msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx

   :: Windows command comparing
   :: stackoverflow.com/questions/9278614/if-greater-than-batch-files

   :: Find OS version:
   for /f “tokens=4-7 delims=[.] ” %%i in (‘ver’) do (if %%i==Version (set v=%%j.%%k) else (set v=%%i.%%j))
   echo %v%

   :: Check if OS version is greater than or equal to “6.2” (Win2012 or up)
   if %v% GEQ 6.2 (reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168” /f & reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168” /v Enabled /d 0 /t REG_DWORD /f)

   :: Check if OS version is less than “6.2” (before Win2012)
   if %v% LSS 6.2 (reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168” /f & reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168” /v Enabled /d 0 /t REG_DWORD /f)

   reg query “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
   ::::::::: End of disabling 3DES cipher :::::::::

   Reply

   1. Hi Darren,
      If we create Triple DES 168/168 on server versions below 6.2 i.e. server 2008 R2 and below we might runs with RDP issues. Kindly check: social.technet.microsoft.com/Forums/ie/en-US/7a143f27-da47-4d3c-9eb2-6736f8896129/disabling-3des-breaks-rdp-to-server-2008-r2?forum=winRDc.

      Kindly clarify my query.

      Reply

      1. Hi Pankaj,

         any Details? Error Messages?

         Michael

         Reply