I'm looking for a straightforward script to disable 3DES and RC4 ciphers due to the SWEET32 vulnerability across 17 servers. I'd like to run this script manually on each server to ensure they are secure. Any guidance would be appreciated!
2 Answers
Another method is to use IISCrypto's command line interface. You could also utilize PowerShell commands like `Get-TlsCipherSuite` to manage your cipher suites. Here's a quick way to check your current setup: `Get-TlsCipherSuite | Format-Table -AutoSize Name,Cipher,CipherLength,CipherSuite,KeyType,Certificate,Exchange,Hash`. After that, you can run `Disable-TlsCipherSuite -Name "YourCipherName"` to disable 3DES and RC4. If remoting is enabled, you can do it across all 17 servers simultaneously.
To disable 3DES and RC4, you'll want to modify the registry keys found under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`. A good approach is to use the IISCrypto tool on one server, configure it to disable those ciphers, and then export the registry key. You can then replicate this across your servers with `New-Item` and `New-ItemProperty` commands. Nartac provides a comprehensive list of the keys modified by IISCrypto on their FAQ page if you need more info.
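
The two approaches above combined into one script, as an added example that is not part of either answer: it sets `Enabled = 0` on the documented SCHANNEL cipher subkeys for 3DES and RC4, then disables matching suites with the TLS cmdlets where they exist. It goes through the .NET registry API instead of `New-Item` because the RC4 subkey names contain `/`, which the PowerShell registry provider treats as a path separator.

```powershell
# Added example: disable 3DES and RC4 in SCHANNEL on the local server.
# Run from an elevated PowerShell session.

# Documented SCHANNEL cipher subkey names for 3DES and RC4.
$ciphers = 'Triple DES 168', 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'
$base    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# CreateSubKey opens the key writable, creating it if it does not exist yet.
# Only "\" is a separator here, so "RC4 128/128" becomes a single subkey.
$root = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($base)
try {
    foreach ($name in $ciphers) {
        $key = $root.CreateSubKey($name)
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally {
            $key.Dispose()
        }
    }
} finally {
    $root.Dispose()
}

# Where the TLS cmdlets are available, also disable every cipher suite
# whose name contains 3DES or RC4.
if (Get-Command Disable-TlsCipherSuite -ErrorAction SilentlyContinue) {
    Get-TlsCipherSuite |
        Where-Object { $_.Name -match '3DES|RC4' } |
        ForEach-Object { Disable-TlsCipherSuite -Name $_.Name }
}

# Report the resulting state so each server can be checked after the run.
foreach ($name in $ciphers) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$name")
    [pscustomobject]@{ Cipher = $name; Enabled = $key.GetValue('Enabled') }
    $key.Dispose()
}
```

Saved as a `.ps1` file, this can be run by hand on each server, or pushed with `Invoke-Command -ComputerName ... -FilePath ...` where remoting is enabled.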
