Hey everyone! I'm facing an issue with resetting the default cipher suites after making changes to the Group Policy Object (GPO) that controls the cipher suite order. It appears that when I remove certain servers from this GPO, they end up losing all their cipher suites, which crashes all communications, including RDP and SQL. I've tried setting it to 'not configured', but that doesn't seem to help. Does anyone have a solution or any suggestions? Thanks!
3 Answers
You might want to check out the IISCrypto tool from Nartac. It's pretty handy for managing cipher suites. Just a heads up though, since you've got 1500 servers, it'll make things a bit more challenging. Still, it's worth a look!
I’ve got our system cipher settings configured using GPO registry keys. While you’ll need to set them up from scratch, I believe the IISCrypto tool also has a CLI option that you could leverage for managing multiple systems remotely. That could save you some time!
If you're looking for the specifics, all the Cipher/SChannel info can be found in the registry. You might want to pull the defaults from a clean server's registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 and check here too: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Just a tip though, be cautious when using default settings!
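To make the "pull the defaults from a clean server and compare" step above concrete, here is an added PowerShell example (not code from the thread or from IISCrypto). It reads the cipher suite order policy value under the Policies key, walks the SCHANNEL tree, and records what the host actually offers via Get-TlsCipherSuite (TLS module, Windows Server 2016 / Windows 10 and later, an assumption about the OS version), so a snapshot from a clean server can be diffed against one from an affected server. The function names and the JSON output file layout are my own choices.

```powershell
# Added example (not from the thread): snapshot the SChannel-related cipher settings
# on this host so a clean server's output can be compared with an affected one.
# The registry paths are the standard Windows locations; the "SSL Cipher Suite Order"
# GPO writes the Functions value under the Policies key.

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-CipherPolicyState {
    # Describes whether a cipher suite order policy is present and what it holds.
    # A present key with an empty Functions value means "no suites", which matches
    # the failure mode described in the question.
    $result = [ordered]@{
        PolicyKeyPresent = Test-Path $PolicyKey
        Functions        = @()
        SuiteCount       = 0
    }
    if ($result.PolicyKeyPresent) {
        $functions = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).Functions
        if ($null -ne $functions) {
            # Functions is normally a comma-separated REG_SZ; normalise to a list either way.
            $list = @((@($functions) -join ',') -split ',' | Where-Object { $_ -ne '' })
            $result.Functions  = $list
            $result.SuiteCount = $list.Count
        }
    }
    [pscustomobject]$result
}

function Export-SchannelSettings {
    param([string]$OutFile = "$env:COMPUTERNAME-schannel.json")
    # Walk Ciphers, Hashes, KeyExchangeAlgorithms and Protocols and record every
    # Enabled / DisabledByDefault value for later comparison.
    $items = Get-ChildItem -Path $SchannelKey -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Path              = $_.Name
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    $snapshot = [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        CipherPolicy    = Get-CipherPolicyState
        Schannel        = $items
        # What SChannel will actually offer after policy and registry are applied.
        EffectiveSuites = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    }
    $snapshot | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile
    $OutFile
}

function Compare-SchannelSnapshots {
    param([string]$CleanFile, [string]$SuspectFile)
    $clean   = Get-Content $CleanFile   | ConvertFrom-Json
    $suspect = Get-Content $SuspectFile | ConvertFrom-Json
    # Suites the clean host offers that are missing on the suspect host.
    Compare-Object $clean.EffectiveSuites $suspect.EffectiveSuites |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject
}

# Usage: run Export-SchannelSettings on a clean server and on an affected one,
# copy both JSON files to one place, then:
#   Compare-SchannelSnapshots -CleanFile .\CLEAN-schannel.json -SuspectFile .\BROKEN-schannel.json
```

Running Get-CipherPolicyState on an affected server is the quick check: if the policy key is present but SuiteCount is 0, the GPO left behind an empty suite order rather than reverting to the OS default, which is consistent with every TLS-dependent service (RDP, SQL) failing at once. Across many servers the export function can be wrapped in Invoke-Command and the resulting files collected centrally.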
Thanks for the tip! I'll definitely check it out, but managing that many servers sounds daunting!