
How to update your windows server cipher suite for better security

Update Cipher Suite In Windows Server 2016

For Windows 10, version 1607 and Windows Server 2016, the following cipher suites are enabled and in this priority order by default using the Microsoft Schannel Provider:

[Table: columns "Cipher suite string", "Allowed by SCH_USE_STRONG_CRYPTO", "TLS/SSL Protocol versions". Most cipher suite names were lost in extraction; the surviving rows show protocol versions of TLS 1.2, TLS 1.1, TLS 1.0 (some also SSL 3.0) and these two entries:]

TLS_RSA_WITH_NULL_SHA256: Only used when application explicitly requests.
TLS_RSA_WITH_NULL_SHA: Only used when application explicitly requests.

The following cipher suites are supported by the Microsoft Schannel Provider, but not enabled by default:

[Table: same columns. Only one entry survived extraction; the other rows show protocol versions of TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0:]

TLS_RSA_WITH_NULL_MD5: Only used when application explicitly requests.

Beginning in Windows 10, version 1607 and Windows Server 2016, the following PSK cipher suites are enabled and in this priority order by default using the Microsoft Schannel Provider:

[Table: columns "Cipher suite string", "Allowed by SCH_USE_STRONG_CRYPTO", "TLS/SSL Protocol versions"; no rows.]

No PSK cipher suites are enabled by default. Applications need to request PSK using SCH_USE_PRESHAREDKEY_ONLY. For more information on Schannel flags

To add cipher suites, either deploy a group policy or use the TLS cmdlets:

· To use group policy, configure SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings with the priority list for all cipher suites you want enabled.

Update Your Cipher Suite

We’ve covered the background, now let’s get our hands dirty. Updating the suite of options your Windows server provides isn’t necessarily straightforward, but it definitely isn’t hard either.

To start, press Windows Key + R to bring up the “Run” dialogue box. Type “gpedit.msc” and click “OK” to launch the Group Policy Editor. This is where we’ll make our changes.

On the left hand side, expand Computer Configuration, Administrative Templates, Network, and then click on SSL Configuration Settings.

On the right hand side, double click on SSL Cipher Suite Order.

By default, the “Not Configured” button is selected. Click on the “Enabled” button to edit your server’s Cipher Suites.

The SSL Cipher Suites field will fill with text once you click the button. If you want to see what Cipher Suites your server is currently offering, copy the text from the SSL Cipher Suites field and paste it into Notepad. The text will be in one long, unbroken string. Each of the encryption options is separated by a comma. Putting each option on its own line will make the list easier to read.

Before enabling the cipher suites below, confirm that your applications will not be affected by the change.

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256

Summary

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To learn more about the vulnerability, see https://technet.microsoft.com/security/advisory/3155527.

More Information

All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.

If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Additional information about this security update

The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.

3151058 Description of the security update for Schannel: April 12, 2016

3156387 Cumulative update for Windows 10: April 12, 2016

3156421 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: April 12, 2016

How to obtain and install the update

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see
Get security updates automatically.

Note For Windows RT 8.1, this update is available through Windows Update only.

The following files are available for download from the Microsoft Download Center.

For all supported x64-based versions of Windows Server 2012 Download the package now.

For all supported x86-based versions of Windows 8.1 Download the package now.

For all supported x64-based versions of Windows 8.1 Download the package now.

For all supported x64-based versions of Windows Server 2012 R2 Download the package now.

Release Date: May 10, 2016

For more information about how to download Microsoft support files, click the following article number to go to the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses by using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it.

Windows 8.1 (all editions) Reference Table

The following table contains the security update information for this software.

Security update file name

For all supported 32-bit editions of Windows 8.1:
Windows8.1-KB3151058-x86.msu

For all supported x64-based editions of Windows 8.1:
Windows8.1-KB3151058-x64.msu

A system restart is required after you apply this security update.

To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Registry key verification

Note A registry key does not exist to validate the presence of this update.

Windows Server 2012 and Windows Server 2012 R2 (all editions) Reference Table

The following table contains the security update information for this software.

Security update file name

For all supported editions of Windows Server 2012:
Windows8-RT-KB3151058-x64.msu

For all supported editions of Windows Server 2012 R2:
Windows8.1-KB3151058-x64.msu

A system restart is required after you apply this security update.

To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Registry key verification

Note A registry key does not exist to validate the presence of this update.

Windows RT 8.1 (all editions) Reference Table

The following table contains the security update information for this software.

These updates are available via Windows Update only.

A system restart is required after you apply this security update.

Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Windows 10 (all editions) Reference Table

The following table contains the security update information for this software.

Security update file name

For all supported 32-bit editions of Windows 10:
Windows10.0-KB3156387-x86.msu

For all supported x64-based editions of Windows 10:
Windows10.0-KB3156387-x64.msu

For all supported 32-bit editions of Windows 10 Version 1511:
Windows10.0-KB3156421-x86.msu

For all supported x64-based editions of Windows 10 Version 1511:
Windows10.0-KB3156421-x64.msu

A system restart is required after you apply this security update.

To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Registry key verification

Note A registry key does not exist to validate the presence of this update.

Help for protecting your Windows-based computer from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

Windows Server 2012 R2 TLS 1.2 Cipher Suites

Hello – I have a .Net application that accesses an external website to retrieve data. The external website removed TLS 1.1 support and only supports the following TLS 1.2 cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The application works fine when being run from Windows Server 2016 or later (including Win10) but is not able to access the external site when being run on Windows Server 2012 R2 or earlier versions. I understand Server 2008 is end of life but Server 2012 R2 should still be supported, I would think. From what I understand, it appears these specific cipher suites are not available for Server 2012 R2. Will they ever be available, or is there some other way to have my application work with the existing available cipher suites? Thank You

6 Answers


–please don’t forget to Accept as answer if the reply is helpful–

Thank you very much for the reply. Looking at the list of “what’s available” that you supplied, I do not see the only two that the external site supports:

listed on that site.

If they are not available to the OS how can they be added? Is there some other way to manually add them if they have not been added via a previous Windows Update?

I’d check that windows is patched fully then they should be available, (from a 2012 R2 server here)


–please don’t forget to Accept as answer if the reply is helpful–

Once again, thanks for the reply. I’m terribly sorry if I’m missing something for this is definitely something that I’m not very familiar with. That article is very helpful in explaining the way they work, but it seems to address changing the order the ciphers are referenced or disabling specific ciphers, not adding a cipher that the OS does not already contain and support. I’m not sure how that would be done if it is not supported at the OS level. My previous understanding is the only way those are normally added is from a Windows Update.

From information in that post, I searched and found this TechNet post:

Which seems to suggest it may not be possible.

If you can direct me to steps on how to ADD new cipher suites, I would very much appreciate it.

Did you see my screenshot? That is from a patched 2012 R2 server here.

Again thanks. The server is fully patched. Looking at the screen shot that you sent above I do not see the two ciphers in question displayed there. The two in need are each “GCM” types:

Viewing this on the server in question, they are not listed.

For this 2012 R2 there are there I just had to scroll down a bit to find them.


–please don’t forget to Accept as answer if the reply is helpful–

Those you listed are available in Server 2012 R2:

However, the ones I need are:

Those don’t appear to be the same. However, I may be missing something, for sure.

Ok, gotcha. Those are not available for Server 2012 R2. They did not show up until Windows 10/Server 2016
https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1607

–please don’t forget to Accept as answer if the reply is helpful–

Thanks. But, since Windows Server 2012 R2 is still supported by Microsoft, is this something that will be adding in a future Windows Update? This seems important since companies are being told to disable older versions of TLS.

If they will be updated is there any timeframe on this?

As a workaround, you can add an “SSL Forwarding proxy” (such as WSA from Cisco; I suggest you use the search terms “ssl forward proxy” TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384″ to search for) in between. When the decrypting proxy re-encrypts the connection, as a side effect it will now support whatever cipher the proxy supports but the client does not.

Rusty — Did you ever get this resolved? I am in the exact same boat. No way I can move a primary business app to 2016 at a moments notice.

Let me know and thanks.

–please don’t forget to Accept as answer if the reply is helpful–

I have a question, too.

We recently ran into issues at 2 customer sites where calls from our .NET Core service using HttpClient fail with Handshake error (40) when posting to an https Apache server. We confirmed no “available” cipher suites in the Client Hello were accepted by the server. The odd thing is that Postman can run from that same server and it DOES have an acceptable cipher. The one in question that we saw accepted by Postman Client Hello is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and this one ISN’T offered in “our” call (.NET Core 2.8 HttpClient).

We have seen this on both Server 2012 R2 and Server 2016 Standard. I can maybe understand 2012 R2 failing, because it doesn’t look like this cipher is available in that OS, but then why does Postman work?

Is there any way to enable this cipher in 2012 R2?

What about 2016? Is it possible that cipher is allowed but just disabled?

This is all a little fuzzy for me still. Also, what tools are you using to see this information above (SSL Cipher Suite Order)?

Here I explain what cipher suites are, which cipher suites are recommended, and how to configure Windows Server to use only the recommended cipher suites, which use strong algorithms with no known security vulnerabilities.

What is a Cipher Suite?

A cipher suite is a set of cryptographic algorithms that together provide a secure, encrypted connection over Transport Layer Security (TLS)/Secure Sockets Layer (SSL).

A cipher suite contains one algorithm for each of the following tasks:

  1. Key Exchange
  2. Bulk Encryption
  3. Message authentication


Many more encryption algorithms are available, but only a few strong ones are recommended; the others have known security vulnerabilities or use weak encryption.

Windows Server offers many cipher suites, and each HTTPS request is served with whichever supported cipher suite is negotiated according to the priority order. So there is a chance a connection is served with a strong cipher suite, but also a chance it is served with a weak one.

Each cipher suite uses a different set of algorithms, which may be strong or weak. Weak cipher suites are vulnerable and less secure, and using them is not recommended. Some older cipher suites use weak algorithms.

Example:

ECDH – STRONG
DHE – STRONG
RSA – NORMAL
DES – WEAK
ADH – WEAK
NULL – WEAK
RC4 – WEAK
3DES – WEAK

You can check which cipher suites your server uses with the SSL Test by providing the domain name hosted on your server.

Recommended cipher suites, which use strong algorithms

Recommended Key Exchange:

  1. ECDHE
  2. DHE

Recommended Signature:

  1. ECDSA
  2. RSA

Recommended Bulk Encryption:

  1. AES 128 GCM
  2. AES 256 GCM

Recommended Message Authentication:

  1. SHA 256
  2. SHA 384

Hence, you should configure your server to use the recommended (strong) cipher suites. The steps to update the cipher suites in Windows Server follow.

How to update cipher suites in Windows Server?

Step 1: Open the Group Policy Editor: open Run and enter the command “gpedit.msc”.


Step 2: Navigate to SSL Cipher Suite Order using the following path:

Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order


Step 3: By default, SSL Cipher Suite Order is set to “Not Configured”. Double-click it to edit the state; you will get a dialog like the one below.


Step 4: Change the state to “Enabled”; this lets you edit the SSL Cipher Suites text box.


Step 5: Select all of the cipher suite text in that text box, then copy and paste it into any text editor so that you can see every cipher suite your Windows Server currently uses.

Note: The cipher suites are separated by commas.

Example: CipherSuite1,CipherSuite2,CipherSuite3, …… CipherSuiteN

Step 6: Now replace the existing cipher suites with the recommended cipher suites, formatted as a comma-separated list like the one above.

Note: Take a backup of the existing cipher suite list before editing it, so that you can restore it if something goes wrong.

Step 7: Paste the recommended cipher suites into the text box, then click Apply and OK.

Step 8: Restart the server for the setting to take effect.

You can check the updated cipher suites your server uses with the SSL Test.

Note: Restarting the server causes downtime, so schedule a planned maintenance window outside business hours.
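The same procedure, scripted: the following PowerShell is an added example and not the tutorial author's code. It covers Step 5 (classifying the comma-separated list copied from the SSL Cipher Suites box, using the strong/normal/weak grouping above), the check from the Q&A earlier on this page (are the suites a remote site insists on present locally?), Step 6 (building the policy string within the 1023-character limit the page mentions) and Steps 7 and 8 applied through the TLS cmdlets instead of gpedit. It assumes Windows Server 2016 or later, where Get-TlsCipherSuite, Enable-TlsCipherSuite and Disable-TlsCipherSuite exist, and an elevated session for the apply step; the function names and the sample input string are my own.

```powershell
# Added example, not from the page's author. Assumes Windows Server 2016+ (TLS module)
# and an elevated PowerShell session for Set-RecommendedCipherSuites.

# Priority list recommended on the page.
$RecommendedSuites = @(
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',     'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',   'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',         'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',         'TLS_RSA_WITH_AES_128_CBC_SHA256'
)

# Classify a suite name with the page's grouping: ECDHE/DHE strong, RSA key
# exchange normal, NULL/DES/3DES/RC4/ADH (and export/MD5) weak.
function Get-SuiteStrength {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -match 'NULL|_DES_|3DES|RC4|ADH|EXPORT|MD5') { return 'WEAK' }
    if ($Name -match '^TLS_(ECDHE|DHE)_')                   { return 'STRONG' }
    if ($Name -match '^TLS_RSA_')                           { return 'NORMAL' }
    return 'UNKNOWN'
}

# Step 5: the text copied from the SSL Cipher Suites box is one comma-separated line.
function Get-CipherSuiteReport {
    param([Parameter(Mandatory)][string]$SuiteString)
    foreach ($entry in $SuiteString.Split(',')) {
        $name = $entry.Trim()
        if ($name) { [pscustomobject]@{ Name = $name; Strength = Get-SuiteStrength -Name $name } }
    }
}

# Q&A check: which of the suites a remote site requires are missing locally?
function Test-RequiredCipherSuite {
    param([Parameter(Mandatory)][string[]]$Required, [Parameter(Mandatory)][string[]]$Available)
    $Required | Where-Object { $_ -notin $Available }
}

# Step 6: build the policy string and enforce the 1023-character limit noted on the page.
function New-CipherSuitePolicyString {
    param([Parameter(Mandatory)][string[]]$Suites)
    $s = $Suites -join ','
    if ($s.Length -gt 1023) { throw "Cipher suite list is $($s.Length) characters; the limit is 1023." }
    return $s
}

# Steps 7/8 via cmdlets: disable suites not on the list, then enable the recommended
# ones at explicit positions (0 = highest priority). Supports -WhatIf for a dry run.
function Set-RecommendedCipherSuites {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Suites)
    foreach ($current in Get-TlsCipherSuite) {
        if ($current.Name -notin $Suites -and $PSCmdlet.ShouldProcess($current.Name, 'Disable')) {
            Disable-TlsCipherSuite -Name $current.Name
        }
    }
    for ($i = 0; $i -lt $Suites.Count; $i++) {
        if ($PSCmdlet.ShouldProcess($Suites[$i], "Enable at position $i")) {
            Enable-TlsCipherSuite -Name $Suites[$i] -Position $i
        }
    }
}

# --- Demonstration on a constructed input string (as it would be pasted from gpedit) ---
$copied = 'TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,' +
          'TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_NULL_SHA'
$report = Get-CipherSuiteReport -SuiteString $copied
$report | Format-Table -AutoSize

$needed  = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
$missing = Test-RequiredCipherSuite -Required $needed -Available $report.Name
if ($missing) { Write-Warning "Not offered locally: $($missing -join ', ')" }

$policy = New-CipherSuitePolicyString -Suites $RecommendedSuites
Write-Host "Policy string ($($policy.Length) chars):`n$policy"

# Dry run first; remove -WhatIf to apply, then reboot as the page advises.
Set-RecommendedCipherSuites -Suites $RecommendedSuites -WhatIf
```

Two caveats when using the cmdlet route: if the SSL Cipher Suite Order policy is already Enabled, the Group Policy list takes precedence over what the TLS cmdlets set, so pick one mechanism; and the cmdlets are not present on Windows Server 2012 R2, where the gpedit procedure above remains the only option.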


Geoffrey_Carr


You run a trustworthy website that your users can rely on. Right? You might want to check that. If your site runs on Microsoft Internet Information Services (IIS), you may be in for a surprise. When users try to connect to your server over a secure connection (SSL/TLS), you may not be giving them a secure option at all.

Using a better cipher suite is free and very easy to set up. Just follow this step-by-step guide to protect your users and your server. You will also learn how to test the services you use, to see how secure they really are.

Why does the cipher suite matter?

Microsoft's IIS is pretty good. It is easy both to set up and to maintain. The user-friendly graphical interface makes configuration simple. It runs on Windows. IIS really does get a lot right, but it falls short on its security defaults.


Here is how a secure connection works. Your browser initiates a secure connection to a website. This is most easily recognised by a URL beginning with "HTTPS://". Firefox shows a small padlock icon to illustrate the point further. Chrome, Internet Explorer and Safari have similar ways of letting us know that the connection is encrypted. The server you are connecting to replies to your browser with a list of encryption options, ordered from most to least preferred. Your browser goes down the list until it finds an encryption option it supports, and off you go. The rest, as they say, is math. (Nobody says that.)

The fatal flaw here is that not all encryption options are created equal. Some use very strong encryption algorithms (ECDH), others less good ones (RSA), and some are simply ill-advised (DES). A browser can connect to the server using any option the server offers. If your site offers some ECDH options but also some DES options, the server will connect with either. The simple act of offering bad encryption options can make your site, your server and your users vulnerable. Unfortunately, by default IIS offers some fairly poor options. Not catastrophic, but definitely not good.

How to see where you stand

Before we begin, it is worth knowing where your site stands. Fortunately, the good people at Qualys provide SSL Labs to all of us for free. If you visit https://www.ssllabs.com/ssltest/ you can see exactly how your server responds to HTTPS requests. You can also see how the services you use regularly stack up.

One caveat here. Just because a site does not get an A rating does not mean that the people running it are doing a bad job. SSL Labs penalises RC4 as a weak encryption algorithm even though there are no known attacks. True, it is less resistant to brute-force attempts than something like RSA or ECDH, but that does not necessarily make it bad. A site may offer an RC4 connection option for compatibility with certain browsers, so use the rankings as a guide to websites, not as an ironclad statement of security or the lack of it.

Updating your cipher suite

We have covered the background; now let's get our hands dirty. Updating the set of options your Windows server offers is not necessarily straightforward, but it is not hard either.


To start, press Windows Key + R to bring up the "Run" dialog. Type "gpedit.msc" and click "OK" to launch the Group Policy Editor. This is where we will make our changes.


On the left-hand side, expand Computer Configuration, Administrative Templates, Network, and then click SSL Configuration Settings.

On the right-hand side, double-click SSL Cipher Suite Order.


By default, the "Not Configured" button is selected. Click the "Enabled" button to edit your server's cipher suites.


The SSL Cipher Suites field fills with text once you click the button. If you want to see which cipher suites your server is currently offering, copy the text from the SSL Cipher Suites field and paste it into Notepad. The text is one long, unbroken string. Each encryption option is separated by a comma. Putting each option on its own line makes the list easier to read.

Go through the list and add or remove entries to your heart's content, with one restriction: the list may be at most 1023 characters. This is especially annoying because cipher suites have long names such as "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384", so choose carefully. I recommend using the list that Steve Gibson maintains on GRC.com: https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt.

Once you have edited your list, you need to format it for use. Like the original list, the new one must be a single string with each cipher suite separated by a comma. Copy the formatted text, paste it into the SSL Cipher Suites field, and click OK. Finally, you will need to reboot for the change to take effect.

Once your server is back up and running, head over to SSL Labs and test it. If all went well, the result should be an A rating.


If you would prefer something visual, you can install IIS Crypto from Nartac (https://www.nartac.com/Products/IISCrypto/Default.aspx). This application lets you make the same changes as the steps above. It also lets you enable or disable ciphers based on a number of criteria, so you do not have to go through them by hand.

No matter how you do it, updating your cipher suites is an easy way to improve security for you and your end users.


INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:

Resolution

The following files are available for download from the Microsoft Download Center:

For all supported x86-based versions of Windows 7

Download the package now.

For all supported x64-based versions of Windows 7

Download the package now.

For all supported x86-based versions of Windows Embedded Standard 7

Download the package now.

For all supported x64-based versions of Windows Embedded Standard 7

Download the package now.

For all supported x64-based versions of Windows Server 2008 R2

Download the package now.

For all supported IA-64-based versions of Windows Server 2008 R2

Download the package now.

For all supported x86-based versions of Windows 8

Download the package now.

For all supported x64-based versions of Windows 8

Download the package now.

For all supported x64-based versions of Windows Server 2012

Download the package now.

Release Date: November 10, 2013

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

More Information

How to completely disable RC4

You must install this security update (2868725) before you make the following registry change to completely disable RC4.

This security update applies to the versions of Windows listed in this article. However, the same registry setting can also be used to disable RC4 on newer versions of Windows.

Clients and servers that must never negotiate RC4, regardless of what the other party supports, can disable the RC4 cipher suites completely by setting the Schannel cipher registry keys described in the Knowledge Base article referenced below. The effect is a hard failure rather than a fallback: a client with this setting cannot connect to a site that requires RC4, and a server with this setting cannot serve clients that can only use RC4. Test against the clients and peers you actually have before deploying it broadly.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
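The registry change itself, as an added PowerShell example (not part of the KB article): it writes the per-cipher Enabled=0 value that KB 245030 documents under Schannel's Ciphers key for the three RC4 key lengths Schannel knows, and then reads the keys back. The function names are mine. Run it elevated on a system that already has the update installed, and restart afterwards, since the change does not take effect until then.

```powershell
# Added example, not from the KB: disable every RC4 cipher suite in Schannel by writing the
# per-cipher Enabled=0 value that KB 245030 documents. Run from an elevated PowerShell on a
# system that already has the update installed; a restart is required afterwards.
# The .NET RegistryKey API is used instead of the HKLM: provider because the key names
# contain '/', which the PowerShell registry provider would treat as a path separator.

$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$Rc4Keys     = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'   # the three RC4 key lengths Schannel knows

function Disable-SchannelRc4 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $Rc4Keys) {
        $subKey = "$CiphersPath\$name"
        if ($PSCmdlet.ShouldProcess("HKLM\$subKey", 'set Enabled=0')) {
            $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subKey)
            try     { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
            finally { $key.Close() }
        }
    }
}

function Test-SchannelRc4Disabled {
    # $true only when all three keys exist with Enabled = 0; anything else (a missing key,
    # or the 0xFFFFFFFF "enabled" value) means RC4 can still be negotiated.
    $disabled = $true
    foreach ($name in $Rc4Keys) {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CiphersPath\$name")
        if ($null -eq $key) {
            Write-Warning "${name}: key missing, RC4 at OS default"
            $disabled = $false
            continue
        }
        try {
            $value = $key.GetValue('Enabled')
            if ($value -ne 0) { Write-Warning "${name}: Enabled=$value"; $disabled = $false }
        } finally { $key.Close() }
    }
    return $disabled
}

Disable-SchannelRc4 -WhatIf      # remove -WhatIf to apply the change
Test-SchannelRc4Disabled
```

This affects Schannel (TLS/SSL) only; it does not change the encryption types Kerberos uses. On Windows 8.1 / Windows Server 2012 R2 and later, the TLS cmdlets (Disable-TlsCipherSuite) can remove individual RC4 suites from the cipher suite list instead, but the Ciphers registry key above is the setting this KB describes and works on the older versions it covers.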

How other applications can prevent the use of RC4-based cipher suites

RC4 is not turned off by default for all applications. Applications that call into Schannel directly will continue to use RC4 unless they opt in to the stronger defaults. Applications that use Schannel can block RC4 cipher suites for their own connections by passing the SCH_USE_STRONG_CRYPTO flag to Schannel in the dwFlags member of the SCHANNEL_CRED structure. If compatibility with RC4-only peers must be maintained, such applications can also implement a fallback that retries without this flag, at the cost of being downgradable to RC4 by such a peer.

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

The files that apply to a specific product, milestone (RTM, SP n), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

Summary

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To learn more about the vulnerability, see https://technet.microsoft.com/security/advisory/3155527.

More Information

All future security and nonsecurity updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you install update 2919355 on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.

If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Additional information about this security update

The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.

3151058 Description of the security update for Schannel: April 12, 2016

3156387 Cumulative update for Windows 10: April 12, 2016

3156421 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: April 12, 2016

How to obtain and install the update

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see
Get security updates automatically.

Note For Windows RT 8.1, this update is available through Windows Update only.

The following packages are available for download from the Microsoft Download Center:

  • For all supported x64-based versions of Windows Server 2012
  • For all supported x86-based versions of Windows 8.1
  • For all supported x64-based versions of Windows 8.1
  • For all supported x64-based versions of Windows Server 2012 R2

Release Date: May 10, 2016

For more information about how to download Microsoft support files, click the following article number to go to the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses by using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it.

Windows 8.1 (all editions) Reference Table

The following table contains the security update information for this software.

Security update file name

For all supported 32-bit editions of Windows 8.1:
Windows8.1-KB3151058-x86.msu

For all supported x64-based editions of Windows 8.1:
Windows8.1-KB3151058-x64.msu

A system restart is required after you apply this security update.

To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Registry key verification

Note A registry key does not exist to validate the presence of this update.

Windows Server 2012 and Windows Server 2012 R2 (all editions) Reference Table

The following table contains the security update information for this software.

Security update file name

For all supported editions of Windows Server 2012:
Windows8-RT-KB3151058-x64.msu

For all supported editions of Windows Server 2012 R2:
Windows8.1-KB3151058-x64.msu

A system restart is required after you apply this security update.

To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Registry key verification

Note A registry key does not exist to validate the presence of this update.

Windows RT 8.1 (all editions) Reference Table

The following table contains the security update information for this software.

These updates are available via Windows Update only.

A system restart is required after you apply this security update.

Click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Windows 10 (all editions) Reference Table

The following table contains the security update information for this software.

Security update file name

For all supported 32-bit editions of Windows 10:
Windows10.0-KB3156387-x86.msu

For all supported x64-based editions of Windows 10:
Windows10.0-KB3156387-x64.msu

For all supported 32-bit editions of Windows 10 Version 1511:
Windows10.0-KB3156421-x86.msu

For all supported x64-based editions of Windows 10 Version 1511:
Windows10.0-KB3156421-x64.msu

A system restart is required after you apply this security update.

To uninstall an update installed by WUSA, use the /Uninstall setup switch or click Control Panel, click System and Security, click Windows Update, and then under See also, click Installed updates and select from the list of updates.

Registry key verification

Note A registry key does not exist to validate the presence of this update.
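Each reference table above says the same thing: no registry key records that the update is present, and removal goes through WUSA. The following added PowerShell example (mine, not Microsoft's) covers both for every product listed: it checks the servicing inventory that Get-HotFix exposes and wraps the wusa.exe /uninstall step. The KB numbers are the ones this article lists; mapping them to OS versions by build number is my assumption, used only to pick the right KB on the local machine.

```powershell
# Added example, not from the KB: these updates leave no registry key behind, so check the
# servicing inventory that Get-HotFix (Win32_QuickFixEngineering) exposes, and roll back with
# wusa.exe /uninstall. KB numbers are the ones this article lists; mapping them to OS versions
# by build number is my assumption for picking the right one on the local machine.

$SchannelUpdateByVersion = @{
    '6.2'        = 'KB3151058'   # Windows Server 2012
    '6.3'        = 'KB3151058'   # Windows 8.1 / Windows Server 2012 R2
    '10.0.10240' = 'KB3156387'   # Windows 10 RTM cumulative update
    '10.0.10586' = 'KB3156421'   # Windows 10 version 1511 cumulative update
}

function Get-ExpectedSchannelUpdate {
    # Use WMI rather than [Environment]::OSVersion, which under-reports on 8.1 and later.
    $v = [version](Get-CimInstance Win32_OperatingSystem).Version
    $lookup = if ($v.Major -eq 10) { "10.0.$($v.Build)" } else { "$($v.Major).$($v.Minor)" }
    $SchannelUpdateByVersion[$lookup]
}

function Test-SchannelUpdateInstalled {
    param([string]$KbId = (Get-ExpectedSchannelUpdate))
    if (-not $KbId) { throw 'No update from this article maps to this OS version' }
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{ KB = $KbId; Installed = ($installed -contains $KbId) }
}

function Uninstall-SchannelUpdate {
    # Equivalent of the WUSA /Uninstall step above; run elevated. /norestart leaves the
    # mandatory reboot to you, so the updated Schannel binaries stay loaded until then.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$KbId)
    $number = $KbId -replace '^KB', ''
    if ($PSCmdlet.ShouldProcess($KbId, 'wusa.exe /uninstall')) {
        Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$number /quiet /norestart" -Wait
    }
}

Test-SchannelUpdateInstalled
```

Get-HotFix only lists updates that went through component-based servicing, which is the case for the .msu packages above; on Windows RT 8.1, where the update ships through Windows Update only, the same check applies because the package is installed the same way.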


Hello! I'm running into some issues with Kerberos on a Windows 2008 server using RC4 encryption, getting various errors such as: "An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed."

I need to change the encryption to AES. How can I go about doing this? Thank you!


5 Replies

Use the IISCrypto tool to look at and modify the configuration of the server.

Best practice today (2019) is to only allow TLS 1.2 or better. If you're on 2008 rather than 2008 R2, you do not have support for TLS 1.2.

The details you see in the IIS Crypto tool are part of the Windows operating system. They are built in. The only way to get what is missing is to upgrade your version of Windows Server to something newer. 2008 R2 is almost EOL (it will be in January); 2008 already is.
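An added PowerShell example, not from the thread, that reads the same Schannel protocol state IIS Crypto displays and applies the "TLS 1.2 only" policy from the reply, dry-run first. The error quoted in the question is a Schannel TLS handshake event, so the Protocols registry keys below are what it reflects; Kerberos encryption types are configured separately and are not touched here. The function names are mine.

```powershell
# Added example (not from the thread): report and, optionally, harden the Schannel protocol
# configuration that IIS Crypto edits. Keys under Protocols are created on demand, so a missing
# key means "OS default". Kerberos encryption types live elsewhere and are not touched here.
$ProtocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols     = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    foreach ($proto in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $keyPath = Join-Path $ProtocolsPath "$proto\$side"
            $enabled = $disabledByDefault = 'default'
            if (Test-Path $keyPath) {
                $props = Get-ItemProperty -Path $keyPath
                if ($null -ne $props.Enabled)           { $enabled           = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Set-SchannelProtocol {
    # Enabled=1 / DisabledByDefault=0 turns a protocol on; Enabled=0 / DisabledByDefault=1 turns it off.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in 'Server', 'Client') {
        $keyPath = Join-Path $ProtocolsPath "$Protocol\$side"
        if ($PSCmdlet.ShouldProcess($keyPath, "set Enabled=$([int]$Enable)")) {
            New-Item -Path $keyPath -Force | Out-Null
            New-ItemProperty -Path $keyPath -Name Enabled -PropertyType DWord -Value ([int]$Enable) -Force | Out-Null
            New-ItemProperty -Path $keyPath -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
        }
    }
}

# Audit first, then the "TLS 1.2 only" policy from the reply. On 2008 R2, TLS 1.2 has to be turned
# on explicitly; on 2008 RTM there is nothing to turn on. Drop -WhatIf to apply; a restart is
# required afterwards, and anything that only speaks TLS 1.0 (older RDP clients, for instance)
# will stop connecting.
Get-SchannelProtocolState | Format-Table -AutoSize
foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Protocol $old -Enable $false -WhatIf }
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true -WhatIf
```

Run the audit on the server that logs the error and on the client that triggers it: the handshake failure in the question means the two sides have no protocol and cipher suite in common, and the registry state on each side tells you which one to change.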