BWTST has created a GPO, "DI-BWTST Disable RC4 Cipher", that mitigates the vulnerabilities associated with the SSL RC4 cipher suite, which has recently been raised as a top concern.
Recent searches turned up a two-part approach: a Microsoft hotfix and registry changes. We have found that the registry change alone will mitigate the vulnerability. The GPO makes the following changes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
These changes can also be done manually and may require a server reboot to complete.
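To confirm on a given host that the settings above are in place, the following PowerShell check reads the three keys and reports whether "Enabled" is a DWORD of 0. It is an added example, not part of the BWTST GPO, and the function name Test-Rc4Disabled is hypothetical. It uses the .NET registry API because the PowerShell registry provider treats the "/" in key names such as "RC4 128/128" as a path separator.

```powershell
# Added example (not part of the GPO). Test-Rc4Disabled is a hypothetical name.
# Audits the three SCHANNEL RC4 cipher keys listed above on the local host.
function Test-Rc4Disabled {
    [CmdletBinding()]
    param(
        [string[]]$CipherNames = @('RC4 128/128', 'RC4 40/128', 'RC4 56/128')
    )
    $base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

    # Open HKLM through .NET: with the HKLM:\ provider path, "RC4 128/128"
    # would be split at "/" into a key "RC4 128" and a subkey "128".
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine,
        [Microsoft.Win32.RegistryView]::Default)
    try {
        foreach ($name in $CipherNames) {
            $state = 'KeyMissing'   # key absent: the GPO setting is not present
            $value = $null
            $key = $hklm.OpenSubKey("$base\$name")
            if ($key) {
                try {
                    $value = $key.GetValue('Enabled', $null)
                    if ($null -eq $value) {
                        $state = 'ValueMissing'
                    } elseif ($key.GetValueKind('Enabled') -ne
                              [Microsoft.Win32.RegistryValueKind]::DWord) {
                        $state = 'WrongType'      # e.g. created as a string value
                    } elseif ($value -eq 0) {
                        $state = 'Disabled'       # matches dword:00000000
                    } else {
                        $state = 'NotDisabled'
                    }
                } finally { $key.Dispose() }
            }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Cipher    = $name
                Enabled   = $value
                State     = $state
                Compliant = ($state -eq 'Disabled')
            }
        }
    } finally { $hklm.Dispose() }
}

Test-Rc4Disabled | Format-Table -AutoSize
```

Any row where Compliant is False means the GPO has not applied to that host or the value was created incorrectly, for example by a script that went through the registry provider and produced a nested "RC4 128" key.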
USGS Security Assurance Team states:
RC4 Cipher: Nessus ID#65821 https://support.microsoft.com/en-us/kb/2868725
“USGS has 12,513 hosts with this Medium severity vulnerability. Roughly 9,835 of them are found on RDP port 3389. ITSOT is recommending that either a GPO, MECM, or IEM solution be developed to correct and maintain this issue nationally.”