Cipher Suites Renamed in Windows Server 2016

After testing IIS Crypto 2.0 we ran into an issue with the soon-to-be-released Windows Server 2016. None of the Qualys SSL Labs scans recognized the cipher suite order that IIS Crypto had configured. It turns out that Microsoft quietly renamed most of their cipher suites, dropping the curve suffix (_P521, _P384, _P256) from the names. Because the curve no longer appears in the suite name, the three variants of each ECDHE suite collapsed into one. However, this threw us a bit of a curve ball, as IIS Crypto's configuration and all of its templates now needed to support OS version checking. We added this in one of the beta versions, retested, and sure enough the scans now showed the correct cipher suite order.
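
As an added illustration (example code written for this page, not IIS Crypto's own source), here is a PowerShell sketch of that version check and of the de-duplication a 2012 R2 style template needs on 2016. The build threshold, the Functions policy value and the EccCurves location are assumptions from general Windows knowledge rather than anything stated above, and the template fragment is constructed.

```powershell
# Added example, not IIS Crypto's own code. Demonstrates the OS version check the
# post says every template needed: the Windows 10 / Server 2016 line (build 10240
# and later) dropped the _P256/_P384/_P521 suffix from Schannel cipher suite names,
# so a Server 2012 R2 style list with three entries per ECDHE suite must collapse
# to one entry per suite while keeping the original preference order.

# Constructed sample: a fragment of a 2012 R2 style cipher suite order.
$template2012 = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P256'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256'
    'TLS_RSA_WITH_AES_256_GCM_SHA384'   # RSA key exchange: no curve suffix on either OS
)

function Test-SchannelUsesCurveSuffix {
    # Builds older than 10240 (pre Windows 10 / Server 2016) append the curve to the name.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    return $build -lt 10240
}

function ConvertTo-OsCipherSuiteOrder {
    param(
        [string[]] $Suites,
        [bool] $UseCurveSuffix = (Test-SchannelUsesCurveSuffix)
    )
    if ($UseCurveSuffix) { return $Suites }
    $seen = @{}
    foreach ($s in $Suites) {
        $name = $s -replace '_P(256|384|521)$', ''
        # First occurrence wins, so the template's priority order survives the merge.
        if (-not $seen.ContainsKey($name)) { $seen[$name] = $true; $name }
    }
}

$order = @(ConvertTo-OsCipherSuiteOrder -Suites $template2012)

# Apply it where the "SSL Cipher Suite Order" group policy stores it: a comma
# separated REG_SZ named Functions (assumed location; run elevated).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name Functions -Value ($order -join ',') -Type String

# On 2016 the curve preference is a separate EccCurves list under the same key,
# which is why the suffix could go. Get-TlsCipherSuite (2016+) reports the new
# names, so anything in our order that it does not list is either misspelled for
# this build or disabled on this machine.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $known = (Get-TlsCipherSuite).Name
    $order | Where-Object { $_ -notin $known } |
        ForEach-Object { Write-Warning "Not in this build's enabled suite list: $_" }
}
```

On a 2012 R2 box the function returns the five names untouched; on 2016 it returns three, and the final check is what a scan like SSL Labs would otherwise be the first to tell you about.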

Comments (16)

By Metehan Bolat | April 25, 2018 - 01:10

Hey, I guess on later or updated versions of Windows Server 2016 the GUI throws exceptions that can only be seen in Event Viewer,
something about KERNELBASE.DLL and System.InvalidCastException.
It may be about checking the OS version. We have been using this tool on Windows Server 2012 and it saved us big time.
Any other people having the same issue? I can share more details upon request.

By R S | May 17, 2018 - 04:05

Yes, getting the same error with recently provisioned Windows Server 2016 VMs in Azure.

By Debjit Das | May 24, 2018 - 03:44

IIS Crypto 2.0 is crashing on recently provisioned Windows Server 2016 VMs in Azure and throwing an exception about "KERNELBASE.DLL and System.InvalidCastException".

We can see the same issue already posted on your blog recently regarding Azure hosted VMs.

Much appreciated if you can provide an update on when this bug will be fixed for Azure VMs!

By James Cumper | June 15, 2018 - 08:31

Hi, any update on IIS Crypto crashing on Azure 2016 VMs and throwing an exception about "KERNELBASE.DLL and System.InvalidCastException"?

By YK | June 19, 2018 - 04:09

Is it possible to fix the IIS Crypto crash on Azure Windows Server 2016?

By YK | June 19, 2018 - 04:10

Is there any workaround?

By om | June 21, 2018 - 09:16

Same here - IIS Crypto crashes on Azure Windows Server 2016 (works great on Windows Server 2012).

By same issue | June 22, 2018 - 06:59

IIS Crypto is failing.

By Jeff | June 22, 2018 - 07:45

Hi All,

The actual issue is with the Azure template. It is setting both the RC4 and SSL 3.0 registry keys as a string when they should be a DWORD.

The next version of IIS Crypto checks for this and sets the correct types. In the meantime, if you want, look for the keys named "Enabled" and "DisabledByDefault" under the root (and their children):

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

- Jeff

By James Cumper | June 25, 2018 - 10:24

Do you know when the next version will be available? We are currently using the latest available version.

By Metehan Bolat | July 12, 2018 - 12:05

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

These have REG_SZ typed registry values named Enabled with a value of 0.

Simply remove these values and add them back with Type Dword, Name Enabled and Value 0.

Also add the keys below under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
DES 56/56
NULL
RC2 128/128
RC2 40/128
RC2 56/128
RC4 64/128

In each key, make a value of type Dword, name Enabled, value 0.

Under the very same root also add the keys below:
AES 128/128
AES 256/256
Triple DES 168

In each key, make a value of type Dword, name Enabled, value ffffffff.

------
I made a comparison between two Azure gallery VMs of Server 2016, one of which could run IIS Crypto 2.0 while the other one can't. This is the difference between the two.

It is not just a type issue; it is also about having some keys missing by default.

-----
Another trick is to run an old version of IIS Crypto (1.6? something like that); it opens without any registry checks. Do a dummy change to activate Save. Then save the configuration and restart the VM. It will add the missing registry keys; next you can run IIS Crypto 2.0.
Thank you for the hint, Jeff.
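
The following is an added example written for this page, not IIS Crypto's own code and not something any commenter posted. It puts Jeff's diagnosis and Metehan's key list into one script: it walks every key under SCHANNEL (so the SSL 3.0 Client and Server values that Dave and Ron mention further down are caught by the same pass), replaces any Enabled or DisabledByDefault value stored as REG_SZ with a REG_DWORD carrying the same number, and creates the cipher keys that were missing. The list of expected keys and their values is taken from the comment above; the hex handling and the use of the .NET registry API are this example's own choices.

```powershell
# Added example, not IIS Crypto's own code. Walk every key under SCHANNEL, convert
# Enabled / DisabledByDefault values stored as REG_SZ to REG_DWORD with the same
# number, and create the cipher keys the broken Azure image lacked.
# The .NET registry API is used instead of New-Item/Set-ItemProperty because the
# PowerShell provider treats the '/' in a name like 'RC4 128/128' as a path
# separator and would create two nested keys.
# Run elevated; Schannel only picks the changes up after a reboot.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$valueNames   = 'Enabled', 'DisabledByDefault'

# Cipher keys from the comment above, with the Enabled DWORD each should hold.
# 0xFFFFFFFF is written as -1 because RegistryKey.SetValue takes a DWORD as Int32.
$expectedCiphers = @{
    'DES 56/56' = 0; 'NULL' = 0
    'RC2 128/128' = 0; 'RC2 40/128' = 0; 'RC2 56/128' = 0
    'RC4 128/128' = 0; 'RC4 40/128' = 0; 'RC4 56/128' = 0; 'RC4 64/128' = 0
    'AES 128/128' = -1; 'AES 256/256' = -1; 'Triple DES 168' = -1
}

function ConvertTo-SchannelDword {
    # Schannel values are 0, 1 or ffffffff; read the text as hex when it looks like hex.
    param([string] $Text)
    $u = if ($Text -match '[a-fA-Fx]' -and $Text -match '^(0x)?([0-9a-fA-F]{1,8})$') {
        [Convert]::ToUInt32($Matches[2], 16)
    } else {
        [uint32]$Text
    }
    # 0xffffffff does not fit an Int32; wrap it so SetValue stores the same bits.
    if ($u -gt [int]::MaxValue) { [int]($u - 4294967296) } else { [int]$u }
}

function Repair-SchannelValueTypes {
    [CmdletBinding(SupportsShouldProcess)]
    param([Microsoft.Win32.RegistryKey] $Key)
    foreach ($name in $valueNames) {
        if ($Key.GetValueNames() -notcontains $name) { continue }
        $kind = $Key.GetValueKind($name)
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) { continue }
        $raw   = [string]$Key.GetValue($name)
        $dword = ConvertTo-SchannelDword $raw
        if ($PSCmdlet.ShouldProcess("$($Key.Name)\$name", "replace $kind '$raw' with DWORD $dword")) {
            $Key.DeleteValue($name)
            $Key.SetValue($name, $dword, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        [pscustomobject]@{ Key = $Key.Name; Value = $name; Was = "$kind $raw"; Now = $dword }
    }
    foreach ($sub in $Key.GetSubKeyNames()) {
        $child = $Key.OpenSubKey($sub, $true)
        if ($child) { Repair-SchannelValueTypes -Key $child; $child.Close() }
    }
}

function Add-MissingSchannelCipherKeys {
    [CmdletBinding(SupportsShouldProcess)]
    param([Microsoft.Win32.RegistryKey] $Ciphers)
    foreach ($entry in $expectedCiphers.GetEnumerator()) {
        if ($Ciphers.GetSubKeyNames() -contains $entry.Key) { continue }
        if ($PSCmdlet.ShouldProcess("$($Ciphers.Name)\$($entry.Key)", "create with Enabled=$($entry.Value)")) {
            $k = $Ciphers.CreateSubKey($entry.Key)
            $k.SetValue('Enabled', [int]$entry.Value, [Microsoft.Win32.RegistryValueKind]::DWord)
            $k.Close()
        }
    }
}

$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath, $true)
Repair-SchannelValueTypes -Key $root -WhatIf                         # drop -WhatIf to apply
Add-MissingSchannelCipherKeys -Ciphers $root.CreateSubKey('Ciphers') -WhatIf
$root.Close()
```

With -WhatIf left in place the script only reports which values it would retype and which keys it would create, which is a useful diff to keep before touching a production image.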

By Dave | July 23, 2018 - 08:09

I have tested the above registry changes and it started working after making this change in addition:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client

REG_DWORD name DisabledByDefault value 1
REG_DWORD name Enabled value 0

By Azhar Ali Buttar | July 23, 2018 - 01:24

I recommend not using the old IIS Crypto because it will change the names of the ciphers according to the old versions. Microsoft has changed the cipher suite names quietly. Although the SSL Labs website will give you an A+, your server will actually be the victim of a security vulnerability. The best way I recommend is to go to another server already fixed for the ciphers, export the registry keys related to SSL/TLS (Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL) and import them into your new server. Hope this helps.

By Tariq | July 29, 2018 - 12:56

Hi Team,

I have downloaded IIS Crypto GUI version 2.0 to disable TLS 1.0 and the RC4 cipher using this software. But when I tried to open the software it gives me a privacy statement error. Find the error below. I am using a Windows 2012 R2 server; kindly let us know how to resolve this issue.

Error:

For your convenience, here is the text of the Windows Error Reporting section of the Windows privacy statement. To see the latest version, please visit the online version of this privacy statement at http://go.microsoft.com/fwlink/?LinkId=280262.


What this feature does

Windows Error Reporting helps Microsoft and Microsoft partners diagnose problems in the software you use and provide solutions. Not all problems have solutions, but when solutions are available, they are offered as steps to solve a problem you’ve reported or as updates to install. To help prevent problems and make software more reliable, some solutions are also included in service packs and future versions of the software.


Information collected, processed, or transmitted

Many software products are designed to work with Windows Error Reporting. If a problem occurs in one of these products, you might be asked if you want to report it.

Windows Error Reporting collects information that is useful for diagnosing and solving a problem that has occurred, such as where the problem happened in the software or hardware, the type or severity of the problem, files that help describe the problem, basic software and hardware information, or possible software performance and compatibility problems. If you use Windows to host virtual machines, error reports sent to Microsoft might include information about virtual machines.

Windows Error Reporting also collects information about apps, drivers, and devices to help Microsoft understand and improve app and device compatibility. Information about an app might include the name of the app’s executable files. Information about devices and drivers might include the names of devices you’ve installed on your PC and the executable files associated with those devices’ drivers. Information about the company that published an app or driver might be collected.

If you choose to enable automatic reporting while setting up Windows, the reporting service will automatically send basic information about where problems occur. In some cases, the reporting service will automatically send additional information to help diagnose the problem, such as a partial snapshot of PC memory. Some error reports might unintentionally contain personal information. For example, a report that contains a snapshot of PC memory might include your name, part of a document you were working on, or data that you recently submitted to a website.
To help diagnose certain types of problems, Windows Error Reporting might create a report containing extra information, such as log files. Before sending a report containing this additional information, Windows will ask if you want to send the report, even if you’ve enabled automatic reporting.

After you send a report, the reporting service might ask you for more information about the problem that occurred. If you choose to provide your phone number or email address in this information, your error report will be personally identifiable. Microsoft might contact you to request additional information to help solve the problem you reported.

Windows Error Reporting randomly generates a number called a globally unique identifier (GUID) that is sent to Microsoft with every error report. The GUID lets us determine which data is sent from a particular computer over time. The GUID doesn’t contain any personal information.

To help protect your privacy, the information is sent encrypted via SSL.


Use of information

Microsoft uses information about errors and problems reported by Windows users to improve Microsoft products and services, as well as third-party software and hardware designed for use with these products and services. We use the GUID to determine how widespread the feedback we receive is and how to prioritize it. For example, the GUID allows Microsoft to distinguish between one customer experiencing a problem one hundred times and one hundred customers experiencing the same problem once.

Microsoft employees, contractors, vendors, and partners might be provided access to relevant portions of the information collected, but they’re only permitted to use the information to repair or improve Microsoft products and services, or third-party software and hardware designed for use with Microsoft products and services. If an error report contains personal information, Microsoft doesn’t use the information to identify, contact, or target advertising to you. However, if you choose to provide contact information as described above, we may use this information to contact you.


Choice and control

If you choose express settings while setting up Windows, Windows Error Reporting will automatically send basic reports to check for solutions to problems online. If you choose to customize settings, you can control Windows Error Reporting by selecting Use Windows Error Reporting to check for solutions to problems under Check online for solutions to problems. After setting up Windows, you can change this setting in Action Center in Control Panel.
For more information, see the Microsoft Error Reporting Service privacy statement at:
http://go.microsoft.com/fwlink/?LinkId=50163


Best Regards

By Ron Hinds | October 19, 2018 - 10:39

I also had the REG_SZ Enabled value in this key, which I had to change to REG_DWORD before IISCrypto would work.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

By Nick Gilbert | December 4, 2018 - 05:08

What services need restarting after applying the above registry changes? I've tried the changes mentioned above but I still get the same error.

Regards,
Nick
