Q: What can we do to limit or exclude the use of the RC4 stream cipher on our Windows platforms? What are the Microsoft recommendations for disabling RC4?
A: Microsoft recommends that customers use Transport Layer Security (TLS) 1.2 and the more secure Advanced Encryption Standard - Galois/Counter Mode (AES-GCM) cipher as the RC4 alternative. You can find out more information about this recommendation in the TechNet blog "Security Advisory 2868725: Recommendation to disable RC4."
Internet Explorer 11 (IE 11), which is bundled with Windows 8.1, enables TLS 1.2 by default and no longer uses RC4 during the SSL/TLS handshake. More details about this can be found in the MSDN blog "IE11 Automatically Makes Over 40% of the Web More Secure While Making Sure Sites Continue to Work."
Microsoft also released a patch that provides support for the IE 11 and Windows 8.1 RC4 changes on Windows 8, Windows 7, Windows RT, Windows Server 2012, and Windows Server 2008 R2. You can find more information about the patch in the Microsoft Support article "Microsoft security advisory: Update for disabling RC4."
The RC4 cipher can be completely disabled on Windows platforms by setting the "Enabled" (REG_DWORD) entry to value 00000000 in the following registry locations:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
Windows clients that have these registry entries set won't be able to connect to sites that require RC4. Windows servers that have these registry entries set won't be able to service clients that must use RC4.
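To apply the three registry entries listed above, here is an added PowerShell example (not a script from the original answer or from Microsoft) that writes Enabled=0 under each RC4 cipher key and reads it back. It assumes an elevated session and uses the .NET Registry class rather than New-Item, because the PowerShell registry provider treats the "/" in names such as "RC4 128/128" as a path separator and would create nested keys; a reboot is still required for SCHANNEL to pick up the change.

```powershell
# Added example: disable the SCHANNEL RC4 cipher keys named in the answer and verify.
# Requires an elevated PowerShell session; SCHANNEL reads these keys at boot.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys = @('RC4 128/128', 'RC4 40/128', 'RC4 56/128')

function Disable-Rc4Cipher {
    param([string]$KeyName)
    # CreateSubKey opens the key writable and creates it if it does not exist.
    # The .NET API only treats '\' as a separator, so the '/' in the name is kept intact.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$ciphersPath\$KeyName")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-Rc4Disabled {
    param([string]$KeyName)
    # Returns $true only when the key exists and Enabled is a DWORD 0.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ciphersPath\$KeyName")
    if ($null -eq $key) { return $false }
    try {
        return ($key.GetValue('Enabled', $null) -eq 0)
    } finally {
        $key.Close()
    }
}

foreach ($name in $rc4Keys) {
    Disable-Rc4Cipher -KeyName $name
    $state = if (Test-Rc4Disabled -KeyName $name) { 'disabled' } else { 'NOT disabled' }
    Write-Output ("{0,-12} : {1}" -f $name, $state)
}
```

Run Test-Rc4Disabled alone on a machine you did not change to audit whether the keys are already in place before scheduling the reboot.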