Closed globeone closed 2 years ago
I originally left the CBC ciphers for backward compatibility. I seem to recall having an issue with a customer once where RDP wouldn't work. However, that was quite some time ago (and might have been Windows Server 2012 R2) so it's probably time to remove them from this script.
I will do some additional testing and remove them soon. :)
Removing CBC ciphers breaks Windows Update on Windows Server 2012 R2 servers. With that, I'm going to close this issue and leave the script as-is. However, if someone wants to investigate this further and suggest a fix for Windows Update with CBC ciphers disabled, I will gladly reopen this request and make the necessary changes.
My suggestion for administrators performing security hardening on Windows Server 2012 R2 is to migrate to a later version of Windows Server. If you must use Windows Server 2012 R2, consider installing an ECDSA TLS certificate instead of an RSA certificate.
Thanks!
Cipher Block Chaining (CBC) was hacked back in 2013 and is now considered weak encryption.
For Windows this only leaves a few cipher suites using GCM. On Windows Server 2012, none of the ECDSA ciphers are usable with standard Microsoft applications, so you have to enable two RSA ciphers without perfect forward secrecy to still be able to remotely access the server with RDP.
For Windows 2016 and higher, there are only 4 secure ciphers left.
Windows Server 2022 should start to support TLS 1.3, but it's not enabled by default.
from https://ciphersuite.info
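As an added illustration of the trade-off discussed in this thread (not code from the hardening script or from anyone in this issue), the following PowerShell audit lists the cipher suites a host currently has enabled and classifies each as AEAD (GCM/CCM/ChaCha20), CBC, or otherwise weak, and whether its key exchange gives forward secrecy. It assumes Windows Server 2016 or later, where the `Get-TlsCipherSuite` cmdlet exists; on Windows Server 2012 R2 the enabled list would instead have to be read from the SSL cipher-suite order policy in the registry.

```powershell
# Added audit example; assumes Windows Server 2016+ (Get-TlsCipherSuite from the TLS module).
# Classification is done on the IANA-style suite name so the rules are explicit and reviewable.
function Get-CipherSuiteRiskReport {
    Get-TlsCipherSuite | ForEach-Object {
        $name    = $_.Name
        $isTls13 = $name -match '^TLS_(AES|CHACHA20)_'          # TLS 1.3 names carry no key-exchange prefix
        $isAead  = $name -match '_GCM_|_CCM|CHACHA20_POLY1305'
        $isCbc   = $name -match '_CBC_'
        $hasPfs  = $isTls13 -or ($name -match '^TLS_(ECDHE|DHE)_')
        $isWeak  = $name -match '_NULL_|_RC4_|_3DES_|_DES_|_EXPORT'

        $verdict = if ($isWeak)                   { 'weak: remove' }
                   elseif ($isAead -and $hasPfs)  { 'AEAD with PFS: keep' }
                   elseif ($isAead)               { 'AEAD without PFS: keep only if legacy clients need it' }
                   elseif ($isCbc)                { 'CBC: candidate for removal, test RDP and Windows Update first' }
                   else                           { 'review' }

        [pscustomobject]@{
            Name      = $name
            Protocols = ($_.Protocols -join ',')
            AEAD      = $isAead
            CBC       = $isCbc
            PFS       = $hasPfs
            Verdict   = $verdict
        }
    }
}

# Full report, grouped so the suites that would survive a CBC removal are easy to count.
$report = Get-CipherSuiteRiskReport
$report | Sort-Object Verdict, Name | Format-Table -AutoSize

# What the host would be left with if every CBC suite were removed.
"{0} suites enabled now, {1} would remain without CBC suites" -f $report.Count, ($report | Where-Object { -not $_.CBC }).Count
```

Run the report before and after applying a cipher-suite change so the drop in available suites, and any loss of RSA-only suites that RDP or Windows Update still depend on, is visible before clients start failing.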