How do I disable 3DES?

How do I disable 3DES on w7-pro?

On Mon, 30 Jan 2017 22:29:57 -0800, T wrote:
How do I disable 3DES on w7-pro?

It'd depend on the application that use that encryption algorithm.

If you meant the algorithm itself, then no. You can't. It's non
configurable. Unless you're familiar with software hacking.

On Mon, 30 Jan 2017 22:29:57 -0800
T wrote:

How do I disable 3DES on w7-pro?

223 at your local range

On 01/31/2017 02:55 AM, JJ wrote:
On Mon, 30 Jan 2017 22:29:57 -0800, T wrote:
How do I disable 3DES on w7-pro?

It'd depend on the application that use that encryption algorithm.

If you meant the algorithm itself, then no. You can't. It's non
configurable. Unless you're familiar with software hacking.


How do I get rid of it from remote desktop support (RDP)?

On 01/31/2017 05:00 AM, burfordTjustice wrote:
On Mon, 30 Jan 2017 22:29:57 -0800
T wrote:

How do I disable 3DES on w7-pro?

223 at your local range



223. Huh? Pin scratch.

This would be far more effective:
https://www.youtube.com/watch?v=C1ZCC-fTlbc

T wrote:
On 01/31/2017 02:55 AM, JJ wrote:
On Mon, 30 Jan 2017 22:29:57 -0800, T wrote:
How do I disable 3DES on w7-pro?

It'd depend on the application that use that encryption algorithm.

If you meant the algorithm itself, then no. You can't. It's non
configurable. Unless you're familiar with software hacking.


How do I get rid of it from remote desktop support (RDP)?

You probably saw this in your search results.

https://social.technet.microsoft.com...2?forum=winRDc

"ascertain whether your system meets the conditions for
a SWEET32 attack (more than 768GB sent in a single session)
and whether disabling 3DES is worth removing RDP capability.
Other utilities exist to manage servers beyond RDP especially
in a world where virtualization is highly commonplace."

Another thread mentions this.
I'd rather be fiddling with the registry setting directly
and checking the log, for this specific item. Maybe you
can set up a test machine and verify this does something
useful ? I don't see how this would fix anything, if the
OS settings are conflicted (FIPS setting overriding stuff).

https://www.nartac.com/Products/IISCrypto

https://www.nartac.com/Blog/post/201...-updated1.aspx

Paul

On 01/31/2017 11:28 PM, Paul wrote:
T wrote:
On 01/31/2017 02:55 AM, JJ wrote:
On Mon, 30 Jan 2017 22:29:57 -0800, T wrote:
How do I disable 3DES on w7-pro?

It'd depend on the application that use that encryption algorithm.

If you meant the algorithm itself, then no. You can't. It's non
configurable. Unless you're familiar with software hacking.


How do I get rid of it from remote desktop support (RDP)?

You probably saw this in your search results.

I did.

https://social.technet.microsoft.com...2?forum=winRDc


"ascertain whether your system meets the conditions for
a SWEET32 attack (more than 768GB sent in a single session)
and whether disabling 3DES is worth removing RDP capability.
Other utilities exist to manage servers beyond RDP especially
in a world where virtualization is highly commonplace."

I did find that. Wasn't too impressed. It was also on
a server, not a workstation.


Another thread mentions this.
I'd rather be fiddling with the registry setting directly
and checking the log, for this specific item. Maybe you
can set up a test machine and verify this does something
useful ? I don't see how this would fix anything, if the
OS settings are conflicted (FIPS setting overriding stuff).

https://www.nartac.com/Products/IISCrypto

https://www.nartac.com/Blog/post/201...-updated1.aspx

nartac doesn't run on W7. It is a server only product.

"Specifically", I am trying to kill this error report:

nmap -p aaaa -Pn --script +ssl-enum-ciphers www.xxx.yyy.zzz --script
ssl-cert

| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack


I did find some registry keys to try, but haven't had a chance
to get back to it

This is one of those idiot security issues M$ ddddddrags their
feet on fixing.

Ran the above on a Fedora Core 25 xRDP server and it passed
with flying colors.

Worst case, I have to set up tunnels. Customer won't be pleased
with the extra hassle.

Thank you for the help!
-T

On 01/30/2017 10:29 PM, T wrote:
How do I disable 3DES on w7-pro?


But, but, but, but, this fix also ruins your ability to run
Remote Desktop (RDP, MSTSC). So POOP! (Not my "exact" word.)

Okay, here is how to disable it and rid yourself of the
NMap tag for 3DES and SUGAR32


-- gedit.msc (group policy editor)
-- Computer Configuration
-- Administrative Templates
-- Network
-- SSL Configuration Settings

How to modify this setting:

1. Open a blank notepad document.

2. Copy and paste the list of available suites into it.

3. Arrange the suites in the correct order; remove any suites you don't
want to use.

4. Place a comma at the end of every suite name except the last. Make
sure there are NO embedded spaces.

5. Remove all the line breaks so that the cipher suite names are on a
single, long line.

6. Copy the cipher-suite line to the clipboard, then paste it into the
edit box. The maximum length is 1023 characters.

Why on earth would one want to run allow 'Remote Desktop' to run? It's
a significant security hole and just about the first thing I disable
in any new installation of Windows.

On Wed, 1 Feb 2017 18:32:16 -0800, T wrote:

But, but, but, but, this fix also ruins your ability to run
Remote Desktop (RDP, MSTSC).
--
================================================== ======
Please always reply to ng as the email in this post's
header does not exist. Or use a contact address at:
http://www.macfh.co.uk/JavaJive/JavaJive.html
http://www.macfh.co.uk/Macfarlane/Macfarlane.html

On Wed, 1 Feb 2017 18:32:16 -0800, T wrote:

But, but, but, but, this fix also ruins your ability to run
Remote Desktop (RDP, MSTSC).

On 02/02/2017 04:36 AM, Java Jive wrote:
Why on earth would one want to run allow 'Remote Desktop' to run? It's
a significant security hole and just about the first thing I disable
in any new installation of Windows.


It is off by default.

It works well.

On Sat, 4 Feb 2017 14:16:52 -0800, T wrote:

It is off by default.

It's been enabled by default in every W7 installation that I've
performed.

It works well.

That may be so, but it's a security hole nonetheless.
--
================================================== ======
Please always reply to ng as the email in this post's
header does not exist. Or use a contact address at:
http://www.macfh.co.uk/JavaJive/JavaJive.html
http://www.macfh.co.uk/Macfarlane/Macfarlane.html

On 02/04/2017 03:40 PM, Java Jive wrote:
On Sat, 4 Feb 2017 14:16:52 -0800, T wrote:

It is off by default.

It's been enabled by default in every W7 installation that I've
performed.

I configure a lot of them. It is turned off. I could
be misremembering though


It works well.

That may be so, but it's a security hole nonetheless.

Only because M$ is, in typical fashion, dragging its
feet on removing the 3des (sugar32) vulnerability.
If I EVER figure it out, I will report back

On 01/30/2017 10:29 PM, T wrote:
How do I disable 3DES on w7-pro?

Oh here is a rub. I an't model this on one of my W7 virtual
machines because I don't install the idiot updates to keep it
stable and the sugar 32 doesn't show up.

And, speaking of rubs, sugar32 doesn't show up on XP

And neither does it on xRDP on Fedora 25.

So much for keeping your updates updated (FUD).

T wrote:
On 01/30/2017 10:29 PM, T wrote:
How do I disable 3DES on w7-pro?

Oh here is a rub. I can't model this on one of my W7 virtual
machines because I don't install the idiot updates to keep it
stable and the sugar 32 doesn't show up.

Why don't you keep your Windows 7 updated ?

It would then be modeling an up-to-date machine,
and any testing you do, would take advantage of
any patches that come out.

You should gradually find Win7 easier to patch, as
the new patching scheme comes out. It should be reduced
to one jumbo patch per month.

Paul

On 02/05/2017 01:19 AM, Paul wrote:
T wrote:
On 01/30/2017 10:29 PM, T wrote:
How do I disable 3DES on w7-pro?

Oh here is a rub. I can't model this on one of my W7 virtual
machines because I don't install the idiot updates to keep it
stable and the sugar 32 doesn't show up.

Why don't you keep your Windows 7 updated ?

1) Extremely limited access to the Internet and high
security options all set on my AV

2) sits behind an extremely bad assed firewall which I wrote

3) I haven't got the patience for all the Bull S*** in
involved with idiot updates that quite often cause
far more damage than they heal. When I start
the damned thing, I HAS TO WORK.

And, no, do to the liability issues involved, I don't tell
my customer's to do the same thing


It would then be modeling an up-to-date machine,
and any testing you do, would take advantage of
any patches that come out.

I have access to several other W7 machines that are
all updated to pass PCI liability requirements
(notice I said "liability" and not "security"
requirements).

You should gradually find Win7 easier to patch, as
the new patching scheme comes out. It should be reduced
to one jumbo patch per month.

Heard that before. I really do hope M$ improves things
this time around! M$ is the only provider I come across with
this kind of poor quality control over their updates.

I update everything else. My Scientific Linux just
updates from 7.2 to 7.3. A pretty nice/major update.
I didn't even realize it had happened. It is the
difference between M$'s quality control and everyone
one else.


Paul