If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
|
Thread Tools | Rate Thread | Display Modes |
#1
|
|||
|
|||
How do I disable 3DES?
How do I disable 3DES on w7-pro?
|
Ads |
#2
|
|||
|
|||
How do I disable 3DES?
On Mon, 30 Jan 2017 22:29:57 -0800, T wrote:
How do I disable 3DES on w7-pro? It'd depend on the application that use that encryption algorithm. If you meant the algorithm itself, then no. You can't. It's non configurable. Unless you're familiar with software hacking. |
#3
|
|||
|
|||
How do I disable 3DES?
On Mon, 30 Jan 2017 22:29:57 -0800
T wrote: How do I disable 3DES on w7-pro? 223 at your local range |
#4
|
|||
|
|||
How do I disable 3DES?
On 01/31/2017 02:55 AM, JJ wrote:
On Mon, 30 Jan 2017 22:29:57 -0800, T wrote: How do I disable 3DES on w7-pro? It'd depend on the application that use that encryption algorithm. If you meant the algorithm itself, then no. You can't. It's non configurable. Unless you're familiar with software hacking. How do I get rid of it from remote desktop support (RDP)? |
#5
|
|||
|
|||
How do I disable 3DES?
On 01/31/2017 05:00 AM, burfordTjustice wrote:
On Mon, 30 Jan 2017 22:29:57 -0800 T wrote: How do I disable 3DES on w7-pro? 223 at your local range 223. Huh? Pin scratch. This would be far more effective: https://www.youtube.com/watch?v=C1ZCC-fTlbc |
#6
|
|||
|
|||
How do I disable 3DES?
T wrote:
On 01/31/2017 02:55 AM, JJ wrote: On Mon, 30 Jan 2017 22:29:57 -0800, T wrote: How do I disable 3DES on w7-pro? It'd depend on the application that use that encryption algorithm. If you meant the algorithm itself, then no. You can't. It's non configurable. Unless you're familiar with software hacking. How do I get rid of it from remote desktop support (RDP)? You probably saw this in your search results. https://social.technet.microsoft.com...2?forum=winRDc "ascertain whether your system meets the conditions for a SWEET32 attack (more than 768GB sent in a single session) and whether disabling 3DES is worth removing RDP capability. Other utilities exist to manage servers beyond RDP especially in a world where virtualization is highly commonplace." Another thread mentions this. I'd rather be fiddling with the registry setting directly and checking the log, for this specific item. Maybe you can set up a test machine and verify this does something useful ? I don't see how this would fix anything, if the OS settings are conflicted (FIPS setting overriding stuff). https://www.nartac.com/Products/IISCrypto https://www.nartac.com/Blog/post/201...-updated1.aspx Paul |
#7
|
|||
|
|||
How do I disable 3DES?
On 01/31/2017 11:28 PM, Paul wrote:
T wrote: On 01/31/2017 02:55 AM, JJ wrote: On Mon, 30 Jan 2017 22:29:57 -0800, T wrote: How do I disable 3DES on w7-pro? It'd depend on the application that use that encryption algorithm. If you meant the algorithm itself, then no. You can't. It's non configurable. Unless you're familiar with software hacking. How do I get rid of it from remote desktop support (RDP)? You probably saw this in your search results. I did. https://social.technet.microsoft.com...2?forum=winRDc "ascertain whether your system meets the conditions for a SWEET32 attack (more than 768GB sent in a single session) and whether disabling 3DES is worth removing RDP capability. Other utilities exist to manage servers beyond RDP especially in a world where virtualization is highly commonplace." I did find that. Wasn't too impressed. It was also on a server, not a workstation. Another thread mentions this. I'd rather be fiddling with the registry setting directly and checking the log, for this specific item. Maybe you can set up a test machine and verify this does something useful ? I don't see how this would fix anything, if the OS settings are conflicted (FIPS setting overriding stuff). https://www.nartac.com/Products/IISCrypto https://www.nartac.com/Blog/post/201...-updated1.aspx nartac doesn't run on W7. It is a server only product. "Specifically", I am trying to kill this error report: nmap -p aaaa -Pn --script +ssl-enum-ciphers www.xxx.yyy.zzz --script ssl-cert | warnings: | 64-bit block cipher 3DES vulnerable to SWEET32 attack I did find some registry keys to try, but haven't had a chance to get back to it This is one of those idiot security issues M$ ddddddrags their feet on fixing. Ran the above on a Fedora Core 25 xRDP server and it passed with flying colors. Worst case, I have to set up tunnels. Customer won't be pleased with the extra hassle. Thank you for the help! -T |
#8
|
|||
|
|||
How do I disable 3DES?
On 01/30/2017 10:29 PM, T wrote:
How do I disable 3DES on w7-pro? But, but, but, but, this fix also ruins your ability to run Remote Desktop (RDP, MSTSC). So POOP! (Not my "exact" word.) Okay, here is how to disable it and rid yourself of the NMap tag for 3DES and SUGAR32 -- gedit.msc (group policy editor) -- Computer Configuration -- Administrative Templates -- Network -- SSL Configuration Settings How to modify this setting: 1. Open a blank notepad document. 2. Copy and paste the list of available suites into it. 3. Arrange the suites in the correct order; remove any suites you don't want to use. 4. Place a comma at the end of every suite name except the last. Make sure there are NO embedded spaces. 5. Remove all the line breaks so that the cipher suite names are on a single, long line. 6. Copy the cipher-suite line to the clipboard, then paste it into the edit box. The maximum length is 1023 characters. |
#9
|
|||
|
|||
How do I disable 3DES?
Why on earth would one want to run allow 'Remote Desktop' to run? It's
a significant security hole and just about the first thing I disable in any new installation of Windows. On Wed, 1 Feb 2017 18:32:16 -0800, T wrote: But, but, but, but, this fix also ruins your ability to run Remote Desktop (RDP, MSTSC). -- ================================================== ====== Please always reply to ng as the email in this post's header does not exist. Or use a contact address at: http://www.macfh.co.uk/JavaJive/JavaJive.html http://www.macfh.co.uk/Macfarlane/Macfarlane.html |
#10
|
|||
|
|||
How do I disable 3DES?
On Wed, 1 Feb 2017 18:32:16 -0800, T wrote: But, but, but, but, this fix also ruins your ability to run Remote Desktop (RDP, MSTSC). On 02/02/2017 04:36 AM, Java Jive wrote: Why on earth would one want to run allow 'Remote Desktop' to run? It's a significant security hole and just about the first thing I disable in any new installation of Windows. It is off by default. It works well. |
#11
|
|||
|
|||
How do I disable 3DES?
On Sat, 4 Feb 2017 14:16:52 -0800, T wrote:
It is off by default. It's been enabled by default in every W7 installation that I've performed. It works well. That may be so, but it's a security hole nonetheless. -- ================================================== ====== Please always reply to ng as the email in this post's header does not exist. Or use a contact address at: http://www.macfh.co.uk/JavaJive/JavaJive.html http://www.macfh.co.uk/Macfarlane/Macfarlane.html |
#12
|
|||
|
|||
How do I disable 3DES?
On 02/04/2017 03:40 PM, Java Jive wrote:
On Sat, 4 Feb 2017 14:16:52 -0800, T wrote: It is off by default. It's been enabled by default in every W7 installation that I've performed. I configure a lot of them. It is turned off. I could be misremembering though It works well. That may be so, but it's a security hole nonetheless. Only because M$ is, in typical fashion, dragging its feet on removing the 3des (sugar32) vulnerability. If I EVER figure it out, I will report back |
#13
|
|||
|
|||
How do I disable 3DES?
On 01/30/2017 10:29 PM, T wrote:
How do I disable 3DES on w7-pro? Oh here is a rub. I an't model this on one of my W7 virtual machines because I don't install the idiot updates to keep it stable and the sugar 32 doesn't show up. And, speaking of rubs, sugar32 doesn't show up on XP And neither does it on xRDP on Fedora 25. So much for keeping your updates updated (FUD). |
#14
|
|||
|
|||
How do I disable 3DES?
T wrote:
On 01/30/2017 10:29 PM, T wrote: How do I disable 3DES on w7-pro? Oh here is a rub. I can't model this on one of my W7 virtual machines because I don't install the idiot updates to keep it stable and the sugar 32 doesn't show up. Why don't you keep your Windows 7 updated ? It would then be modeling an up-to-date machine, and any testing you do, would take advantage of any patches that come out. You should gradually find Win7 easier to patch, as the new patching scheme comes out. It should be reduced to one jumbo patch per month. Paul |
#15
|
|||
|
|||
How do I disable 3DES?
On 02/05/2017 01:19 AM, Paul wrote:
T wrote: On 01/30/2017 10:29 PM, T wrote: How do I disable 3DES on w7-pro? Oh here is a rub. I can't model this on one of my W7 virtual machines because I don't install the idiot updates to keep it stable and the sugar 32 doesn't show up. Why don't you keep your Windows 7 updated ? 1) Extremely limited access to the Internet and high security options all set on my AV 2) sits behind an extremely bad assed firewall which I wrote 3) I haven't got the patience for all the Bull S*** in involved with idiot updates that quite often cause far more damage than they heal. When I start the damned thing, I HAS TO WORK. And, no, do to the liability issues involved, I don't tell my customer's to do the same thing It would then be modeling an up-to-date machine, and any testing you do, would take advantage of any patches that come out. I have access to several other W7 machines that are all updated to pass PCI liability requirements (notice I said "liability" and not "security" requirements). You should gradually find Win7 easier to patch, as the new patching scheme comes out. It should be reduced to one jumbo patch per month. Heard that before. I really do hope M$ improves things this time around! M$ is the only provider I come across with this kind of poor quality control over their updates. I update everything else. My Scientific Linux just updates from 7.2 to 7.3. A pretty nice/major update. I didn't even realize it had happened. It is the difference between M$'s quality control and everyone one else. Paul |
|
Thread Tools | |
Display Modes | Rate This Thread |
|
|