

SSL Cipher Suite Policies Windows Server 2016

Question

Monday, September 5, 2016 7:59 AM

Hello everyone,

I'm currently preparing our "hardening" concept for Windows Server 2016 and have some questions about SSL Cipher Suite Order:

There are three different Registry Keys where you can set a Cipher Suite Order.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions]
[HKLM\Software\Policies\Microsoft\Windows\LanmanServer!CipherSuiteOrder]
[HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!CipherSuiteOrder]

The first key is where the company I work for set it in the past on Windows Server 2012 R2.
They didn't set it in any of the LanmanServer or LanmanWorkstation keys.

Is it correct that the lanman... keys are only used in connection with SMB and the first key affects all SSL/TLS based technologies on the system?

So that would mean if you set it in the first key you don't have to specify it again in the lanman... keys?

Thanks in advance and best regards,
Ville

All replies (2)

Tuesday, September 6, 2016 8:27 AM ✅ Answered

Hi,

>>So that would mean if you set it in the first key you don't have to specify it again in the lanman... keys?

It is the same as setting it in local group policy (Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order). You don't need to set it in lanman... again.

*REF:* Prioritizing Schannel Cipher Suites

https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx

________________________________________
Best Regards,
Cartman
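
A read-only check of the three policy values named in the question, added here as an example and not part of the thread or of Microsoft's documentation. The registry paths and value names come from the question; accepting both comma-separated and multi-string data is an assumption made so the script copes with either storage form, and the function name is hypothetical.

```powershell
# Added example: report which of the three cipher suite policy values are set.
# Read-only; run in an elevated or normal PowerShell session on the server.
$policyValues = @(
    @{ Scope = 'Schannel (SSL Cipher Suite Order policy)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
       Name  = 'Functions' },
    @{ Scope = 'LanmanServer'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'
       Name  = 'CipherSuiteOrder' },
    @{ Scope = 'LanmanWorkstation'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
       Name  = 'CipherSuiteOrder' }
)

# Hypothetical helper: returns the configured suite names in order, or nothing.
function Get-CipherPolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }   # key or value absent: policy not configured
    # Assumption: data is either one comma-separated string or a multi-string.
    @($item.$Name) | ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$report = foreach ($p in $policyValues) {
    $suites = @(Get-CipherPolicyValue -Path $p.Path -Name $p.Name)
    [pscustomobject]@{
        Scope      = $p.Scope
        Configured = $suites.Count -gt 0
        Count      = $suites.Count
        Order      = $suites -join ', '
    }
}
$report | Format-List

# Where the TLS module is present, list Schannel policy entries that
# Get-TlsCipherSuite does not report (for example misspelled suite names).
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    $reported = @(Get-TlsCipherSuite | ForEach-Object { $_.Name })
    $schannel = @(Get-CipherPolicyValue -Path $policyValues[0].Path -Name $policyValues[0].Name)
    $schannel | Where-Object { $reported -notcontains $_ } |
        ForEach-Object { "Not reported by Get-TlsCipherSuite: $_" }
}
```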


Tuesday, September 6, 2016 9:36 AM

Hi Cartman,

thanks for your answer!

cheers,

Ville