Microsoft security advisory: Update for disabling RC4

INTRODUCTION

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:

Resolution

The following files are available for download from the Microsoft Download Center:

For all supported x86-based versions of Windows 7

Download the package now.

For all supported x64-based versions of Windows 7

Download the package now.

For all supported x86-based versions of Windows Embedded Standard 7

Download the package now.

For all supported x64-based versions of Windows Embedded Standard 7

Download the package now.

For all supported x64-based versions of Windows Server 2008 R2

Download the package now.

For all supported IA-64-based versions of Windows Server 2008 R2

Download the package now.

For all supported x86-based versions of Windows 8

Download the package now.

For all supported x64-based versions of Windows 8

Download the package now.

For all supported x64-based versions of Windows Server 2012

Download the package now.

Release Date: November 10, 2013

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

More Information

How to completely disable RC4

Notes
  • You must install this security update (2868725) before you make the following registry change to completely disable RC4.
  • This security update applies to the versions of Windows listed in this article. However, this registry setting can also be used to disable RC4 in newer versions of Windows.


Clients and servers that do not want to use RC4 regardless of the other party’s supported ciphers can disable RC4 cipher suites completely by setting the following registry keys. In this manner, any server or client that is talking to a client or server that must use RC4 can prevent a connection from occurring. Clients that deploy this setting will be unable to connect to sites that require RC4, and servers that deploy this setting will be unable to service clients that must use RC4.
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
245030 How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
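
The registry change above can be scripted and then verified. The following PowerShell is an added example, not Microsoft's code; the function names Disable-Rc4Cipher and Get-Rc4CipherState are hypothetical. It writes the keys through the .NET registry API because the key names contain a forward slash, and it reports any mis-created "RC4 128"-style key left behind by an earlier attempt.

```powershell
# Added example: disable the three RC4 SCHANNEL ciphers and verify the result.
# Run from an elevated PowerShell session after installing update 2868725.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Ciphers  = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128'

function Disable-Rc4Cipher {
    param([string[]]$Names = $rc4Ciphers)
    # Open the parent key through .NET. The PowerShell registry provider
    # treats "/" as a path separator, so New-Item would create "RC4 128"
    # with a child "128" instead of one key named "RC4 128/128".
    $parent = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)
    try {
        foreach ($name in $Names) {
            $key = $parent.CreateSubKey($name)
            try { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
            finally { $key.Close() }
        }
    } finally { $parent.Close() }
}

function Get-Rc4CipherState {
    param([string[]]$Names = $rc4Ciphers)
    $parent = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ciphersPath)  # read-only
    foreach ($name in $Names) {
        $key     = if ($parent) { $parent.OpenSubKey($name) }
        $enabled = if ($key) { $key.GetValue('Enabled', $null) }
        # A key named only "RC4 128" (text before the slash) indicates a mis-created entry.
        $stray   = if ($parent) { $parent.OpenSubKey(($name -split '/')[0]) }
        [pscustomobject]@{
            Cipher   = $name
            Enabled  = $enabled
            Disabled = ($null -ne $enabled -and [int]$enabled -eq 0)
            StrayKey = [bool]$stray
        }
        foreach ($k in $key, $stray) { if ($k) { $k.Close() } }
    }
    if ($parent) { $parent.Close() }
}

Disable-Rc4Cipher
Get-Rc4CipherState | Format-Table -AutoSize
```

A row with Disabled set to False, or StrayKey set to True, means the setting on that machine does not match the keys listed above.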

How other applications can prevent the use of RC4-based cipher suites

RC4 is not turned off by default for all applications. Applications that call in to SChannel directly will continue to use RC4 unless they opt in to the security options. Applications that use SChannel can block RC4 cipher suites for their connections by passing the SCH_USE_STRONG_CRYPTO flag to SChannel in the SCHANNEL_CRED structure. If compatibility must be maintained, applications that use SChannel can also implement a fallback that does not pass this flag.

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.
Windows 7 and Windows Server 2008 R2 file information
Windows 8 and Windows Server 2012 file information
File hash information
Properties

Article ID: 2868725 - Last Review: Nov 10, 2016 - Revision: 1