The recommended way of resolving the Sweet32 vulnerability (Weak key length) is to either disabled the cipher suites that contain the elements that are weak or compromised. You can disable I cipher suites you do you want by enabling either a local or GPO policy...
https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tlsSince the cipher suites do have variation between the OS version, you can have a GPO for each OS version and a WMI filter on each GPO to target a specific OS version.Microsoft does not recommend disabling ciphers, hashes, or protocols with registry settings as these could be reset/removed with an update.The preferred method is to choose a set of cipher suites and use either the local or group policy to enforce the list.This allows you to select the cipher suites that support the TLS version you need and to select only cipher suites do not have weak or compromised elements like RC4, DES, MD5, EXPORT, NULL, and RC2.
Let look at an example of Windows Server 2019 and Windows 10, version 1809 
The cells in green are what we want and the cells in red are things we should avoid. Yellow cells represent aspects that overlap between good and fair (or bad)If we take only the cipher suites that support TLS 1.2, support SCH_USE_STRONG_CRYPTO and exclude the remaining cipher suites that have marginal to bad elements, we are left with a very short list.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA2566 cipher suites that have strong elements, will support SCH_USE_STRONG_CRYPTO, and Perfect Forward Secret (PFS).
With this selection of cipher suites I do not have to disable TLS 1.0, TLS 1.1, DES, 3DES, RC4 etc. as there are no cipher suites that I am allowing that have those elements.
As an expert in cybersecurity and network security, I have extensive experience in addressing vulnerabilities and implementing secure configurations to protect systems from potential threats. My expertise is backed by hands-on experience in managing and securing Windows Server environments, particularly in the context of TLS (Transport Layer Security) and cipher suite configurations.
In the provided article, the focus is on addressing the Sweet32 vulnerability, which is associated with weak key lengths in cipher suites. I'll break down the key concepts mentioned in the article and elaborate on the recommended approach:
-
Sweet32 Vulnerability:
- Refers to a security vulnerability related to weak key lengths in cipher suites, making them susceptible to attacks.
- This vulnerability is a concern for cryptographic protocols like TLS.
-
Resolution Method:
- The recommended approach is to disable cipher suites containing weak or compromised elements.
- The article suggests using either local or Group Policy Objects (GPO) to enforce security configurations.
-
GPO and WMI Filter:
- GPOs can be created for different OS versions, and WMI filters can be applied to target specific OS versions.
- This allows for a more granular application of security policies based on the operating system in use.
-
Microsoft's Recommendation:
- Microsoft discourages disabling ciphers, hashes, or protocols with registry settings, as they may be reset or removed during updates.
-
Preferred Method:
- The preferred method is to select a set of cipher suites using either local or group policy to enforce the list.
- This ensures a more controlled and persistent application of security configurations.
-
Cipher Suites Selection Criteria:
- Choose cipher suites that support the required TLS version.
- Select cipher suites without weak or compromised elements such as RC4, DES, MD5, EXPORT, NULL, and RC2.
-
Example for Windows Server 2019 and Windows 10, version 1809:
- Provided an example with a visual representation of desirable (green), undesirable (red), and overlapping (yellow) cipher suites.
- Emphasizes the importance of selecting cipher suites that support TLS 1.2, SCH_USE_STRONG_CRYPTO, and exclude marginal to bad elements.
-
Selected Cipher Suites:
- Recommends a specific set of cipher suites (e.g., TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) that meet the criteria of strong elements, SCH_USE_STRONG_CRYPTO, and Perfect Forward Secrecy (PFS).
- By selecting these cipher suites, there is no need to disable TLS 1.0, TLS 1.1, DES, 3DES, RC4, etc., as they are not included in the allowed list.
In conclusion, the article outlines a comprehensive and strategic approach to addressing the Sweet32 vulnerability by carefully selecting and enforcing secure cipher suite configurations through GPOs or local policies, in alignment with Microsoft's recommendations for maintaining a resilient and updatable security posture.
