Follow the steps below to mitigate CVE-2016-2183, which affects the DES and Triple DES ciphers, on Windows:

    Case 1: If a GPO is not configured for TLS Cipher Suite Order

    Reference link: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

    Create the cipher subkeys under the SCHANNEL Ciphers key in the following format to disable the 3DES and DES ciphers. The Ciphers registry key, which sits under the SCHANNEL key, controls the use of symmetric algorithms in Windows.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\(VALUE)\(VALUE/VALUE)

    Regarding the specific registry keys:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168:

        This registry key is associated with 168-bit Triple DES, following the specifications of ANSI X9.52 and Draft FIPS 46-3. This key does not apply to the export version.

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56:

        This registry key is associated with 56-bit DES, adhering to the specifications of FIPS 46-2. The implementation of this key in the Rsabase.dll and Rsaenh.dll files is validated under the FIPS 140-1 Cryptographic Module Validation Program.

    Disable the 3DES cipher: To disable this algorithm, set the DWORD value data of the Enabled value in the registry key below to 0x0. If the Enabled value is not configured, the cipher is enabled by default.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168

    Disabling this algorithm effectively disallows the following values:

    • SSL_RSA_WITH_3DES_EDE_CBC_SHA

    • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

    • TLS_RSA_WITH_3DES_EDE_CBC_SHA

    • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

    Disable the DES cipher: To disable this algorithm, set the DWORD value data of the Enabled value in the registry key below to 0x0. If the Enabled value is not configured, the cipher is enabled by default.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56

    Disabling this algorithm effectively disallows the following values:

    • SSL_RSA_WITH_DES_CBC_SHA

    • TLS_RSA_WITH_DES_CBC_SHA

    Case 2: If a GPO is configured for TLS Cipher Suite Order

    Reference link: https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

    If a Group Policy Object (GPO) is configured, there is no need to set the Schannel registry values manually: the GPO setting takes precedence over the registry settings and automatically overwrites any conflicting registry configuration.

    Removing 3DES/DES from the TLS Cipher Suite Order by using Group Policy

    1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

    2. If you have not enabled it previously, double-click SSL Cipher Suite Order, and then click the Enabled option.

    3. Right-click the SSL Cipher Suites box and select Select All from the pop-up menu.

    4. Right-click the selected text and select Copy from the pop-up menu.

    5. Paste the text into a text editor such as notepad.exe and remove every 3DES/DES cipher suite from the comma-separated list.

    6. Replace the list in the SSL Cipher Suites with the updated list.

    7. Click OK or Apply.

    To verify that the cipher suites were removed, run the PowerShell command below and confirm that it does not list any 3DES/DES cipher suite (the -Name parameter matches partial names, so DES also matches the 3DES suites):
    Get-TlsCipherSuite -Name DES

    Before disabling the 3DES cipher: [screenshot]

    After disabling the 3DES cipher: [screenshot]
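    As an added example (not code from the original article or from Microsoft), the following PowerShell script applies Case 1 through the .NET registry API and automates step 5 of Case 2. The function names and the sample cipher suite list are assumptions of mine; the registry path and cipher key names are the ones given above.

```powershell
# Added example, not from the original article. Function names and the
# sample suite list are mine. Run in an elevated PowerShell session; Schannel
# reads the Ciphers keys at startup, so reboot after making the change.

# --- Case 1: registry ------------------------------------------------------
# The "DES 56/56" subkey name contains "/", which the PowerShell Registry
# provider (New-Item, Set-ItemProperty) treats as a path separator. The .NET
# RegistryKey API takes the name literally, so use it for both subkeys.
$CiphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$CipherName)   # e.g. 'Triple DES 168'
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($CiphersPath)
    try {
        $key = $ciphers.CreateSubKey($CipherName)      # created if absent, opened writable
        try {
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            return [int]$key.GetValue('Enabled')       # read back: 0 means disabled
        } finally { $key.Close() }
    } finally { $ciphers.Close() }
}

foreach ($name in 'Triple DES 168', 'DES 56/56') {
    $enabled = Disable-SchannelCipher -CipherName $name
    '{0,-15} Enabled = 0x{1:X}' -f $name, $enabled
}

# --- Case 2: GPO list -------------------------------------------------------
# Step 5 of the Group Policy procedure: drop every 3DES/DES suite from the
# comma-separated list copied out of the "SSL Cipher Suites" box.
function Remove-DesCipherSuites {
    param([Parameter(Mandatory)][string]$SuiteList)
    $suites  = $SuiteList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $removed = @($suites | Where-Object { $_ -match '_(3DES|DES)_' })
    $kept    = @($suites | Where-Object { $_ -notmatch '_(3DES|DES)_' })
    Write-Host ('Removed: ' + ($removed -join ', '))
    return ($kept -join ',')                            # paste this back into the box
}

# Constructed sample list (a real one is much longer); the two DES suites are dropped.
$sample = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,' +
          'TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_DES_CBC_SHA'
Remove-DesCipherSuites -SuiteList $sample
```

    The returned string from Remove-DesCipherSuites is the exact comma-separated value to paste into the SSL Cipher Suites box in step 6.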
