Follow the below steps to mitigate the CVE-2016-2183 affected DES and Triple DES ciphers in Windows OS:

Created by Rudresha Shivamallappa, Modified on Mon, 9 Dec at 5:42 PM by Ratheesh E K

Mitigating the CVE-2016-2183 vulnerability related to 3DES/DES DES and Triple DES ciphers, which are used in the TLS, SSH, IPSec protocols, and other protocols in different products is of utmost importance, particularly in the context of the Sweet32 attack. Sweet32 is a critical security threat that exploits weaknesses in cryptographic ciphers. The solution detailed below is essential for protecting against this specific attack and its potential consequences.

In the below-mentioned cases, our approach involves the use of PowerShell cmdlets and Group Policy Object (GPO) configurations to deactivate ciphers within the operating system, but as per Microsoft's documentation, the PowerShell cmdlet relies on Cryptography Next Generation (CNG) Cryptographic Configuration. It's essential to understand that the settings in the Schannel registry and configurations established by specific applications through the Security Support Provider Interface (SSPI) can potentially override the CNG Cryptographic Configuration. Furthermore, the settings located in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" section determine the available cipher suites and, as a result, can influence the utilization of particular cipher suites.

Therefore, it's important to highlight that Schannel settings take precedence over GPO Cipher Suite configurations and the registry settings located at 'SYSTEM\ControlSet001\Control\Cryptography\Configuration\Local\SSL\00010002'. Regardless of whether a cipher suite has been configured through GPO, Schannel provides a direct means of deactivating ciphers, guaranteeing the enforcement of intended restrictions on cipher suites. The following steps can be followed to disable ciphers directly, without relying on PowerShell cmdlets or GPO settings.

Reference links:
https://learn.microsoft.com/en-us/powershell/module/tls/enable-tlsciphersuite?view=windowsserver2022-ps
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

Case 1: If GPO is not configured for TLS Cipher Suite Order

Disabling TLS Cipher using PowerShell cmdlet
Reference link: https://learn.microsoft.com/en-us/powershell/module/tls/disable-tlsciphersuite?view=windowsserver2022-ps

The "Disable-TlsCipherSuite" cmdlet allows you to deactivate a specific cipher suite. By using this cmdlet, you can eliminate the cipher suite from a set of cipher suites associated with the Transport Layer Security (TLS) protocol in your computer.

Here's an example on how to disable a 3DES cipher suite:

Disable-TlsCipherSuite -Name TLS_RSA_WITH_3DES_EDE_CBC_SHA

Before disabling the 3DES TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher:

After disabling the 3DES TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher:

Case 2: If GPO is configured for TLS Cipher Suite Order

Reference link: https://learn.microsoft.com/en-us/windows-server/security/tls/manage-tls

If a Group Policy Object (GPO) is configured to enforce the use of 3DES or DES ciphers, you can remove these ciphers from the cipher suite by following the steps below.

IMPORTANT NOTE: Modifying Group Policy settings requires administrative privileges and can have significant security implications. Ensure that you understand the implications and have appropriate backups or rollback plans before making changes.

Disabling 3DES/DES TLS Cipher by using Group Policy

1. From the Group Policy Management Console, go to Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

2. If you have not enabled it previously then double-click SSL Cipher Suite Order, and then click the Enabled option.

3. Right-click the SSL Cipher Suites box and select Select All from the pop-up menu.

4. Right-click the selected text and select copy from the pop-up menu.

5. Paste the text into a text editor such as notepad.exe and remove the 3DES/DES cipher from the comma-separated list.

6. Replace the list in the SSL Cipher Suites with the updated list.

7. Click OK or Apply.

To verify the removal of the cipher, use the below PowerShell command and ensure that it shouldn’t list any 3DES/DES cipher after running the command.
Get-TLSCipherSuite -Name DES

Before disabling the 3DES cipher:

After disabling the 3DES cipher:

Restrict the use of 3DES/DES cryptographic algorithms in Schannel.dll

The cipher’s registry key, which is under the SCHANNEL key, is used to control the use of symmetric algorithms in Windows OS.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\(VALUE)\(VALUE/VALUE)

Information on SCHANNEL Registry keys related to DES and 3DES Ciphers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168:

This registry key is associated with 168-bit Triple DES, following the specifications of ANSI X9.52 and Draft FIPS 46-3. It's worth noting that this key is not applicable to the export version.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\ DES 56/56:

This registry key is associated with 56-bit DES, adhering to the specifications of FIPS 46-2. The implementation of this key in the Rsabase.dll and Rsaenh.dll files is validated under the FIPS 140-1 Cryptographic Module Validation Program.

Disable 3DES Cipher in SCHANNEL: To disable this cipher algorithm, change the DWORD value data of the Enabled value in the below registry key to 0x0, if you do not configure the Enabled value, the default is enabled.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168

Disabling this algorithm effectively disallows the following values:

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

• TLS_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

Disable DES Cipher in SCHANNEL: To disable this cipher algorithm, change the DWORD value data of the Enabled value in the below registry key to 0x0, if you do not configure the Enabled value, the default is enabled.