Deactivating RC4 on IIS
RC4 is a stream cipher used for bulk encryption. It is now considered practically vulnerable and was officially deprecated by the Internet Engineering Task Force.
1. Open the registry editor:
   Win + R >> regedit
2. Navigate to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers
3. Right-click on Ciphers >> New >> Key
   Name the key 'RC4 40/128'
4. Right-click on RC4 40/128 >> New >> DWORD (32-bit) Value
   Name the value 'Enabled'
5. Double-click the created Enabled value and make sure that the Value data field contains zero (0) >> click OK
6. Create two more keys with the names 'RC4 56/128' and 'RC4 128/128' under the Ciphers key. Repeat steps 4 and 5 for each of them.
7. After step 6 is completed, you should have three keys for RC4 in total under Ciphers. Each RC4 key should have a DWORD value named 'Enabled' with zero (0) as its value data.
8. You may need to restart Windows Server to apply the changes.