RC4 (Rivest Cipher 4) has been flagged as vulnerable to multiple cryptographic attacks, prompting Microsoft to deprecate it in modern Windows versions. While KB2868725 provides official guidance, many administrators find the registry keys missing by default.
When the RC4 cipher keys aren't present in the SCHANNEL registry path, you'll need to create them manually:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
For domain environments, consider using Group Policy instead:
1. Open Group Policy Management Console
2. Navigate to: Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings
3. Enable "SSL Cipher Suite Order" policy
4. Remove all RC4_* ciphers from the list
5. Apply to relevant OUs
After implementation, verify using these PowerShell commands:
# Check active cipher suites
Get-TlsCipherSuite | Format-Table Name
# Test specific RC4 availability: lists any RC4 suite still in the cipher suite order (empty output means none are offered)
Get-TlsCipherSuite | Where-Object { $_.Name -like '*RC4*' }
If the update isn't showing in Windows Update history, try these steps:
# Manual installation from Microsoft Catalog:
1. Download from https://www.catalog.update.microsoft.com
2. Search for KB2868725
3. Select appropriate architecture version
4. Install via dism:
dism /online /add-package /packagepath:C:\path\to\update.msu
For web servers, additional IIS modifications may be required:
# In applicationHost.config:
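The Group Policy procedure above (steps 1 to 5) edits the "SSL Cipher Suite Order" setting by hand. As an added example that is not part of this answer, the script below does the same job from PowerShell: it reads the machine's current suite order, drops every RC4 suite, and writes the result to the local policy value that the GPO setting manages. The two registry paths are the documented backing store of that policy; the function names are my own. It assumes an elevated session, and the new order only applies after a reboot.

```powershell
# Added example (not from the answer above). Builds an RC4-free "SSL Cipher Suite Order" list from
# the machine's current list and writes it to the local policy key, the same registry value the
# GPO setting in steps 1-5 manages. Function names are mine. Run elevated; reboot to take effect.

$DefaultKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Configuration\Local\SSL\00010002'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-CurrentSuiteOrder {
    # An existing policy value is a comma-separated REG_SZ; the OS default list is a REG_MULTI_SZ.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy) {
        return [string[]]($policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return [string[]](Get-ItemProperty -Path $DefaultKey -Name Functions).Functions
}

function Remove-Rc4Suites {
    param([string[]]$Suites)
    # Drop every suite whose name contains RC4 (e.g. TLS_RSA_WITH_RC4_128_SHA); keep the rest in order.
    return [string[]]($Suites | Where-Object { $_ -notmatch 'RC4' })
}

$current = Get-CurrentSuiteOrder
$cleaned = Remove-Rc4Suites -Suites $current
$removed = @($current | Where-Object { $_ -match 'RC4' })

if ($removed.Count -eq 0) {
    "No RC4 suites in the current order; nothing to change."
} else {
    "Removing {0} RC4 suite(s): {1}" -f $removed.Count, ($removed -join ', ')

    # The policy editor caps this value at 1023 characters; check before writing so the list is not truncated.
    $value = $cleaned -join ','
    if ($value.Length -gt 1023) {
        throw "Cipher suite list is $($value.Length) characters; trim it to 1023 or fewer before applying."
    }

    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value $value -Type String
    "Wrote {0} suites to {1}; reboot for Schannel to pick up the new order." -f $cleaned.Count, $PolicyKey
}
```

Writing the local policy key is equivalent to setting the policy on a standalone machine; on a domain member a GPO that defines the same setting will overwrite it at the next policy refresh, so in a domain the filtered list should go into the GPO (step 5) rather than this key.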
When attempting to disable RC4 in Windows Server 2012, you'll notice the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC*
doesn't exist by default. This is because these keys need to be created manually when hardening SSL/TLS configurations.
To properly disable RC4, you'll need to create the following registry structure:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
You can either create these manually using regedit or save the above as a .reg file and import it.
The security update KB2868725 might not appear in Windows Update history because:
- It might have been superseded by later cumulative updates
- It could be part of a rollup package
- Your server might already have the necessary Schannel changes
To verify if the protections are in place, check your system's cipher suites with:
Get-TlsCipherSuite | Format-Table Name
For more comprehensive security:
# Using PowerShell to disable RC4 across all protocols
# The PowerShell registry provider treats the "/" in these key names as a path separator, so create them through the .NET API
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
foreach ($name in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    $key = $ciphers.CreateSubKey($name); $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord); $key.Close()
}
$ciphers.Close()
After making changes, test your server's configuration with:
Test-NetConnection -ComputerName localhost -Port 443 | fl
And verify using external tools like Nmap or SSL Labs' SSL Test.
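A local check that covers both the verification commands in the first answer and the test at the end of this one, as an added example that is not part of either answer: it reads the four Schannel RC4 cipher keys through the .NET registry API (the PowerShell provider misreads the "/" in "RC4 128/128" as a path separator) and then performs a real TLS handshake against the local listener and reports the negotiated cipher. It deliberately avoids Get-TlsCipherSuite, which ships only with Windows Server 2012 R2 and later, and whose suite list is not changed by the Ciphers\RC4* keys anyway. The target host and port and the function names are my assumptions.

```powershell
# Added example (not from either answer): audit the Schannel RC4 registry state on this machine and
# confirm what an actual TLS handshake to the local listener negotiates. The .NET registry API is
# used because the PowerShell registry provider reads "/" in "RC4 128/128" as a path separator.
# Function names and the target host/port are mine; set $Target and $Port for your server.

$Target = 'localhost'   # assumed local TLS listener
$Port   = 443

function Get-Rc4CipherState {
    $base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    foreach ($name in 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
        $sub     = if ($base) { $base.OpenSubKey($name) } else { $null }
        $enabled = if ($sub)  { $sub.GetValue('Enabled', $null) } else { $null }
        # A missing key or value means the OS default applies, i.e. RC4 is still permitted on Server 2012
        [pscustomobject]@{
            Cipher   = $name
            KeyFound = [bool]$sub
            Enabled  = $enabled
            Disabled = ($enabled -eq 0)
        }
        if ($sub) { $sub.Close() }
    }
    if ($base) { $base.Close() }
}

function Test-NegotiatedCipher {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    # Certificate validation is skipped because only the negotiated algorithm matters for this check
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($ComputerName)
        [pscustomobject]@{
            Protocol        = $ssl.SslProtocol
            CipherAlgorithm = $ssl.CipherAlgorithm   # "Rc4" here means the server still accepted RC4
            CipherStrength  = $ssl.CipherStrength
            HashAlgorithm   = $ssl.HashAlgorithm
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

Get-Rc4CipherState | Format-Table -AutoSize
Test-NegotiatedCipher -ComputerName $Target -Port $Port | Format-List
```

Read the two outputs together: the table shows whether each RC4 key is present with Enabled set to 0, and the handshake shows what this client and server settled on. A non-RC4 result from the handshake only proves the preferred suite was not RC4, not that RC4 would be refused if it were the only option offered; that last question is exactly what the external scanners the answer mentions (Nmap, SSL Labs) answer, so keep them in the verification step.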