7.14 Ensure TLS Cipher Suite ordering is configured

Information

Cipher suites are a named combination of authentication, encryption, message authentication code, and key exchange algorithms used for the security settings of a network connection using TLS protocol. Clients send a cipher list and a list of ciphers that it supports in order of preference to a server. The server then replies with the cipher suite that it selects from the client cipher suite list.

Cipher suites should be ordered from strongest to weakest in order to ensure that the more secure configuration is used for encryption between the server and client.

Solution

To order the cipher suites correctly, ensure the following key is set to:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
HKLM\System\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002\Functions

See Also

https://workbench.cisecurity.org/files/165

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Windows

Control ID: a517f2a980247cd35664d5e4cc6f684502ff3b1f0aaeea02003f6d9b608ea97a