Deactivating RC4 on IIS
RC4 is a stream cipher used for bulk encryption. It is now considered practically vulnerable and has been officially deprecated by the Internet Engineering Task Force.
1. Open registry editor:
   Win + R >> regedit
2. Navigate to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers
3. Right-click on Ciphers >> New >> Key
   ![Hardening_14.jpg](https://Namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Hardening_14.jpg)
   Name the key 'RC4 40/128'
4. Right-click on RC4 40/128 >> New >> DWORD (32-bit) Value
   ![Hardening_15.jpg](https://Namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Hardening_15.jpg)
   Name the value 'Enabled'
5. Double-click the created Enabled value and make sure that there is zero (0) in the Value Data: field >> click OK
   ![Hardening_16.jpg](https://Namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Hardening_16.jpg)
6. Create two more keys with the names 'RC4 56/128' and 'RC4 128/128' in the Ciphers directory. Repeat steps 4 and 5 for each of them.
7. After step 6 is completed, you should have three keys for RC4 in total in Ciphers. Each RC4 key should have the DWORD value named 'Enabled' with zero (0) value data.
   ![Hardening_17.jpg](https://Namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Hardening_17.jpg)
8. You may need to restart Windows Server to apply the changes.