How to disable RC4 in Windows 2012?

RC4 is not disabled by default in Server 2012 R2. It only has "the functionality to restrict the use of RC4" build in. You will have to set the required registry keys by your own:

The RC4 cipher can be completely disabled on Windows platforms by setting the "Enabled" (REG_DWORD) entry to value 00000000 in the following registry locations: • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128

https://social.technet.microsoft.com/Forums/en-US/faad7dd2-19d5-4ba0-bd3a-fc724d234d7b/how-to-diable-rc4-is-windows-2012-r2?forum=winservergen


As you're using Windows Server 2012 R2 RC4 is disabled by default.

Citation:

Does this update apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1?
No. This update does not apply to Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 because these operating systems already include the functionality to restrict the use of RC4.

Technet Article.


For anyone who wants to do this using powershell, it is a bit trickier than other registry keys because of the forward slash in the key names. I used the following fragment to get it to work:

$schannel = Get-Item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
$ciphers = $schannel.OpenSubKey('Ciphers', $true)
$key = $ciphers.CreateSubKey('RC4 40/128')
$key.SetValue('Enabled', 0x0)
$key = $ciphers.CreateSubKey('RC4 56/128')
$key.SetValue('Enabled', 0x0)
$key = $ciphers.CreateSubKey('RC4 128/128')
$key.SetValue('Enabled', 0x0)

One item to take note of, you have to open $ciphers as a subkey with the second parameter set to true so that you can actually write to it. Get-Item seems to give back a read only copy and CreateSubKey will fail unless you have a writable key object. There is more discussion about path elements in a subkey here.