Disable insecure ciphers

Works with Windows 10 and 11

Windows only
Multiple actions
Impact: Minimum
Batch (batchfile)
5 scripts
No subcategories
Administrator rights required
Fully reversible

Overview

This category improves network security by disabling outdated and less secure cipher suites.

Cipher suites are sets of cryptographic algorithms used to secure network connections ¹. They include ciphers, known as bulk encryption algorithms ¹ or simply bulk ciphers ². Ciphers encrypt messages exchanged between clients and servers ¹. Using outdated cipher suites exposes data to risks of interception and tampering during transmission ².

Disabling insecure ciphers meets security standards set by NIST ³, CIS ⁴, IRS ⁵, OWASP ⁶ and Germany's Federal Office for Information Security (BSI) ⁷. This enhances data confidentiality and integrity ⁴. It also protects against threats such as attackers exploiting cryptographic weaknesses, malicious insiders, state actors, and cybercriminals ⁸.

Caution

This may cause compatibility issues with older devices or software.

Safe for General Use

This script has Normal protection level option. This is recommended for all users to improve without any noticeable impact on the system functionality.

Sources

PrivacyLearn.com maintains strict sourcing standards for accuracy, integrity and up-to-date content. Our content relies on authoritative sources including vendor documentation, industry standards, and verified research. Learn more about our verification process and quality standards in our editorial standards page.

Cipher Suites in TLS/SSL (Schannel SSP) - Win32 apps. Microsoft Learn. learn.microsoft.com. (2024).
Original: https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
Archived: https://web.archive.org/web/20240421101955/https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
Recommendations for TLS/SSL Cipher Hardening. Acunetix. www.acunetix.com. (2024).
Original: https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening
Archived: https://web.archive.org/web/20240421102018/https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
Restrict cryptographic algorithms and protocols - Windows Server. Microsoft Learn. learn.microsoft.com. (2024).
Original: https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel
Archived: https://web.archive.org/web/20240420183152/https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/restrict-cryptographic-algorithms-protocols-schannel
CIS Microsoft IIS 8 Benchmark v1.4.0. paper.bobylive.com. (2024).
Original: https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf
Archived: https://web.archive.org/web/20240421101142/https://paper.bobylive.com/Security/CIS/CIS_Microsoft_IIS_8_Benchmark_v1_4_0.pdf
Encryption Requirements of Publication 1075. Internal Revenue Service. www.irs.gov. (2024).
Original: https://www.irs.gov/privacy-disclosure/encryption-requirements-of-publication-1075
Archived: https://web.archive.org/web/20240404112509/https://www.irs.gov/privacy-disclosure/encryption-requirements-of-publication-1075
WSTG - v4.2. OWASP Foundation. owasp.org. (2024).
Original: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
Archived: https://web.archive.org/web/20240421101557/https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption.html
Hilfsmittel zur Umsetzung von Anforderungen des IT Grundschutzes für Windows 10. Bundesamt für Sicherheit in der Informationstechnik. bsi.bund.de. (2024).
Original: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf
Archived: https://web.archive.org/web/20240402183249/https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Hilfsmittel/Hilfsmittel_Anforderungen_des_IT_Grundschutzes_fuer_Windows_10.pdf?__blob=publicationFile&v=2
M10: Insufficient Cryptography. OWASP Foundation. owasp.org. (2024).
Original: https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography
Archived: https://web.archive.org/web/20240421102031/https://owasp.org/www-project-mobile-top-10/2023-risks/m10-insufficient-cryptography

Apply Now

Choose one of two ways to apply:

Download script

Download and run the script directly

No app needed
Offline usage
Easy-to-apply
Free
Open-source

Normal
High

Normal — Everyday Privacy (Enterprise-Grade)

Recommended for all
Safe for daily use
No impact on system stability

Apply protection

Undo protection

Help

How to apply or restore "Disable insecure ciphers" using script

≈ 2 min to complete
Tools: Web Browser
Difficulty: Simple
≈ 6 instructions

1
Choose protection
Choose one of the options with different impact levels:
- Normal
  Some safe changes minimal system impact.
- High
  Some potentially impactful changes with moderate system impact.
2
Download
Download the script file by clicking on the Apply protection button above.
Use Undo protection button above to restore changes.
3
Keep the file
If warned by your browser, keep the file.
4
Open
Open the downloaded file.
5
Exit
Once it's done, press any key to exit the window.
6
Restart
Restart your computer for all changes to take effect.

Apply with privacy.sexy

Guided, automated application with safety checks

Recommended for most users
Includes safety checks
Shows the code
Free
Open-source
Popular
Offline/Online usage

Open privacy.sexy

Help

How to apply or restore "Disable insecure ciphers" using privacy.sexy

≈ 3 min to complete
Tools: privacy.sexy
Difficulty: Simple
≈ 4 instructions

privacy.sexy is free and open-source application that lets securely apply this action easily with more advanced options.

1
Open or download
Open or download the desktop application
2
Choose script
1. Search for the category name: Disable insecure ciphers
2. Check the category by clicking on the checkbox of the category.
Applying Normal to limit the impact.
3
Run
Click on ▶️ Run button at the bottom of the page.
This button only appears on desktop version (recommended). On browser, use 💾 Save button.

Explore This Guide

5 Privacy settings

Choose what to protect based on your needs:

Click any option to learn more about what it does.

Each change can be applied and reversed individually.

Some settings and commands may require technical knowledge to apply correctly.
Most users find the Normal protection above sufficient.

Disable insecure "RC2" ciphers
This script disables RC2 ciphers. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft, NIST (FIPS), CIS, Federal Office for Information Security (BSI), OWASP, and NSA (National Security Agency) classify this algorithm as weak and recommend against its use. By disabling RC2, the script en...

Disable insecure "RC4" ciphers
This script disables the RC4 ciphers. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft, NIST (FIPS), CIS, Federal Office for Information Security (BSI), OWASP, and NSA (National Security Agency) classify this algorithm as weak and recommend against its use. This script disables these ...

Disable insecure "DES" cipher
This script disables the "DES 56/56" cipher, also known as DES 56 or 56-bit DES. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Microsoft, NIST (FIPS), CIS, Federal Office for Information Security (BSI), OWASP, and NSA (National Security Agency) consider this cipher weak and either discou...

Disable insecure "Triple DES" cipher
This script disables the "Triple DES 168" ("Triple DES 168/168" before Windows Vista) cipher, also known as 3DES, The Triple Data Encryption Algorithm (TDEA) and TDES. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. Authorities like Apple, NIST Federal Office for Information Security (BSI), NSA (Nation...

Disable insecure "NULL" cipher
This script disables the "NULL" cipher. This script only affects the SSL/TLS handshake process. The SSL/TLS handshake is a key part of establishing a secure connection over the internet. By disabling this weak algorithm, the script improves the security of the connection. This algorithm provides no encryption, leaving data completely unprotected. Authorities like Microsoft, NIST (FIPS), CIS, and Federal Office for Information Security (BSI), NSA (National Security Agency) classify this algor...

Similar Guides

Wider Goal

Guides below includes this guide to achieve a wider goal.

Disable insecure connections
Improve network security
Security improvements

This category includes scripts designed to enhance users' security and privacy by disabling outdated or vulnerable connections across the system. It safeguards dat...

Visit category page

Same Goal

Other guides in Disable insecure connections

Disable insecure hashes

Disable insecure protocols

Disable insecure renegotiation

Disable insecure connections from .NET apps

About the Creators

These people have authored this documentation and written its scripts:

undergroundwires
- Certified security professional
- 7+ years experience securing banks
- Open-source developer since 2005
- EU advisor, Public Speaker, Moderator
Open-Source Contributors
- Hundreds across the globe
- Testers, reviewers, developers
- Companies, military agencies
- Community since 2017

About Us

Reviewed By

This guide has undergone comprehensive auditing and peer review:

Expert review by undergroundwires
- Verified technical accuracy and editorial standards
- Assessed system impact and user privacy risks
Public review by large community
- Privacy enthusiasts and professionals peer-reviewed
- Millions of end-users tested across different environments

History

We continually monitor our guides, their impact and all other privacy options. We update our guides when new information becomes available. On every update, we publicly store who made the change, what has been changed, why the change was made and when the change was made.

Review Change History Our Change Process

Overview​

Apply Now​

Download script​

Normal — Everyday Privacy (Enterprise-Grade)​

High — Advanced Privacy​

How to apply or restore "Disable insecure ciphers" using script​

Choose protection

Normal

High

Download

Keep the file

Open

Exit

Restart

Apply with privacy.sexy​

How to apply or restore "Disable insecure ciphers" using privacy.sexy​

Open or download

Choose script

Run

Explore This Guide​

Disable insecure "RC2" ciphers

Disable insecure "RC4" ciphers

Disable insecure "DES" cipher

Disable insecure "Triple DES" cipher

Disable insecure "NULL" cipher

Similar Guides​

Wider Goal​

Same Goal​

About the Creators​

Reviewed By​

Expert review by undergroundwires​

Public review by large community​

History​