Symptoms
- Vulnerability scan reports "SSL Medium Strength Cipher Suites Supported (SWEET32)" on the Trend Micro Apex Central server.
- Security tools flag use of cipher suites with 64-bit block ciphers such as 3DES (e.g., TLS_RSA_WITH_3DES_EDE_CBC_SHA).
- Potential exposure to birthday attacks on long-lived connections that carry large volumes of data (hundreds of gigabytes) under a single key.
Root Cause
The SWEET32 vulnerability (CVE-2016-2183) affects SSL/TLS cipher suites that use 64-bit block ciphers such as 3DES and Blowfish: once a few hundred gigabytes have been encrypted under one key, birthday collisions between 64-bit ciphertext blocks become likely enough for an attacker observing the traffic to recover plaintext (for example, session cookies). These medium strength ciphers are enabled by default in some Windows Server configurations, including those hosting Trend Micro Apex Central, so vulnerability scanners flag the server.
Resolution
Since Trend Micro Apex Central relies on the Schannel SSL/TLS configuration of the underlying Windows Server, the vulnerability is addressed by disabling the weak cipher suites at the OS level. Note that these settings apply to every Schannel client and server on the host, so confirm afterwards that the products and agents that connect to Apex Central still negotiate TLS with the remaining cipher suites.
Step 1: Disable 3DES and Other Weak Ciphers via Windows Registry
- Open Command Prompt as Administrator.
- Execute the following commands to disable the 3DES and DES ciphers. These keys do not exist by default; reg add creates them, and setting Enabled to 0 removes every cipher suite that uses the algorithm from Schannel:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v Enabled /t REG_DWORD /d 0 /f
- Restart the server to apply changes:
shutdown /r /t 0
For detailed information on configuring Schannel cipher suites on Windows Server, see the official Microsoft documentation on Cipher Suites in TLS/SSL (Schannel SSP).
Step 2: Configure IIS SSL/TLS Settings (If Trend Micro Apex Central Web Interface Uses IIS)
- IIS has no cipher suite configuration of its own; the web console inherits the Schannel settings changed in Step 1. In Internet Information Services (IIS) Manager, the SSL Settings page (available at the site level) controls only Require SSL and client certificate behavior, so confirm those are set as intended, but do not expect to find cipher suite choices there.
- For easier management of the Schannel settings, download and run the IIS Crypto tool from Nartac Software.
- In IIS Crypto:
- Go to the Cipher Suites tab.
- Uncheck weak cipher suites that use DES and 3DES (e.g., TLS_RSA_WITH_3DES_EDE_CBC_SHA).
- On the Schannel tab, ensure TLS 1.2 is enabled and prioritized (and TLS 1.3 on Windows Server 2022 or later, where Schannel supports it).
- Apply changes and restart the server; Schannel reads these registry settings at startup.
Step 3: Use Group Policy to Enforce Strong Cipher Suites (Optional)
- Open Group Policy Editor (gpedit.msc).
- Navigate to:
Computer Configuration > Administrative Templates > Network > SSL Configuration Settings
- Open the SSL Cipher Suite Order policy.
- Modify the cipher suite list to exclude 3DES and other weak cipher suites. The policy replaces the local list with the exact comma-separated list entered here (Windows limits it to 1023 characters) and overrides changes made locally, so include every suite that must remain available and omit the 3DES ones.
- Apply the policy and reboot the server.
Verification
- After server restart, rerun the vulnerability scan to confirm that the "SSL Medium Strength Cipher Suites Supported (SWEET32)" warning no longer appears.
- Use tools like Qualys SSL Labs (only for servers reachable from the internet; Apex Central consoles are usually internal) or Nmap with the --script ssl-enum-ciphers option, for example:
nmap -p 443 --script ssl-enum-ciphers <apex-central-host>
- Verify that only strong cipher suites are listed; any remaining 3DES suite is reported with a SWEET32 warning in the script output.
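The following PowerShell script is added here as an example; it is not part of this article or of Trend Micro's tooling. It consolidates Steps 1 to 3 and the verification above: it lists the 64-bit-block cipher suites Schannel currently offers, removes them with the built-in TLS cmdlets, writes the same two legacy cipher switches as the reg add commands in Step 1, and returns a pass/fail result. It assumes Windows Server 2012 R2 or later (where Get-TlsCipherSuite and Disable-TlsCipherSuite exist) and an elevated session; the function names and the regular expression are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and remediate SWEET32 (CVE-2016-2183) exposure on the Windows
# Server hosting Apex Central. Not Trend Micro code. Assumes the built-in TLS module
# cmdlets Get-TlsCipherSuite / Disable-TlsCipherSuite (Windows Server 2012 R2 and later).

# Suite names whose bulk cipher has a 64-bit block: 3DES and single DES, e.g.
# TLS_RSA_WITH_3DES_EDE_CBC_SHA. AES suites contain "_WITH_AES_" and never match.
$WeakSuitePattern = '_WITH_(3DES|DES)_'

# Legacy per-algorithm Schannel switches: the same keys Step 1 writes with reg add.
$SchannelCiphers  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$LegacyCipherKeys = @('Triple DES 168', 'DES 56/56')

function Get-WeakTlsCipherSuite {
    # Names of the suites Schannel currently offers that use a 64-bit block cipher.
    Get-TlsCipherSuite | Where-Object { $_.Name -match $WeakSuitePattern } |
        Select-Object -ExpandProperty Name
}

function Get-LegacySchannelCipherState {
    param([Parameter(Mandatory)][string]$CipherName)
    # 'Disabled' only when the key exists and Enabled is 0; a missing key means Schannel default.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelCiphers\$CipherName")
    if ($null -eq $key) { return 'Default' }
    try {
        $enabled = $key.GetValue('Enabled')
        if ($null -eq $enabled) { 'Default' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
    } finally { $key.Dispose() }
}

function Disable-LegacySchannelCipher {
    param([Parameter(Mandatory)][string]$CipherName)
    # The .NET registry API is used deliberately: the PowerShell registry provider reads the
    # '/' in 'DES 56/56' as a path separator, so New-Item cannot create that key.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelCiphers\$CipherName")
    try { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Dispose() }
}

function Disable-WeakTlsCipherSuite {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Remove each 3DES/DES suite from the local cipher suite list (what Steps 2 and 3 do) ...
    foreach ($name in Get-WeakTlsCipherSuite) {
        if ($PSCmdlet.ShouldProcess($name, 'Disable-TlsCipherSuite')) {
            Disable-TlsCipherSuite -Name $name
        }
    }
    # ... and turn off the algorithms themselves (what Step 1 does). Takes effect after a reboot.
    foreach ($cipher in $LegacyCipherKeys) {
        if ($PSCmdlet.ShouldProcess("$SchannelCiphers\$cipher", 'Set Enabled = 0')) {
            Disable-LegacySchannelCipher -CipherName $cipher
        }
    }
}

function Test-Sweet32Remediation {
    # $true only when no 64-bit-block suite is offered AND both legacy switches are off.
    $suitesLeft  = @(Get-WeakTlsCipherSuite).Count
    $switchesOff = @($LegacyCipherKeys |
        Where-Object { (Get-LegacySchannelCipherState -CipherName $_) -eq 'Disabled' }).Count
    ($suitesLeft -eq 0) -and ($switchesOff -eq $LegacyCipherKeys.Count)
}

# Usage, in an elevated session after dot-sourcing this file:
#   Get-WeakTlsCipherSuite                 # what a scanner would see before the change
#   Disable-WeakTlsCipherSuite -WhatIf     # preview the changes
#   Disable-WeakTlsCipherSuite             # apply, then reboot the server
#   Test-Sweet32Remediation                # expect True after the reboot
```

Disable-TlsCipherSuite edits the local cipher suite list only; if the SSL Cipher Suite Order Group Policy from Step 3 is configured, the policy list takes precedence and the 3DES suites must be removed there instead. For an independent check from another host, openssl s_client -connect <apex-central-host>:443 -tls1_2 -cipher 'DES-CBC3-SHA' (the OpenSSL name of TLS_RSA_WITH_3DES_EDE_CBC_SHA) should end in a handshake failure once the remediation is effective.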
Learn more about disabling 3DES here: Disabling Triple DES (3DES) encryption on InterScan Messaging Security Virtual Appliance (IMSVA).
For information about connecting Trend Vision One™ to on-premise Trend Micro Apex Central, refer to Setting up connection to Trend Vision One™ for on-premise Apex Central.