What is MS14-066 (KB2992611) and what is the problem with it?

Microsoft released a patch on November 11, 2014 to address a vulnerability in SChannel that could allow remote code execution. This patch added 4 new cipher suites to Windows Server versions 2008 through 2012 R2. Previously, only Windows Server 2012 R2 had these cipher suites. On November 16, Microsoft updated the advisory to state that they had found an issue with the newly introduced cipher suites. If you have applied this patch and are running into connection issues with clients, the workaround is to disable the following cipher suites: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256. You can do this in the latest version of IIS Crypto by unchecking those cipher suites, clicking Apply and rebooting your server. More information can be found here.

On November 18, 2014 Microsoft updated MS14-066 to remove the cipher suites from the default cipher suite list for Windows Server 2008 R2 and Windows Server 2012. Windows Server 2012 R2 does not get the update. If you run into any connection issues, uncheck the listed cipher suites in IIS Crypto.
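
To see whether a server still offers the four cipher suites before or after unchecking them, the configured cipher suite order can be inspected directly. The following read-only PowerShell check is an added example, not part of IIS Crypto or of Microsoft's advisory; it assumes the standard SChannel registry locations for the cipher suite order and that a policy-set order, when present, takes precedence over the local default. The function name `Get-CipherSuiteOrder` is hypothetical.

```powershell
# Added example: read-only audit, makes no changes to the server.
# The four cipher suites named in the MS14-066 workaround above.
$affected = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
)

# Assumption: standard SChannel cipher suite order locations.
# The policy key, when populated, overrides the local default list.
$sources = @(
    @{ Name = 'Policy';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' },
    @{ Name = 'Local default'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' }
)

# Hypothetical helper: returns the ordered suite names stored under a key.
function Get-CipherSuiteOrder {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name Functions -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    # The value may be a single comma-separated string or a multi-string.
    @($item.Functions) |
        ForEach-Object { $_ -split ',' } |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

foreach ($s in $sources) {
    $order = @(Get-CipherSuiteOrder -Path $s.Path)
    if ($order.Count -eq 0) {
        Write-Output "$($s.Name): no cipher suite order set"
        continue
    }
    $found = @($order | Where-Object { $affected -contains $_ })
    Write-Output "$($s.Name): $($order.Count) suites configured, $($found.Count) affected by MS14-066"
    foreach ($suite in $found) { Write-Output "  still enabled: $suite" }
    if ($found.Count -gt 0) {
        # The order that remains once the four suites are removed.
        $kept = @($order | Where-Object { $affected -notcontains $_ })
        Write-Output "  order without affected suites: $($kept -join ',')"
    }
    break   # the first populated source is the one in effect
}
```

Run it from an elevated PowerShell prompt on the server; a change to the cipher suite order takes effect only after the reboot mentioned above.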