Strict TLS 1.2 DHE on .NET, IIS, Windows Update, CryptoAPI

Apr 13th, 2018
Windows Registry Editor Version 5.00

Download IISCrypto to change your Windows settings: https://www.nartac.com/Products/IISCrypto/

Everything will import cleanly into your Windows installation. This was designed for a Windows 7 machine; I suspect it is compatible with Windows 10, but check the hass.de link below for extra info on Windows 10 ciphers.

Very strict rules here; designed for clients, workstations and standalone machines, less for servers, though it is possible there too if your clients are configured properly. If you run the Windows update that deprecates SHA-1, it will completely change your cipher suite list, so make sure you update your setup afterwards and run IISCrypto to confirm. You can eliminate 3DES, RC4 and NULL; they are strictly worse than AES, and NULL is obviously no use when you want confidentiality, since it provides none.

Make sure you create a system restore point before running this, just to be safe!
(Update: there is an excellent script here, though it uses weaker ciphers than I do, and I offer several enhancements: https://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12)

Windows 8 comes with TLS 1.1 and 1.2 already enabled; you can harden it further with this.

Microsoft: "Warning: The DisabledByDefault value in the registry keys under the Protocols key does not take precedence over the grbitEnabledProtocols value that is defined in the SCHANNEL_CRED structure that contains the data for an Schannel credential." (I could not find this in Windows 7 SP1 Pro.)

For the Schannel.dll file to recognize any changes under the SCHANNEL registry key, you must restart the computer.

Also, although Windows did initially list all ciphers automatically when enabling the SSL cipher suite order under Group Policy, copying them and trying to paste them back into the same field resulted in only about two thirds of the ciphers fitting in the dialogue box (Group Policy 1023-character limit / bug). I was forced to add them back into the registry key manually. Info here: https://superuser.com/questions/759065/how-to-overcome-local-group-policy-editors-1023-character-limit I did manage to get Windows working properly with the weakest ciphers removed from the list. There were Schannel errors in Event Viewer; it does not say which program or service failed. It may have been Internet Explorer, but according to Microsoft this does not matter so long as Windows functions properly; in fact it is a sign that you are safer. Most people disable the event notifications.

These are the 6 keys I updated in my registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
x4 HKEY_USERS\S-1-5-21-2240875929-447784991-1091042645-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{********-****-****-****-************}Machine\Software\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

For the Group Policy Objects you have to enable "SSL Cipher Suite Order", then search the registry for the exact default string that appears and replace it.

Windows 7 defaults:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5

To use only the ciphers you want:

Run gpedit.msc, expand Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings and enable "SSL Cipher Suite Order". Copy the default Windows list, apply the GPO setting, then search your registry for the exact string you copied and import your own list via the registry. This is what I successfully used (perfect forward secrecy only):

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384_P521,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256_P521,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256_P384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256

Check IISCrypto and you will see it reflected there as well, if you updated all the necessary registry keys.
=====================================

Enable TLS 1.2 on all .NET 2.0, 3.5, 4.5+ apps (client)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

(These Wow6432Node keys are read by 32-bit processes only; 64-bit .NET processes read the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 and \v4.0.30319, which this file does not set.)
=====================================

Verify that hotfix KB3140245 is installed (it adds the WinHTTP DefaultSecureProtocols setting used below).

# Microsoft Security Advisory 3174644 - Updated Support for Diffie-Hellman Key Exchange
# https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644
#
# Microsoft is providing updated support to enable administrators to configure
# longer Diffie-Hellman ephemeral (DHE) key shares for TLS servers. The updated
# support allows administrators to increase the size of a DH modulus from the
# current default of 1024 to either 2048, 3072, or 4096.
#
# Note: All versions of Windows 10 support the new DH modulus settings and use 2048 as the DH modulus default setting

00000008 Enable SSL 2.0 by default
00000020 Enable SSL 3.0 by default
00000080 Enable TLS 1.0 by default
00000200 Enable TLS 1.1 by default
00000a00 Enable TLS 1.1 + 1.2 by default
00000800 Enable TLS 1.2 by default
00000a80 Enable TLS 1.0 + 1.1 + 1.2
00000AA0 Enable SSL 3.0 + TLS 1.0 + 1.1 + 1.2
00000AA8 Enable SSL 2.0 + 3.0 + TLS 1.0 + 1.1 + 1.2

These are the DefaultSecureProtocols bit flags (hexadecimal); a combination is the sum of its flags, e.g. 0x800 + 0x200 = 0xa00. Having problems with Windows? Enable TLS 1.1 + 1.2 (dword:00000a00), or TLS 1.0 + 1.1 + 1.2 (dword:00000a80).

No issues at all for me using this whatsoever:

WinHTTP 2048 Bit TLS 1.2 (client). Same as the MicrosoftEasyFix51044 update, though more strict, forcing 1.2 only; not problematic.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

WinHTTP 2048 Bit TLS 1.2 (client). Same as the Windows 7 Fix It update; forcing 1.2 is not problematic, but it may have slowed Windows logon times and Windows Update.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800

(Set to 1600 for DHE 4096; this refers to the ClientMinKeyBitLength values below, not to DefaultSecureProtocols.)
=====================================
PKCS key exchange, 2048-bit minimum (thanks to the PowerShell script setupiisforsslperfectforwardsecrecy_pcidss31_v110)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"ClientMinKeyBitLength"=dword:00000800
=====================================
Enable a stronger minimum elliptic-curve Diffie-Hellman key exchange, 2048 (my personal addition; this was not in the advanced PowerShell script. It works great but slows Windows Update and possibly Windows logon.)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"ClientMinKeyBitLength"=dword:00000800
=====================================
Enable a stronger minimum Diffie-Hellman key exchange by default: 2048 in IIS / CryptoAPI / Windows Update, etc.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:00000800
=====================================
You might want to try switching to 000001600 for 4096-bit key exchange. (Note that the dword is hexadecimal and must be exactly 8 digits: 0x00000800 is 2048 decimal, so 4096 is 0x00001000, while 0x1600 is 5632, which is not one of the sizes, 2048, 3072 or 4096, that the advisory above lists.)
=====================================

Disable Weak Ciphers

Microsoft: "Unfortunately, there is no built-in group policy administrative template to help us this time. The individual security protocols, ciphers, hashing algorithms, and key exchanges are all enabled on Windows by default, and to disable them requires a registry change. This change is done by adding the 'Enabled' value to the associated component registry subpath that you want disabled and setting the value to '0' as illustrated below."

(A great alternative is to just use IISCrypto.exe.)

Disable weak ciphers in IIS, CryptoAPI and more. Some claimed it broke Remote Desktop access and older versions of SQL Server, all of which can be fixed with the proper updates. Check out #Error Work Arounds.txt.

Schannel also deals with CryptoAPI, an integral part of Windows Update, NCSI and Internet Explorer, so make sure you create a system restore point before running this, just to be sure you can fix any errors in a hurry if you need to. Disable anything less than TLS 1.2 in Internet Explorer: Internet Options -> Advanced, scroll to the bottom. Internet Explorer is tied into the fabric of Windows itself, and "Internet Options" affects CryptoAPI and the certificate checks that take place even in Chrome and Firefox via "Check for server certificate revocation" and "Check for publisher's certificate revocation". So make sure IE is hardened too.

I confirm this influences Windows Update: when I had improperly configured Schannel ciphers, effectively disabling them by trying to enable them with dword:00000001 instead of ffffffff, Windows Update failed to function and other Schannel errors occurred. Once I had used ffffffff to enable them, along with a strict DHE-only policy, no Schannel errors occurred.

Server apps may need upgrading, SQL Server for example, to versions compatible with TLS 1.2. Or just relax your settings for certain standards. My way of seeing it, however, is that attackers may force you to use the weakest link, the lowest-priority cipher in the chain, so be mindful.
=====================================

IIS Server / Windows Update / CryptoAPI (maybe others)

Disable Multi-Protocol Unified Hello

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

# NOTE for SERVERS: If you disable SSL 3.0 then you may lock out some people still using
# Windows XP with IE6/7. Without SSL 3.0 enabled, there is no protocol available
# for these people to fall back to. Safer-shopping certifications may require that
# you disable SSLv3.

Disable SSL 3.0 (PCI compliance) and enable "POODLE" protection
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

Disabling TLS 1.0 may cause website errors in Internet Explorer and possibly elsewhere (you can enable 1.0 + 1.1 along with WinHttp above)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

Enable Triple DES 168 (optional: as noted at the top, 3DES is strictly worse than AES and can be left disabled)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:ffffffff

Enable AES 128/128
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

Enable AES 256/256
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

Disable MD5
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

Disable SHA (note: as written, the values below actually leave SHA-1 enabled, Enabled=1 with DisabledByDefault=0; the *_CBC_SHA_* suites in the cipher suite list above still need SHA-1 for their MAC)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

Enable SHA-256, SHA-384 and SHA-512!
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff

Enable perfect forward secrecy + elliptic curve
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

Enable PKCS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

Enable elliptic-curve Diffie-Hellman
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff

Enable TLS 1.2!
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
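As an added example, not part of the paste or of any Microsoft tool, this Python script lints a .reg file like the one above before you import it: it rejects dword values that are not exactly 8 hex digits (a 9-digit value such as dword:000000800 is a typo, not 0x800), decodes the WinHTTP DefaultSecureProtocols bitmask using the flag table above, reports each ClientMinKeyBitLength in decimal bits (so 0x800 shows up as 2048), and lists the Enabled/DisabledByDefault state of each Schannel protocol key. SAMPLE_REG is a constructed sample; the key paths in it are the ones used in this paste.

```python
import re

# WinHTTP DefaultSecureProtocols bit flags, from the table in the paste.
DSP_FLAGS = {0x008: "SSL 2.0", 0x020: "SSL 3.0", 0x080: "TLS 1.0",
             0x200: "TLS 1.1", 0x800: "TLS 1.2"}
SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [key] or -[key] (delete key)
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')        # "name"=dword:xxxxxxxx or "name"=-


def parse_reg(text):
    """Return ({key_path: {value_name: int | None}}, [syntax problems])."""
    keys, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(2)
            keys.setdefault(current, {})
            continue
        val = VAL_RE.match(line)
        if not val or current is None:
            problems.append(f"line {lineno}: unrecognised line {line!r}")
            continue
        name, data = val.groups()
        if data == "-":
            keys[current][name] = None            # "name"=- deletes the value
        elif data.startswith("dword:") and re.fullmatch(r"[0-9A-Fa-f]{8}", data[6:]):
            keys[current][name] = int(data[6:], 16)
        else:  # regedit wants exactly 8 hex digits: "dword:000000800" (9 digits) is a typo
            problems.append(f"line {lineno}: bad dword, need exactly 8 hex digits: {data}")
    return keys, problems


def decode_dsp(value):
    """Expand a DefaultSecureProtocols bitmask: 0xa00 -> ['TLS 1.1', 'TLS 1.2']."""
    return [name for bit, name in sorted(DSP_FLAGS.items()) if value & bit]


def lint(text):
    """Summarise what the file does to WinHTTP, Schannel key sizes and protocols."""
    keys, problems = parse_reg(text)
    report = {"problems": problems, "winhttp": {}, "min_key_bits": {}, "protocols": {}}
    for path, vals in keys.items():
        tail = path.rsplit("\\", 1)[-1]
        if tail == "WinHttp" and isinstance(vals.get("DefaultSecureProtocols"), int):
            report["winhttp"][path] = decode_dsp(vals["DefaultSecureProtocols"])
        elif path.startswith(SCHANNEL + "\\KeyExchangeAlgorithms\\"):
            if isinstance(vals.get("ClientMinKeyBitLength"), int):
                report["min_key_bits"][tail] = vals["ClientMinKeyBitLength"]  # hex -> bits
        elif path.startswith(SCHANNEL + "\\Protocols\\") and "Enabled" in vals:
            if vals["Enabled"] in (0, None):
                state = "disabled"
            elif vals.get("DisabledByDefault", 0):
                state = "enabled, not by default"
            else:
                state = "enabled"
            report["protocols"][path[len(SCHANNEL) + 11:]] = state  # drop "\Protocols\"
    return report


# Constructed sample in the style of the paste; the Diffie-Hellman dword has 9 digits on purpose.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"ClientMinKeyBitLength"=dword:00000800
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ClientMinKeyBitLength"=dword:000000800
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"""

if __name__ == "__main__":
    print(lint(SAMPLE_REG))
```

Run it as a script to print the report for the sample, or call lint() on the text of your own .reg file before importing it.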

************************************************************

New registry file:

Windows Registry Editor Version 5.00

Remove all changes! (Each "-[key]" line deletes that key and each "name"=- line deletes that value, restoring the Windows defaults.)

=====================================

Enable TLS 1.2 on all .NET 2.0, 3.5, 4.5+ apps (client)

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=-

=====================================

WinHTTP 2048 Bit TLS 1.1-1.2 (client). Same as the Windows 7 Fix It update; forcing 1.2 is not problematic, but it may have slowed Windows logon times and Windows Update.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=-

WinHTTP 2048 Bit TLS 1.1-1.2 (client). Same as the Windows 7 Fix It update; forcing 1.2 is not problematic, but it may have slowed Windows logon times and Windows Update.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=-

=====================================
PKCS key exchange, 2048-bit minimum
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

=====================================
Enable a stronger minimum elliptic-curve Diffie-Hellman key exchange, 2048 (my personal addition; this was not in the advanced PowerShell script. It works great but slows Windows Update a little.)
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]

=====================================
Enable a stronger minimum Diffie-Hellman by default (2048) in IIS / CryptoAPI / Windows Update, etc.
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

=====================================
You might want to try switching to 000001600 for 4096-bit key exchange.
=====================================

IIS Server / Windows Update / CryptoAPI (maybe others)

Disable Multi-Protocol Unified Hello

-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

Disable SSL 3.0 (PCI compliance) and enable "POODLE" protection
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

Disabling TLS 1.0 may cause website errors in Internet Explorer and possibly elsewhere (you can enable 1.0 + 1.1 along with WinHttp above)
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

Enable Triple DES 168
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

Enable AES 128/128
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]

Enable AES 256/256
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]

Disable MD5 and weak SHA!
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]

Enable SHA-256, SHA-384 and SHA-512!
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]

Enable perfect forward secrecy + elliptic curve
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

Enable PKCS
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

Enable elliptic-curve Diffie-Hellman
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]

Enable TLS 1.2!
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
-[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]