2018

Introduction

In the wake of highly publicized vulnerabilities within SSL and early TLS versions, many organizations are aggressively working to "harden" servers by enabling TLS 1.2 as the only allowable cryptographic protocol.

 

What's at risk?

Deprecating weak cryptographic protocols raises compatibility concerns for older applications that target framework versions earlier than .NET Framework 4.6.

 

Risk Mitigation

The Windows Registry provides some control over the security protocols used by the .NET Framework, forcing appropriately coded applications that would normally default to TLS 1.0 to use stronger cryptographic protocols.

 

Modifying the Windows Registry to Enable Strong Cryptography for .NET Applications

Add the appropriate key-value pairs to the Windows Registry. The following .REG file sets the registry keys and their variants to their safest values:

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

 

The server will require a reboot for these changes to take effect.
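
To confirm that the import reached all four keys, the following audit script can be run on the server. It is an added example, not part of the original post or of any Pharos tooling; it reads only the key paths and value names shown in the .REG file above and assumes it is run from a 64-bit PowerShell session.

```powershell
# Added example: audit the four .NET Framework registry keys set by the .REG file.
# Run from 64-bit PowerShell; a 32-bit session is redirected to WOW6432Node
# and would read the same hive twice.
$paths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
$names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

$results = foreach ($path in $paths) {
    foreach ($name in $names) {
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # A missing value returns nothing instead of throwing.
            $item = Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$name }
        }
        [pscustomobject]@{
            Key       = $path
            Name      = $name
            Value     = if ($null -eq $value) { '<not set>' } else { $value }
            Compliant = ($value -eq 1)   # dword:00000001 in the .REG file
        }
    }
}

$results | Format-Table -AutoSize -Wrap

# Summarise: any missing or non-1 value means the key is not at the value set above.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $($results.Count) values are missing or not set to 1."
} else {
    Write-Output "All $($results.Count) values are set to 1."
}
```

On a 32-bit operating system the WOW6432Node keys do not exist, so those rows are reported as not set.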

 

Where can I get more information?

For complete details on this and other .NET Framework best practices from Microsoft, please refer to:

Transport Layer Security (TLS) best practices with the .NET Framework | Microsoft Docs

Introduction

While the Pharos Blueprint Enterprise Planning and Installation Guide discusses the necessary prerequisites for the Windows server, it does not provide an easy step-by-step process to install those on the Windows Server operating systems that are supported. Depending on the background of the individual assisting with the server build, this may mean that necessary components are missing, resulting in a failed installation, rework of the server configuration, and other activities that stretch the time for installation.

 

Contents

This document contains two PDF files that discuss prerequisite installation. One focuses on Microsoft Windows Server 2012 R2 and the other on Microsoft Windows Server 2016. While both operating systems are very similar in what is required, there is enough difference in their respective user interfaces to warrant separate documents.