Follow

How to Disable deprecated Protocols

Note: You must be logged in with Administrative access to the AuthAnvil Server and perform the following steps on any client machine that wishes to communicate to AuthAnvil.

 

Steps for disabling SSL protocols:

  • Click Start, click Run, type regedt32 or type regedit, and then click OK.
  • In Registry Editor, browse to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\

Note: We will require there to be keys named "PCT 1.0", "SSL 2.0" and "SSL 3.0"  under the protocols area. If they already exist, please skip the following, otherwise perform the following for the missing keys.

  • Right click on Protocols, Select "New > Key"  and name this first one "PCT 1.0"
  • Highlight the newly created key, right click > "New > Key" and name this "Client", do this again but name the next one "Server"
  • Highlight "Client", right click > "New > DWORD (32-bit) Value", Name it "DisabledByDefault" with a Hexadecimal value of (1),
  • Add another DWORD value and name it "Enabled" with a Hexadecimal value of (0)

Note: To Enable a protocol double click and change the Hexidecimal value to 1 in Binary Editor to set the value of the new key equal to "1".

Perform the above steps for the next protocols that are to be disabled, the next one being "SSL 2.0", and "SSL 3.0"

Once the above steps are completed, the following key paths should exist:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]

"Enabled"=dword:00000000

"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"Enabled"=dword:00000000

"DisabledByDefault"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"Enabled"=dword:00000000

"DisabledByDefault"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

"Enabled"=dword:00000000

"DisabledByDefault"=dword:00000001

  • Open Internet Explorer > Internet Options> Advanced and deselect “Use SSL 2.0” and “Use SSL 3.0” options and enable the protocols you desire
  • Click OK. Restart the computer.

The result will disable SSL 3.0 from running on Windows Server. This included IIS, where AuthAnvil is installed into.

Restart the system for the changes to take affect.

 

Steps for Disabling TLS 1.0:

Note: The Server Operating system must support communicating through TLS 1.1 or higher before you can Disable TLS 1.0. 2008 standard does not support anything else other than TLS 1.0: https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/

If you have Server 2008 R2, please use the following article: https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/



For all other operating systems, please use the following steps.

  • Click Start, click Run, type regedt32 or type regedit, and then click OK.
  • In Registry Editor, browse to the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\

  • Right click on Protocols, Select "New > Key" and name this first one "TLS 1.0"
  • Highlight the newly created key, right click > "New > Key" and name this "Client", do this again but name the next one "Server"
  • Highlight "Client", right click > "New > DWORD (32-bit) Value", Name it "DisabledByDefault" with a Hexadecimal value of (1),
  • Add another DWORD value and name it "Enabled" with a Hexadecimal value of (0)
  • Then, add the following registry keys to enable .net framework 4.0 to use TLS 1.2

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.NETFramework\v4.0.30319

  • For each of the above paths, Highlight "v4.0.30319" , right click > "New > DWORD (32-bit) Value", Name it "chUseStrongCrypto" with a Hexadecimal value of (1)

 

Once the above steps are completed, the following key paths should exist:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

"Enabled"=dword:00000000

"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319]

"chUseStrongCrypto"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"chUseStrongCrypto"=dword:00000001

 

Additional Configuration:

Internet Explorer:

IE will require some optional patches to be installed before it will function with TLS disabled. Please ensure that all updates are installed.

The following link contains a test page which verifies if TLS 1.0 is off for IE.

https://help.salesforce.com/articleView?id=Enabling-TLS-1-1-and-TLS-1-2-in-Internet-Explorer&type=1

 

SQL Server:

SQL server needs to be configured to run with TLS 1.0 turned off. Please use the following article.

https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

 

Using Hardening Software to Disable protocols:

The use of Hardening Software is becoming more mainstream due to the ease of use and the fact that they normally create the registry keys automatically so there is no interaction required. These pieces of software also normally come with recommended settings for users to use for different compliance options.

The issue with these pieces of software is that they may inadvertently disable certain types of crypto that may be required for AuthAnvil products (Such as the Windows Credential Provider) to communicate, therefore effectively disabling the ability to log into systems protected by the product.

 

If Hardening software is used with conjunction to AuthAnvil products, you will assume the risk that there may be communication issues. If such an issue arises, the Hardening software will be requested to be removed from the system before troubleshooting begins.



Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk