Hardening .Net Framework Applications with Stronger Cryptographic Protocols

Introduction

In the wake of highly publicized vulnerabilities within SSL and early TLS versions, many organizations are aggressively working to "harden" servers by enabling TLS 1.2 as the only allowable cryptographic protocol.

What's at risk?

Making the move to deprecate weak cryptographic protocols can cause concern for lack of compatibility with older applications targeting framework versions earlier than .NET Framework 4.6.

Risk Mitigation

The Windows Registry provides some control over the security protocols used by the .NET Framework, forcing appropriately coded applications that would normally default to TLS 1.0 to use stronger cryptographic protocols.

Modifying the Windows Registry to Enable Strong Cryptography for .NET Applications

Add the appropriate key-value pairs into the Windows Registry.  The following .REG file sets the registry keys and their variants to their most safe values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]"SystemDefaultTlsVersions"=dword:00000001"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]"SystemDefaultTlsVersions"=dword:00000001"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]"SystemDefaultTlsVersions"=dword:00000001"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]"SystemDefaultTlsVersions"=dword:00000001"SchUseStrongCrypto"=dword:00000001

The server will require a reboot for these changes to take affect.

Where can I get more information?

For complete details regarding this and other best practices from Microsoft regarding the .NET Framework, please refer to:

Transport Layer Security (TLS) best practices with the .NET Framework