APPNET0075 – Disable TLS RC4 cipher in .Net – Wow6432Node

Details

Use of the RC4 cipher in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. Applications that target .Net version 4.x running on multiple Windows versions could be vulnerable to these types of attacks. The registry settings in this requirement will prevent .Net applications that target the 4.x framework from selecting and utilizing the Schannel.dll RC4 cipher for TLS connections. Applications that use TLS when connecting to remote systems perform a handshake and negotiate the TLS version and cipher to be used between the client and the server; this negotiation is standard for all TLS connections. If the server and client are not configured to support a common TLS version and cipher, the TLS connection may fail. Applications should be tested with these registry settings prior to production implementation of the fix in order to avoid application outages.

Solution

Use regedit to access the following registry key.

For 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319

Modify or create the following Windows registry value: SchUseStrongCrypto

Set SchUseStrongCrypto to a REG_DWORD value of '1'.
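The audit-and-remediate script below is an added example, not part of the STIG text; it assumes an elevated PowerShell session on a 64-bit Windows host, so it checks both the native key and the Wow6432Node key that 32-bit .Net processes read.

```powershell
# Added example for APPNET0075 (not part of the STIG): report the current
# SchUseStrongCrypto value under each .NET 4.x key and optionally set it to 1.
# Assumes an elevated session on 64-bit Windows (both keys apply there).
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$name = 'SchUseStrongCrypto'

function Test-AppNet0075 {
    # Returns one object per key with the current value and a compliance flag.
    foreach ($p in $paths) {
        $current = $null
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.$name }
        }
        [pscustomobject]@{
            Key       = $p
            Value     = $current           # $null means the value is absent
            Compliant = ($current -eq 1)   # STIG requires REG_DWORD 1
        }
    }
}

function Set-AppNet0075 {
    # Creates the key if missing and writes SchUseStrongCrypto = 1 (REG_DWORD).
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in $paths) {
        if ($PSCmdlet.ShouldProcess($p, "Set $name = 1 (REG_DWORD)")) {
            if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
            New-ItemProperty -Path $p -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Audit first; remediate only after the applications on this host have been
# tested with the setting, as the STIG text advises.
Test-AppNet0075 | Format-Table -AutoSize
# Set-AppNet0075 -WhatIf   # preview
# Set-AppNet0075           # apply
```

Run Test-AppNet0075 again after remediation to confirm both keys report Compliant = True.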

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Windows.

Updated on July 16, 2022