Enforcing UseStrongCrypto & TLS 1.2
Versions of .NET 4.5 and older have TLS configurations independent of the system-level TLS settings. Administrators often harden servers and workstations by disabling the older TLS 1.0 protocol. If the lower protocols have been disabled on either the client or the server, a client-to-server sync will fail because a secure connection on a protocol common to both sides cannot be established.
The following are instructions, in the necessary order, for enabling and enforcing TLS 1.2 and UseStrongCrypto, and disabling TLS 1.0 and 1.1 on your MFA server.
Before continuing, please take a backup of your server with a snapshot, or a backup of the server's registry and MFA Server Key.
The HKEY_LOCAL_MACHINE\SOFTWARE\[Wow6432Node\]Microsoft\.NETFramework\<VERSION>: SchUseStrongCrypto registry key has a value of type DWORD. A value of 1 causes your app to use strong cryptography. The strong cryptography uses more secure network protocols (TLS 1.2 and TLS 1.1) and blocks protocols that aren't secure. A value of 0 disables strong cryptography. For more information, see documentation about the SCH_USE_STRONG_CRYPTO flag. This registry setting affects only outgoing client connections in your application.
If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. That's a secure default that we recommend. If your app targets .NET Framework 4.5.2 or earlier versions, the key defaults to 0. In that case, you should explicitly set its value to 1.
This key should only have a value of 0 if you need to connect to legacy services that don't support strong cryptography and can't be upgraded.
To read more, visit Microsoft's TLS KB article.
Download the File
Download the file by clicking here.
The TLS1.2+UseStrongCrypto.reg file makes the following changes:
- Disables IPv6
- Disables SSLv2
- Disables SSLv3
- Disables TLS 1.0
- Disables TLS 1.1
If your environment requires the lower protocols to stay intact for any reason, edit the downloaded file and adjust the flags as necessary, or remove the registry keys that disable the lower protocols entirely.
Updating the MFA Server
Update the MFA SQL database settings by using the following query to insert the necessary values into the dbo.Settings table. This tells the MFA server software it is using TLS 1.2. It can also be done manually using the "Edit Top 200 Rows" option.
-- if your db name is different than 'ONE', be sure to update this query before running
USE [ONE]
INSERT INTO Settings VALUES ('UseTLS12','True',1);
Create a backup of your server's registry settings (if you have not already).
Run or 'Merge' the TLS1.2+UseStrongCrypto.reg file.
Restart your MFA server for the changes to fully take effect.
Updating the MFA Clients
For updating your clients to TLS 1.2 as well, run the same registry file on your client computers and perform a restart.
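After the restart, confirm that the registry actually reflects the intended state before testing a client-to-server sync. The following PowerShell audit is an added example, not the vendor's script or part of the downloaded .reg file; it assumes .NET 4.x (the v4.0.30319 key) and the standard SCHANNEL key layout, and it checks the TLS-related changes only (not the IPv6 change). Run it in an elevated PowerShell on the MFA server and on each client.

```powershell
# Added example (not the vendor's script): audit the registry state that the
# TLS1.2+UseStrongCrypto.reg file is expected to leave behind after a restart.
# Assumptions: .NET 4.x (v4.0.30319) and the standard SCHANNEL key layout.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$checks = @()

# 1. SchUseStrongCrypto = 1 for both the 64-bit and the 32-bit (Wow6432Node) .NET 4.x key.
foreach ($hive in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {
    $key = "HKLM:\$hive\Microsoft\.NETFramework\v4.0.30319"
    $v = Get-RegValue $key 'SchUseStrongCrypto'
    $checks += [pscustomobject]@{ Setting = "$key\SchUseStrongCrypto"; Value = $v; Pass = ($v -eq 1) }
}

# 2. SCHANNEL protocols: SSL 2.0/3.0 and TLS 1.0/1.1 explicitly disabled, TLS 1.2 not disabled,
#    for both the Client and the Server role (the MFA server acts as both).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$wantDisabled = @{ 'SSL 2.0' = $true; 'SSL 3.0' = $true; 'TLS 1.0' = $true; 'TLS 1.1' = $true; 'TLS 1.2' = $false }
foreach ($proto in $wantDisabled.Keys) {
    foreach ($role in 'Client', 'Server') {
        $key = "$base\$proto\$role"
        $enabled = Get-RegValue $key 'Enabled'
        $disabledByDefault = Get-RegValue $key 'DisabledByDefault'
        if ($wantDisabled[$proto]) {
            # A missing key falls back to the OS default, so only an explicit 0 counts as disabled.
            $pass = ($enabled -eq 0)
        } else {
            # TLS 1.2 must not be switched off; a missing key is acceptable (OS default enables it).
            $pass = ($enabled -ne 0) -and ($disabledByDefault -ne 1)
        }
        $checks += [pscustomobject]@{ Setting = $key; Value = "Enabled=$enabled DisabledByDefault=$disabledByDefault"; Pass = $pass }
    }
}

$checks | Format-Table -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass }).Count
if ($failed -gt 0) { Write-Warning "$failed setting(s) differ from the expected TLS 1.2 / UseStrongCrypto state." }
```

Any row that fails on the server side (a protocol the .reg file should have disabled but that is still enabled, or SchUseStrongCrypto missing from one of the two .NET keys) explains a sync failure before you start looking at the MFA database settings.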