SchUseStrongCrypto must be enabled.

An XCCDF Rule

Description

<VulnDiscussion>Exchange Server 2019 is configured by default with TLS 1.2. However, SchUseStrongCrypto is not set by default and must be configured to meet the TLS requirement. The strong cryptography (configured by the SchUseStrongCrypto registry value) uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. SchUseStrongCrypto affects only client (outgoing) connections in the application.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-259577r942045_rule
Severity: Medium
References: CCI-000068
Updated: 9 months ago

In a PowerShell window with elevated privileges, run the following commands:

reg add HKLM\SOFTWARE\Microsoft\.NetFramework\v4.0.30319 /v "SchUseStrongCrypto" /t REG_DWORD /d 1

reg add HKLM\SOFTWARE\WoW6432Node\Microsoft\.NetFramework\v4.0.30319 /v "SchUseStrongCrypto" /t REG_DWORD /d 1
This will create the value within the necessary key and set the data to 1.

SchUseStrongCrypto must be enabled.

Description

Remediation - Manual Procedure