(2017-03-01) Hardening – Disabling Weak Ciphers, Hashes And Protocols On ADFS, WAP, AAD Connect, Azure AD MFA Server And Azure AD Application Proxy
Posted by Jorge on 2017-03-01
UPDATE 2017-05-08: Also disabled the cipher “Triple DES” and explained how to use a GPO
UPDATE 2018-11-01: Marked 4 cipher suites as weak!. Added 2 additional cipher suites for W2K12/W2K12R2. Added 2 additional links with info
–
This post is about disabling weak ciphers, hashes, cipher suites and protocols in ADFS, WAP, AAD Connect, Azure AD MFA server and Azure AD Application Proxy Connector server. The main focus however, is disabling weak protocols in ADFS, WAP, AAD Connect, Azure AD MFA Server and Azure AD Application Proxy Connector server as these systems play a very important part in the hybrid solution with Azure AD and its backend services.
–
Please be very careful with these settings when hardening your systems and make sure to test first!!!
–
For quite some time now, SSL v2.0, SSL v3.0 and TLS v1.0 should be disabled and not be used anymore. Especially with disabling TLS v1.0 you may/will experience some challenges that need to taken care of. It may seem difficult to disable TLS v1.0, but it is not impossible. Just do your research!
For this blog post and the tests that I performed in my test/demo environment I used the following information:
- Microsoft Security Advisory 2960358
- Support for SSL/TLS protocols on Windows
- Windows: Support for SSL/TLS Versions
- TLS/SSL Settings
- Supported Cipher Suites and Protocols in the Schannel SSP
- TLS/SSL Security Considerations
- Considerations for disabling and replacing TLS 1.0 in ADFS
- Enable TLS 1.2 for Azure AD Connect
- How to: Determine Which .NET Framework Versions Are Installed
- Mailbag: What version of the .NET Framework is included in what version of the OS?
- SSL/TLS Alert Protocol & the Alert Codes
- Managing SSL/TLS Protocols and Cipher Suites for AD FS
- SSL Labs – This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B
–
As a starting point for this blog post I do assume that every client/server is up to date with the patches available through Windows update!
–
As soon as you disable TLS v1.0 on W2K8R2 and higher, the RDP client on Windows 7 and Windows Server 2008 R2 breaks. For Windows 7 and Windows Server 2008 R2 the hotfix Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2 exists to add support for TLS v1.1 and TLS v1.2 for RDP client on Windows 7 and Windows Server 2008 R2. The RDP client on Windows 8/8.1 and Windows Server 2012 (R2) and higher is not impacted.
–
SQL Server
Looking at both ADFS and AAD Connect, both can use SQL server for their data storage.
If ADFS is using WID, from my experience, you do not need to do anything in addition.
If you have installed AAD Connect without SQL server, then you are using SQL Server 2012 Express LocalDB (a light version of SQL Server Express). I do not fully understand why, but in my case the Azure AD Sync service did not start anymore. Exporting the custom sync rules, uninstalling AAD Connect, rebooting the server, reinstalling AAD Connect and importing the custom Sync rules and everything was fine again. Don’t ask why or how. Maybe a coincidence!
However, if either ADFS or AAD Connect is using SQL server, make sure to patch SQL server so that it supports TLS v1.2. More information about this can be found in TLS 1.2 support for Microsoft SQL Server.
If SQL Server is running on W2K8R2, then TLS v1.1 and TLS v1.2 are supported, but it is disabled by default. You will have to enable it through the following commands and reboot the server afterwards.
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
If SQL Server is running on W2K12 or higher, then TLS v1.1 and TLS v1.2 are supported and enabled by default.
–
Azure AD Connect
AAD Connect supports W2K8 and higher as the server OS. However:
- W2K8 does not support TLS v1.1 or TLS v1.2. You will have move away to a more recent server OS version.
- W2K8R2 does support TLS v1.1 or TLS v1.2, but it is disabled by default. You will have to enable it through the “REG ADD” commands or using the IISCRYPTO tool and reboot the server afterwards.
- W2K12 does support TLS v1.1 or TLS v1.2 and it is enabled by default. Explicitly enabling it does not change or hurt anything.
When connecting to Azure AD, TLS v1.0 is used by default. This can be changed to start using TLS v1.2 instead. Azure AD by default supports this.
The Azure AD Connect server depends on .NET Framework 4.5.1 or later. Whichever version you have installed, you need to install a patch for it, unless you are already running it on W2K16 or higher. If you are running W2K8R2, W2K12 or W2K12R2 you need to install a patch. Which patch you need can be found in Microsoft Security Advisory 2960358.
In addition, configure the server to disable/enable (whichever is applicable) the following ciphers, hashes and protocols:
Disabling Weak Ciphers/Hashes/Protocols
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
–
Enabling Strong Protocols
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
–
.NET is hardcoded to use TLS v1.0 by default. After installing the required patch (W2K12R2 and lower only) you need to tell .NET to use the stronger protocols. That is done by executing the following commands to set the required registry settings
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
–
Azure AD MFA Server
AAD MFA Server supports W2K3 and higher as the server OS. However:
- W2K3 and W2K8 do not support TLS v1.1 or TLS v1.2. You will have move away to a more recent server OS version.
- W2K8R2 does support TLS v1.1 or TLS v1.2, but it is disabled by default. You will have to enable it through the “REG ADD” commands or using the IISCRYPTO tool and reboot the server afterwards.
- W2K12 does support TLS v1.1 or TLS v1.2 and it is enabled by default. Explicitly enabling it does not change or hurt anything.
When connecting to Azure AD, TLS v1.0 is used by default. This can be changed to start using TLS v1.2 instead. Azure AD by default supports this.
The Azure AD MFA server depends on .NET Framework 4 or later. Whichever version you have installed, you need to install a patch for it, unless you are already running it on W2K16 or higher. If you are running W2K8R2, W2K12 or W2K12R2 you need to install a patch. Which patch you need can be found in Microsoft Security Advisory 2960358.
In addition, configure the server to disable/enable (whichever is applicable) the following ciphers, hashes and protocols:
Disabling Weak Ciphers/Hashes/Protocols
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
–
Enabling Strong Protocols
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
–
.NET is hardcoded to use TLS v1.0 by default. After installing the required patch (W2K12R2 and lower only) you need to tell .NET to use the stronger protocols. That is done by executing the following commands to set the required registry settings
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
–
Azure AD Application Proxy Connector Server (AADAppPrx)
AADAppPrx Server supports W2K12R2 and higher as the server OS. However:
- W2K12 does support TLS v1.1 or TLS v1.2 and it is enabled by default. Explicitly enabling it does not change or hurt anything.
When connecting to Azure AD, TLS v1.0 is used by default. This can be changed to start using TLS v1.2 instead. Azure AD by default supports this.
The AADAppPrx server depends on .NET Framework 4 or later. Whichever version you have installed, you need to install a patch for it, unless you are already running it on W2K16 or higher. If you are running W2K12R2 you need to install a patch. Which patch you need can be found in Microsoft Security Advisory 2960358.
In addition, configure the server to disable/enable (whichever is applicable) the following ciphers, hashes and protocols:
Disabling Weak Ciphers/Hashes/Protocols
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
–
Enabling Strong Protocols (not really needed for W2K12R2/W2K16 as these are already enabled by default in the OS)
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
–
.NET is hardcoded to use TLS v1.0 by default. After installing the required patch (W2K12R2 and lower only) you need to tell .NET to use the stronger protocols. That is done by executing the following commands to set the required registry settings
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
–
ADFS In General
From a federation perspective, if a target ADFS server does not support the weaker protocols when updating the metadata from the target ADFS server, you will most likely see an error equal or at least similar to the one below. Now please be aware that testing the protocols by reading the target metadata in a browser compared to reading the target metadata in the ADFS management console use a different configuration. If the browser, as a client, does support the stronger protocols you will/may not see an error. However, doing the same in the ADFS management console might return the following error
Figure 1: Connection Being Closed By Remote ADFS Server Because Local ADFS Server Does Not Support/Use Stronger Protocols
–
In this setup I will have a secured ADFS server (ADFS v3.0 or ADFS v4.0) which will be configured to only support stronger protocols and no weak protocols. I will have other remote ADFS servers, clients, applications, etc. with which the secured ADFS server needs to communicate with in any form (e.g. read metadata through URL from remote ADFS servers and/or applications). The other way around the remote ADFS servers, WAP Server, clients, applications, etc. need to communicate with the secured ADFS server to read its metadata/configuration or deliver or get a security token. In the case the secured ADFS server needs to communicate with SQL server, than if above in the section “SQL Server”. The idea here is also to configure remote servers/clients to be able to use TLS v1.1 and TLS v1.2 against the secured ADFS/WAP servers, but NOT to disable TLS v1.0 on them. This is about what you need to do at least on other systems if you secure one specific ADFS/WAP farm.
–
Secured ADFS/WAP To Only Support Stronger Protocols And Disable Weaker Protocols
ADFS/WAP v3.0 is based on W2K12R2, ADFS/WAP v4.0 is based on W2K16. W2K12R2 and W2K16 both already supports TLS v1.1 and TLS v1.2 and it is also already enabled. Again, explicitly enabling it does not change or hurt anything. See commands below to disable/enable stuff
.NET is hardcoded to use TLS v1.0 by default. For W2K12R2 and W2K16 you need to tell .NET to use the stronger protocols. That is done by executing the commands below to set the required registry settings. However, for W2K12R2 you must install some patches first to be able to tell .NET to use the stronger protocols in use by the OS. For that see Microsoft Security Advisory 2960358 (probably MS-KB2898847 and MS-KB2898850). For W2K16 you do not need to install the patches. You only need to configure the registry settings .
Configure the server to disable/enable (whichever is applicable) the following ciphers, hashes and protocols:
Disabling Weak Ciphers/Hashes/Protocols
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
–
Enabling Strong Protocols (not really needed for W2K12R2/W2K16 as these are already enabled by default in the OS)
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
–
.NET is hardcoded to use TLS v1.0 by default. To tell .NET to use the stronger protocols. That is done by executing the following commands to set the required registry settings
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
–
Looking at all this from the the IISCRYPTO tool it will look like
Figure 2: Settings Viewed/Configured From The IISCRYPTO Tool
–
You might also think in disabling weak(er) cipher suites on both ADFS/WAP. For that you can configure a GPO to target the specific servers, or use the local GPO to do so. Nevertheless, you can configure this as follows:
Figure 3: Setting To Disable Weaker Cipher Suites
–
Enable that setting and specify the following Cipher Suites that are allowed (for readability I put everything on multiple lines, but it must be a comma-separated list in a single line):
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, (ADD FOR W2K12/W2K12R2, NOT FOR W2K16) (*)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, (ADD FOR W2K12/W2K12R2, NOT FOR W2K16) (*)
TLS_RSA_WITH_AES_256_CBC_SHA256, (WEAK, DO NOT ADD!)
TLS_RSA_WITH_AES_256_CBC_SHA, (WEAK, DO NOT ADD!)
TLS_RSA_WITH_AES_128_CBC_SHA256, (WEAK, DO NOT ADD!)
TLS_RSA_WITH_AES_128_CBC_SHA (WEAK, DO NOT ADD!)
–
(*) REMARK: If you do add the cipher suite “TLS_DHE_RSA_WITH_AES_256_GCM_SHA384” and “TLS_DHE_RSA_WITH_AES_128_GCM_SHA256” for W2K12/W2K12R2 make sure to also do the following
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v ServerMinKeyBitLength /t REG_DWORD /d 2048 /f
–
After configuring all this, DO NOT forget to reboot the ADFS/WAP servers!
–
If you have configured this on all your WAP server and you have those scanned through SSL Labs (URL: https://www.ssllabs.com/ssltest/analyze.html) you will see a rating similar to
Figure 4: Qualys SSL Labs Report For WAP Configured With Settings Listed Above (Part 1)
–
Figure 5: Qualys SSL Labs Report For WAP Configured With Settings Listed Above (Part 2)
–
Figure 6: Qualys SSL Labs Report For WAP Configured With Settings Listed Above (Part 3)
–
Browsers Communicating With Secured ADFS
Internet Explorer must be configured to support TLS v1.1 and TLS v1.2 if not already enabled by default.
Open Internet Explorer –> Internet Options –> Advanced TAB –> Scroll down to the end
Figure 7: Internet Explorer Settings For TLS Support
–
Firefox must be configured to support TLS v1.1 and TLS v1.2 if not already enabled by default.
Open Firefox –> As URL enter “about:config” –> Accept warning –> In the search box enter “security.tls.version.max” –> This tells you the highest TLS version supported
1 means TLS 1.0; 2 means TLS 1.1; 3 means TLS 1.2; 4 means TLS 1.3;
Figure 8: Firefox Settings For TLS Support
–
Chrome must be configured to support TLS v1.1 and TLS v1.2 if not already enabled by default.
Open Chrome –> As URL enter “chrome://settings”" –> Click on Settings on the left –> Scroll down to Network –> Click on Change Proxy Settings –> Advanced TAB –> Scroll down to the end
Yes, you guessed it correctly. Chrome inherits these settings from IE!
–
Remote ADFS On W2K8R2 (ADFS v2.0) To Be Able To Communicate With Secured ADFS
Applies To Directions –> “Secured ADFS reading metadata from ADFS v2.0 on W2K8R2” and “ADFS v2.0 on W2K8R2 reading metadata from Secured ADFS”
W2K8R2 by default supports TLS v1.1 and TLS v1.2, but it is disabled by default. Therefore you need to enable it. You can use the following commands to do so.
Enabling Strong Protocols
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
–
Looking at all this from the the IISCRYPTO tool it will look like
Figure 9: Settings Viewed/Configured From The IISCRYPTO Tool On W2K8R2 With ADFS v2.0
–
Applies To Direction –> “ADFS v2.0 on W2K8R2 reading metadata from Secured ADFS”
Install the hotfix listed in Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
Tell .NET to use the stronger protocols in use by the OS. That is done by executing the following commands to set the required registry settings
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /t REG_DWORD /d 1 /f
–
After configuring all this, DO NOT forget to reboot the ADFS v2.0 servers!
–
Remote ADFS On W2K12 (ADFS v2.1) To Be Able To Communicate With Secured ADFS
Applies To Directions –> “Secured ADFS reading metadata from ADFS v2.1 on W2K12” and “ADFS v2.1 on W2K12 reading metadata from Secured ADFS”
W2K12 by default supports TLS v1.1 and TLS v1.2 and it is also enabled by default. Nothing to do for that.
–
Applies To Direction –> “ADFS v2.1 on W2K12 reading metadata from Secured ADFS”
I think you do need to install the hotfixes listed in Microsoft Security Advisory 2960358 (probably MS-KB2898845 and MS-KB2898849).
However, you still need to tell .NET to use the stronger protocols in use by the OS. That is done by executing the following commands to set the required registry settings.
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
–
After configuring all this, DO NOT forget to reboot the ADFS v2.1 servers!
–
Remote ADFS On W2K12R2 (ADFS v3.0) To Be Able To Communicate With Secured ADFS
Applies To Directions –> “Secured ADFS reading metadata from ADFS v3.0 on W2K12R2” and “ADFS v3.0 on W2K12R2 reading metadata from Secured ADFS”
W2K12R2 by default supports TLS v1.1 and TLS v1.2 and it is also enabled by default. Nothing to do for that.
–
Applies To Direction –> “ADFS v3.0 on W2K12R2 reading metadata from Secured ADFS”
In this case I would expect to have to install the hotfixes listed in Microsoft Security Advisory 2960358 (probably MS-KB2898847 and MS-KB2898850). However, funny enough it was not needed
However, I still needed to tell .NET to use the stronger protocols in use by the OS. That is done by executing the following commands to set the required registry settings.
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
–
After configuring all this, DO NOT forget to reboot the ADFS v3.0 servers!
–
Remote ADFS On W2K16 (ADFS v4.0) To Be Able To Communicate With Secured ADFS
Applies To Directions –> “Secured ADFS reading metadata from ADFS v4.0 on W2K16” and “ADFS v4.0 on W2K16 reading metadata from Secured ADFS”
W2K16 by default supports TLS v1.1 and TLS v1.2 and it is also enabled by default. Nothing to do for that.
–
Applies To Direction –> “ADFS v4.0 on W2K16 reading metadata from Secured ADFS”
No need to install patches for this.
However, I still needed to tell .NET to use the stronger protocols in use by the OS. That is done by executing the following commands to set the required registry settings
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /t REG_DWORD /d 1 /f
–
After configuring all this, DO NOT forget to reboot the ADFS v4.0 servers!
–
Remote Applications/Federation Systems (On-premises Or Cloud) To Be Able To Communicate With Secured ADFS
Applies To Direction –> “Secured ADFS reading metadata from remote Application/Federation System”
Just make sure the connected application/federation system supports TLS v1.1 and TLS v1.2 as a server. You may need to contact system owners and/or vendors and ask if their system supports TLS v1.1 and/or TLS v1.2. You can also setup a separate secured ADFS server and try to read its metadata from the application/federation system. If it succeeds it most likely does support TLS v1.1 and/or TLS v1.2.
Or….
Use the PowerShell script from Vadims Podans to check if the target server supports TLS v1.1/1.2 as a server: Test web server SSL/TLS protocol support with PowerShell
–
Applies To Direction –> “Remote Application/Federation System reading metadata from Secured ADFS”
Just make sure the connected application/federation system supports TLS v1.1 and TLS v1.2 as a client. You may need to contact system owners and/or vendors and ask if their system supports TLS v1.1 and/or TLS v1.2. By performing the previous test, you may be able to assume (not sure of course) that it will also support TLS v1.1 and TLS v1.2 as a client if it supports TLS v1.1 and TLS v1.2 as a server
–
Additional Findings:
At the time of writing, it looks like Azure AD Connect Health DOES NOT support TLSv1.1/v1.2 only. It appears to need TLSv1.0<== NOT TRUE!- Many agents or on-premises solutions that interact with Azure AD somehow may use client certificates to authenticate against Azure AD. That may start to fail after configuring these settings (specially after disabling TLS v1.0 and only allowing TLS v1.1 and TLS v1.2) and if you are running either W2K8R2 or W2K12 or W2K12R2 for Azure AD Connect Health Agent for ADDS/ADFS/Sync or the Azure AD Application Proxy Connector server. By default those client certificates use the SHA512 signature algorithm which is disabled by default, unless you have installed a patch to enable it. More info about this through SHA512 is disabled in Windows when you use TLS 1.2
–
REMARKS:
- All the registry settings listed in this blog post can also be configured in a GPO by using preferences. On one of the servers you want to harden, configure the required registry settings by running the commands, then after opening the GPO in the preference section, run the registry wizard, target the server already configured and select the configured settings to be included in the GPO
Figure 10: Registry Settings Through Preferences In A GPO
–
Troubleshooting
If you find a error like the following one in the System Event Log:
"A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105."
Check the underlined error code, a.k.a. the fatal error code, and look it up in SSL/TLS Alert Protocol & the Alert Codes. In this case “fatal error code 70 ” means: “The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. This message is always fatal.”
–
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
Jorge's Quest For Knowledge! 
Bandsnews said
Jorge, is it possible to achieve any of these settings via AD GPO?
LikeLike
Jorge said
Hi,
All those registry settings can be put in GPOs when using GPO preferences or when using a custom ADMX
Cheers,
jorge
LikeLike
kaanic said
SQL Server / Azure AD Connect:
“If you have installed AAD Connect without SQL server, then you are using SQL Server 2012 Express LocalDB (a light version of SQL Server Express). I do not fully understand why, but in my case the Azure AD Sync service did not start anymore. Exporting the custom sync rules, uninstalling AAD Connect, rebooting the server, reinstalling AAD Connect and importing the custom Sync rules and everything was fine again. Don’t ask why or how. Maybe a coincidence!”
The root cause in my case was the installed SQL Server Native Client. AAD Connect installs SQL Native Client 11.0 (2011.110.2100.60 / 11.00.2100), which is the RTM version. You have to update to a more current version, f.e. 11.0.6538.0 from here: https://www.microsoft.com/en-us/download/details.aspx?id=50402)
No reboot required. Afterwards start the Azure AD Sync service.
LikeLike
Ivan said
WOW! Great Job!
LikeLike
(2017-05-23) Bug In GPP Registry Wizard Prevents Registry Settings From Applying « Jorge's Quest For Knowledge! said
[…] the blog post (2017-03-01) Hardening – Disabling Weak Ciphers, Hashes And Protocols On ADFS, WAP, AAD Connect, A… I explain how to harden several hybrid identity related servers. I provide the individual settings […]
LikeLike
CLETUS CHUKWU said
What types of hardening can I implement on WAP servers if I decide to join it to the domain?
LikeLike
Jorge said
exactly the same as the article mentions. After configuring everything to an internet based Qualys scan
LikeLike
How to test SSL/TLS status ? | Jacques DALBERA's IT world said
[…] https://jorgequestforknowledge.wordpress.com/2017/03/01/hardening-disabling-weak-ciphers-hashes-and-… […]
LikeLike
Secure Install of Azure AD Connect – PowerShell and Azure knowledge sharing said
[…] https://jorgequestforknowledge.wordpress.com/2017/03/01/hardening-disabling-weak-ciphers-hashes-and-… […]
LikeLike