Disable TLS RC4 cipher in .Net

From Microsoft DotNet Framework 4.0 STIG

Part of APPNET0075 Disable TLS RC4 cipher in .Net

Associated with: CCI-001762

SV-96209r1_rule Disable TLS RC4 cipher in .Net

Vulnerability discussion

Use of the RC4 cipher in TLS could allow an attacker to perform man-in-the-middle attacks and recover plaintext from encrypted sessions. Applications that target .Net version 4.x running on multiple Windows versions could be vulnerable to these types of attacks. The registry settings in this requirement will prevent .Net applications that target the 4.x framework from selecting and utilizing the Schannel.dll RC4 cipher for TLS connections. Applications that use TLS when connecting to remote systems will perform a handshake and negotiate the TLS version and cipher that is to be used between the client and the server. This is standard protocol for all TLS connections. If the server and client are not configured to use the same TLS version and cipher, the TLS connection may fail. Applications should be tested with these registry settings prior to production implementation of the fix in order to avoid application outages.

Check content

Use regedit to review the following Windows registry keys: For 32-bit applications on 32-bit systems and 64-bit applications on x64-based systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto For 32-bit applications on x64-based systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto If the “SchUseStrongCrypto” registry key does not exist, or is not a REG_DWORD value set to “1”, this is a finding.

Fix text

Use regedit to modify or create the following Windows registry key: For 32-bit applications on 32-bit systems and 64-bit applications on x64-based systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto For 32-bit applications on x64-based systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto Set the REG_DWORD value for “SchUseStrongCrypto” to “1”.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer