Registry Settings in Windows Server
Note:
Take a backup of the Windows Registry before making any of the changes below. Go to Run, type regedit, and the Registry Editor will open.
Select SCHANNEL (at HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL).
Go to File > Export and save the registry backup on another disk for safekeeping.
Also check the compatibility of your application: after implementation your application may stop working
if it does not support the latest standard protocols.
———————————————————————————————————————————–
Windows Server 2012
Microsoft Improperly Issued Digital Certificates Spoofing Vulnerability (KB3123040)
Locate the path below:
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
Right-click on Certificates and create a new DWORD value named DisableRootAutoUpdate; double-click on it and set the value to 1 (decimal).
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Right-click on Certificates and create a new DWORD value named DisableRootAutoUpdate; double-click on it and set the value to 1 (decimal).
Again right-click on Certificates and create a new DWORD value named EnableDisallowedCertAutoUpdate; double-click on it and set the value to 1 (decimal).
Now go to the next step:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Right-click on AutoUpdate and create a new DWORD value named DisallowedCertEncodedCtl; double-click on it and set the value to 1 (decimal).
Security Update for Windows Server 2012 (KB2813430)
https://www.microsoft.com/en-us/download/details.aspx?id=39134
https://support.microsoft.com/en-us/topic/an-update-is-available-that-enables-administrators-to-update-trusted-and-disallowed-ctls-in-disconnected-environments-in-windows-0c51c702-fdcc-f6be-7089-4585fad729d6#bkmk_4
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)
Microsoft WinHTTP support for TLS 1.1 and TLS 1.2 Missing (KB3140245)
Enable TLS 1.2 by default for WinHTTP
Add the DefaultSecureProtocols DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp registry keys.
From the Windows search bar, use regedit to open the Windows Registry Editor.
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp.
Create a new DWORD value named: DefaultSecureProtocols
Set the value in hexadecimal to: 800
On a 64-bit version of Windows, browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Create a new DWORD value named: DefaultSecureProtocols
Set the value in hexadecimal to: 800
https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245
Windows Remote Desktop Protocol Weak Encryption Method Allowed
Actual solution: add these registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
Right-click on Ciphers, select New > Key and name it RC4 40/128.
Again right-click on Ciphers, select New > Key and name it RC4 56/128.
Now go to RC4 40/128, right-click on it, select New > DWORD (32-bit) Value, name it Enabled, double-click on it and set the value to 0.
Repeat this step for RC4 56/128.
Now close the Registry Editor and restart the computer.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV190013
https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV180012
https://support.microsoft.com/en-us/topic/windows-server-guidance-to-protect-against-speculative-execution-side-channel-vulnerabilities-2f965763-00e2-8f98-b632-0d96f30c8c8e
Microsoft CVE-2017-5754 and Microsoft CVE-2017-5715
Microsoft Windows Server Registry Key Configuration Missing (ADV190013)
Microsoft Windows Security Update Registry Key Configuration Missing (ADV180012) (CVSS: -, CVSS3: 5, Spectre/Meltdown Variant 4)
Solution: open the server registry (Run > regedit). First make sure that you have a server and registry backup. Go to the path below in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Click on Memory Management and, in the right panel, create a new DWORD (32-bit) value named FeatureSettingsOverride; double-click on it and set the value to 72 (decimal).
Again click on Memory Management and, in the right panel, create a new DWORD (32-bit) value named FeatureSettingsOverrideMask and set the value to 3.
Now restart the computer.
Architecture: AMD64, x86
Windows 10, Windows 10 LTSB, Windows 7, Windows 8.1, Windows Embedded Standard 7, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4078130
https://msrc.microsoft.com/update-guide/vulnerability/ADV180002
SMBv2 signing not required
Recommended vulnerability solution: enable SMBv2 signing and set it to Required.
Actual solution: add these registry values.
Open Run, type regedit, press Enter, and add the values below:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ EnableSecuritySignature (DWORD: 1)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ RequireSecuritySignature (DWORD: 1)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ EnableSecuritySignature (DWORD: 1)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ RequireSecuritySignature (DWORD: 1)
Windows Explorer Autoplay Not Disabled for Default User
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Right-click on Explorer, select New > DWORD (32-bit) Value and name it NoDriveTypeAutoRun.
Double-click on it and set the value to 1.
Again go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
Right-click on Explorer, select New > DWORD (32-bit) Value and name it NoAutorun.
Double-click on it and set the value to 1.
Now restart the computer.
Enabled Cached Logon Credential
We recommend that you locate the following registry key, and then set or create a REG_SZ 'CachedLogonsCount' entry with a value of '0':
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Right-click on Winlogon, select New > String Value and name it CachedLogonsCount.
Double-click on it and set the value to 0.
Now restart the computer.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/cached-domain-logon-information
Allowed Null Session
To close this exposure and secure your server, follow these steps:
Go to Start | Run, and enter Regedit.
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
Right-click on LSA, select New > DWORD (32-bit) Value and name it RestrictAnonymous; double-click on it and set the value to 1.
Again go to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
Right-click on Parameters, select New > DWORD (32-bit) Value and name it RestrictNullSessAccess; double-click on it and set the value to 1.
Now restart the computer.
WinVerifyTrust Signature Validation Vulnerability
CVE-2013-3900 WinVerifyTrust Signature Validation Vulnerability
To remediate CVE-2013-3900, add the registry values below.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
Enabled Guest Access to Security Log
We recommend that you locate the following registry key, and then set the REG_DWORD (32-bit) 'RestrictGuestAccess' entry to '1':
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
Right-click on Security, select New > DWORD (32-bit) Value and name it RestrictGuestAccess.
Double-click on it and set the value to 1.
Now restart the computer.
Enabled Guest Access to Application Log
We recommend that you locate the following registry key, and then set the REG_DWORD (32-bit) 'RestrictGuestAccess' entry to '1':
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
Right-click on Application, select New > DWORD (32-bit) Value and name it RestrictGuestAccess.
Double-click on it and set the value to 1.
Now restart the computer.
Enabled Guest Access to System Log
We recommend that you locate the following registry key, and then set the REG_DWORD (32-bit) 'RestrictGuestAccess' entry to '1':
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
Right-click on System, select New > DWORD (32-bit) Value and name it RestrictGuestAccess.
Double-click on it and set the value to 1.
Now restart the computer.
Windows Update For Credentials Protection and Management (Microsoft Security Advisory 2871997)
Recommended vulnerability solutions: “WDigest UseLogonCredential”
Actual solution: add this registry value.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
Right-click on WDigest, select New > DWORD (32-bit) Value and name it UseLogonCredential.
Double-click on it and set the value to 0.
Now restart the computer.
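As an added example (not part of the original page), the following PowerShell audits, without changing anything, the values that the sections from "SMBv2 signing not required" down to "Windows Update For Credentials Protection and Management" tell you to set; the paths and expected values are the ones given on this page, and the output marks each one as compliant or not.

```powershell
# Added example, not from the original page: read-only audit of the hardening
# values listed on this page. Run from an elevated PowerShell on the server.
$Checks = @(
    # SMB signing on the workstation (client) and server side
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnableSecuritySignature';  Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'EnableSecuritySignature';  Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Expected = 1 }
    # AutoPlay (this page uses 1; 255 / 0xFF covers every drive type)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Expected = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun';          Expected = 1 }
    # Cached domain logons (REG_SZ, so the expected value is the string '0')
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount'; Expected = '0' }
    # Null sessions
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous';      Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RestrictNullSessAccess'; Expected = 1 }
    # CVE-2013-3900 Authenticode padding check (REG_SZ "1" in both registry views)
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config';             Name = 'EnableCertPaddingCheck'; Expected = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'; Name = 'EnableCertPaddingCheck'; Expected = '1' }
    # Guest access to the event logs
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security';    Name = 'RestrictGuestAccess'; Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application'; Name = 'RestrictGuestAccess'; Expected = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System';      Name = 'RestrictGuestAccess'; Expected = 1 }
    # WDigest must not keep plaintext credentials in LSASS
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'; Expected = 0 }
)

function Test-RegistryBaseline {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # A missing key and a missing value both come back as $null here
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.$($c.Name) } else { $null }
        [pscustomobject]@{
            Name      = $c.Name
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
            # Compared as strings so a DWORD 1 and a REG_SZ "1" each match their own expected form
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expected)")
            Path      = $c.Path
        }
    }
}

$results = Test-RegistryBaseline -Checks $Checks
$results | Format-Table -AutoSize Name, Expected, Actual, Compliant, Path
$bad = @($results | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} settings need attention." -f $bad.Count, $results.Count)
```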
Microsoft Internet Explorer Security Update for September 2017
Actual solution: add this registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
Right-click on FeatureControl, select New > Key and name it FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX.
Now right-click on FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, select New > DWORD (32-bit) Value and name it iexplore.exe; double-click on it and set the value to 1.
Next, go to the location below and make the same change:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
Right-click on FeatureControl, select New > Key and name it FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX.
Now right-click on FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX, select New > DWORD (32-bit) Value and name it iexplore.exe; double-click on it and set the value to 1.
Restart the computer.
Microsoft Internet Explorer Cumulative Security Update (MS15-124)
A security feature bypass for Internet Explorer exists as a result of how exceptions are handled when dispatching certain window messages,
allowing an attacker to probe the layout of the address space and thereby bypass Address Space Layout Randomization (ASLR).
Actual solution: add this registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\
Right-click on FeatureControl, select New > Key and name it FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING.
Now right-click on FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING, select New > DWORD (32-bit) Value and name it iexplore.exe; double-click on it and set the value to 1.
Next, go to the location below and make the same change:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\
Right-click on FeatureControl, select New > Key and name it FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING.
Now right-click on FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING, select New > DWORD (32-bit) Value and name it iexplore.exe; double-click on it and set the value to 1.
Restart the computer.
Security Update for Windows Server 2012 (KB2871997)
https://www.catalog.update.microsoft.com/Search.aspx?q=KB2871997
After installing this update, apply the registry settings below.
Windows Update For Credentials Protection and Management
We recommend that you locate the following registry key, and then set or create a REG_SZ 'UseLogonCredential' entry with a value of '0':
HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest
Right-click on WDigest, select New > DWORD (32-bit) Value and name it UseLogonCredential.
Double-click on it and set the value to 0.
Now restart the computer.
Microsoft Windows DNS Resolver Addressing Spoofing Vulnerability (ADV200013)
Configure Windows DNS servers to use a UDP buffer size of 1221.
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system.
Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or
view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
Run regedit.exe as Administrator.
Navigate to the following registry node:
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
Right-click on Parameters, select New > DWORD (32-bit) Value and name it MaximumUdpPacketSize.
Double-click on it and set the value to 1221 (decimal).
Close Registry Editor and restart the DNS service.
https://msrc.microsoft.com/update-guide/vulnerability/ADV200013
Microsoft Guidance for Enabling LDAP Signing Missing (ADV190023)
Go to Start | Run, and enter Regedit.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Right-click on Parameters, select New > DWORD (32-bit) Value and name it LDAPServerIntegrity; double-click on it and set the value to 2.
Again go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.
Right-click on Parameters, select New > DWORD (32-bit) Value and name it LdapEnforceChannelBinding; double-click on it and set the value to 2.
Now restart the computer.
https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a
Windows Digital Signatures Remote Code Execution Vulnerability (MS13-098)
Paste the following text in a text editor such as Notepad. Then, save the file by using the .reg file name extension (for example, enableAuthenticodeVerification64.reg).
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
"EnableCertPaddingCheck"="1"
Note: You must restart the system for your changes to take effect.
Detected LanMan/NTLMv1 Authentication method
Follow the steps below for the "Weak LAN Manager hashing permitted" finding.
To disable this ability and better secure your workstations, follow these steps:
Go to Start | Run, and enter Regedit.
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
Find the LMCompatibility and LMCompatibilityLevel values.
If LMCompatibility is not found, right-click on LSA, select New > DWORD (32-bit) Value, name it LMCompatibility and set its value to 5.
Now create another DWORD (32-bit) value, name it LMCompatibilityLevel and set its value to 5.
After that, apply the following setting in Group Policy:
Press Win+R and type gpedit.msc
In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, and expand Local Policies.
Select Security Options.
Double-click Network Security: Do Not Store LAN Manager Hash Value On Next Password Change.
Select Enabled, and click OK.
If the SSL certificate's private key is missing:
Now that we are in the right place, enter the following command at the prompt:
certutil -repairstore my <SerialNumber>
where <SerialNumber> is the serial number obtained in Step 2 with spaces removed.
Open Windows PowerShell and run the commands below to disable SMBv1:
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Disable: Set-SmbServerConfiguration -EnableSMB1Protocol $false
Open Windows PowerShell and run the commands below to enable SMBv1:
Detect: Get-SmbServerConfiguration | Select EnableSMB1Protocol
Enable: Set-SmbServerConfiguration -EnableSMB1Protocol $true
To disable SMB1, run the command below in PowerShell:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force
To enable SMB1, run the command below in PowerShell:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
Microsoft ADV210003: Mitigating NTLM Relay Attacks on Active Directory Certificate Services
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\ EnableSecuritySignature (DWORD: 1)
SMB Signing Disabled or SMB Signing Not Required
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ RequireSecuritySignature (DWORD: 1)
For the Diffie-Hellman ciphers issue
Follow the steps below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\
Right-click on KeyExchangeAlgorithms, select New > Key and name it Diffie-Hellman.
Now right-click on Diffie-Hellman, select New > DWORD (32-bit) Value and name it Enabled; double-click on it and set the value to 0.
Now restart the computer.
TLS/SSL Server Supports The Use of Static Key Ciphers
Recommended vulnerability solutions: “Disable TLS/SSL support for static key cipher suites”
Actual solution: add this registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\
Right-click on KeyExchangeAlgorithms, select New > Key and name it PKCS.
Now right-click on PKCS, select New > DWORD (32-bit) Value and name it Enabled; double-click on it and set the value to 0.
Now restart the computer.
Windows System Has SSLv2 Enabled
SSLv2 needs to be disabled. Follow the steps below to disable it.
Actual solution: add these registry keys.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Right-click on Server, select New > Key and name it DisabledByDefault; double-click on it and set the value to 1.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Right-click on Client, select New > Key and name it DisabledByDefault; double-click on it and set the value to 1.
No Remote Desktop License Servers Available
If you think you have all the necessary RDS configuration, licenses (CALs) etc. in place, the issue might be related to a bug on the
Remote Desktop Session Host (RDSH) where it does not look to the Remote Desktop Services Licensing Server for CALs when the grace period ends.
In that case you can still connect to the computer reporting the error through an admin session: mstsc /admin
The fix for this error is to delete a registry key related to the grace period.
Open the Registry Editor (regedit) and go to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod
Delete the GracePeriod key (folder).
Restart the server.
Windows Unquoted Search Path or Element can allow local privilege escalation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Visual Studio 2010 Tools for Office
Double-click the image path string value and add double quotes (") at the start and end of the line below:
Before quoting:
C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.exe
After quoting:
"C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)\install.exe"
Windows Unquoted Search Path or Element can allow local privilege escalation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Help Viewer 1.1
Double-click the image path string value and add double quotes (") at the start and end of the line below:
Before quoting:
C:\Program Files\Microsoft Help Viewer\v1.0\Microsoft Help Viewer 1.1\install.exe
After quoting:
"C:\Program Files\Microsoft Help Viewer\v1.0\Microsoft Help Viewer 1.1\install.exe"
Windows Unquoted Search Path or Element can allow local privilege escalation
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\qs_logsvc
Double-click the ImagePath string value and add double quotes (") at the start and end of the line below:
Before quoting:
C:\Program Files (x86)\Quest\NetVaultBackup\bin\qs_logsvc.exe
After quoting:
"C:\Program Files (x86)\Quest\NetVaultBackup\bin\qs_logsvc.exe"
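The four "Unquoted Search Path" findings above are each one instance of the same misconfiguration. As an added example (not part of the original page), the following PowerShell finds every such case under the service ImagePath values and the Uninstall entries' UninstallString values (assumed to be the "image path" strings the page edits by hand), and can quote them with the same fix the page applies; it previews with -WhatIf first.

```powershell
# Added example, not from the original page: find unquoted executable paths that
# contain spaces, then quote the executable part exactly as the manual fix above does.
function Find-UnquotedPath {
    param(
        [string]$RootKey,    # key whose subkeys are scanned, e.g. HKLM:\SYSTEM\CurrentControlSet\Services
        [string]$ValueName   # 'ImagePath' for services, 'UninstallString' for Uninstall entries
    )
    Get-ChildItem -Path $RootKey -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the raw string so %SystemRoot% style values are not expanded and rewritten
        $raw = $_.GetValue($ValueName, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if (-not $raw) { return }
        $v = "$raw".Trim()
        # Already quoted, or a kernel-style path (\??\, \SystemRoot\) that needs no quoting
        if ($v.StartsWith('"') -or $v -match '^\\(\?\?|SystemRoot)\\') { return }
        # The executable part ends at the first ".exe"; whatever follows is arguments
        if ($v -notmatch '^(?<exe>.+?\.exe)(?<args>\s.*)?$') { return }
        $exe = $Matches['exe']
        if ($exe -notmatch '\s') { return }   # no spaces, so no ambiguity for CreateProcess
        [pscustomobject]@{
            Key   = $_.PSPath
            Value = $ValueName
            Exe   = $exe
            Args  = [string]$Matches['args']
            Kind  = $_.GetValueKind($ValueName)   # keep REG_SZ / REG_EXPAND_SZ when rewriting
        }
    }
}

function Repair-UnquotedPath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)]$Finding)
    process {
        $fixed = '"' + $Finding.Exe + '"' + $Finding.Args
        if ($PSCmdlet.ShouldProcess($Finding.Key, "set $($Finding.Value) to $fixed")) {
            Set-ItemProperty -Path $Finding.Key -Name $Finding.Value -Value $fixed -Type $Finding.Kind
        }
    }
}

$roots = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services';                                  Name = 'ImagePath' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Name = 'UninstallString' }
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Name = 'UninstallString' }
)
$findings = foreach ($r in $roots) { Find-UnquotedPath -RootKey $r.Key -ValueName $r.Name }
$findings | Format-Table -AutoSize Exe, Value, Key

# Preview the rewrites first; remove -WhatIf to apply them
$findings | Repair-UnquotedPath -WhatIf
```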
After uninstalling Java, how do I remove its listing in the Windows Uninstall/Remove Programs?
Navigate to the following registry node:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Under this Uninstall node you will find many registry entry names enclosed in curly braces, e.g. {26A24AE4-039D-4CA4-87B4-2F83216013FB}.
Click on each registry entry in the left pane; its associated data is displayed in the right pane of Registry Editor.
or
Click Edit > Find in the Registry Editor window and enter the Java version that you want to find keys for.
For example, searching for Java(TM) 6 Update 24 finds its entry.
Delete the registry entry found for Java by right-clicking on the registry key name and selecting Delete.
Click Yes on the Confirm Key Delete message box.
Microsoft XML Core Services XMLHttpRequest “SetCookie2” Header Information Disclosure Vulnerability – Zero Day
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-043?redirectedfrom=MSDN
Security Update for Microsoft XML Core Services 4.0 Service Pack 3 for Windows Server 2012 Release Candidate (KB2721691)
https://www.catalog.update.microsoft.com/Search.aspx?q=KB2721691
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26832
Microsoft XML Core Services XMLHttpRequest “SetCookie2” Header Information Disclosure Vulnerability – Zero Day
Security Update for Windows Server 2012 R2 (KB2993958)
https://www.microsoft.com/en-us/download/details.aspx?id=44644
To set the kill bit for the MSXML 5.0 for Microsoft Office ActiveX control, follow these steps:
Create a text file named Disable_MSXML5.reg with the following contents:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969e5-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969e5-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969e6-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969e6-f192-11d4-a65f-0040963251e5}]
"Compatibility Flags"=dword:00000400
Double-click the .reg file to apply it to an individual system.
Restart Internet Explorer for your changes to take effect.
Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and Local intranet security zone
You can help protect against this vulnerability by changing your settings to prompt before running Active Scripting or to disable Active Scripting in
the Internet and Local intranet security zone. To do this, follow these steps:
In Internet Explorer, click Internet Options on the Tools menu.
Click the Security tab.
Click Internet, and then click Custom Level.
Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
Click Local intranet, and then click Custom Level.
Under Settings, in the Scripting section, under Active Scripting, click Prompt or Disable, and then click OK.
Click OK two times to return to Internet Explorer.
Block RC4 in .NET TLS
Add a SchUseStrongCrypto DWORD value to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 registry keys.
From the Windows search bar, use regedit to open the Windows Registry Editor.
Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319.
Create a new DWORD value named: SchUseStrongCrypto
Set the value to: 1
On a 64-bit version of Windows, browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
Create a new DWORD value named: SchUseStrongCrypto
Set the value to: 1
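The WinHTTP DefaultSecureProtocols setting (the "Microsoft WinHTTP support for TLS 1.1 and TLS 1.2 Missing" section) and the .NET SchUseStrongCrypto setting just above follow the same pattern: one DWORD in the native key and one in the Wow6432Node key. As an added example (not part of the original page), the PowerShell below applies both, creating the keys where needed and reading each value back; it uses [Environment]::Is64BitOperatingSystem to decide whether the Wow6432Node copy is needed.

```powershell
# Added example, not from the original page: set a DWORD in the native and the
# Wow6432Node registry view and read it back. Run from an elevated PowerShell.
function Set-DwordInBothViews {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $paths = @("HKLM:\SOFTWARE\$SubKey")
    # 32-bit processes on a 64-bit OS read the Wow6432Node copy, so set it there as well
    if ([Environment]::Is64BitOperatingSystem) { $paths += "HKLM:\SOFTWARE\Wow6432Node\$SubKey" }
    foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
        $readBack = (Get-ItemProperty -Path $p -Name $Name).$Name
        [pscustomobject]@{ Path = $p; Name = $Name; Value = ('0x{0:X}' -f $readBack); Ok = ($readBack -eq $Value) }
    }
}

# WinHTTP: the DWORD is a bit mask (0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2).
# 0x800 is what this page uses; 0xA00 would allow TLS 1.1 and 1.2 while an old peer
# still needs 1.1. On Server 2012 the value is honoured only once KB3140245 is installed.
Set-DwordInBothViews -SubKey 'Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' `
                     -Name 'DefaultSecureProtocols' -Value 0x800

# .NET Framework 4.x: SchUseStrongCrypto = 1 makes .NET use the stronger, OS-managed
# protocol and cipher defaults, which leave out RC4.
Set-DwordInBothViews -SubKey 'Microsoft\.NETFramework\v4.0.30319' `
                     -Name 'SchUseStrongCrypto' -Value 1
```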
Open Run, type regedit, press Enter, and add the registry keys below for the TLS/SSL birthday attack findings:
"TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)" and "TLS/SSL Server Supports 3DES Cipher Suite"
Recommended vulnerability solution: "Disable TLS/SSL support for 3DES cipher suite."
Actual solution: add these registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
Right-click on Ciphers, select New > Key and name it RC4 128/128.
Again right-click on Ciphers, select New > Key and name it Triple DES 168.
Now go to RC4 128/128, right-click on it, select New > DWORD (32-bit) Value, name it Enabled, double-click on it and set the value to 0.
Repeat this step for Triple DES 168.
Now close the Registry Editor and restart the computer.
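The Schannel changes on this page (the RC4 keys from the RDP weak encryption section, the Diffie-Hellman and PKCS key exchange keys, the SSL 2.0 Server and Client keys, and the RC4 128/128 and Triple DES 168 keys just above) all live under the SCHANNEL key the note at the top of the page tells you to back up. As an added example (not part of the original page), the PowerShell below exports that key first and then applies all of them; the backup folder C:\RegBackup is an assumption, and DisabledByDefault is created as a DWORD value under the Server and Client keys, which is how Schannel reads it.

```powershell
# Added example, not from the original page. Back up SCHANNEL, then apply the cipher,
# key exchange and SSL 2.0 settings listed on this page. Run from an elevated PowerShell;
# Schannel only picks the new values up after a reboot.
$schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$backupDir = Join-Path $env:SystemDrive 'RegBackup'   # assumed location, change as needed
$backup    = Join-Path $backupDir ('SCHANNEL-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
& reg.exe export "HKLM\$schannel" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Export of HKLM\$schannel failed; not changing anything."
}

# The cipher key names contain a forward slash ("RC4 40/128"). The HKLM: provider can
# misread that as a path separator, so the .NET registry API, which only treats
# backslashes as separators, is used to create the keys and set the DWORDs.
function Set-SchannelDword {
    param([string]$SubKey, [string]$Name, [int]$Value)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\$SubKey")
    try {
        $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
        [pscustomobject]@{ Key = "HKLM\$schannel\$SubKey"; Name = $Name; Value = $key.GetValue($Name) }
    } finally {
        $key.Close()
    }
}

$changes = @(
    # Ciphers: Enabled = 0 turns the cipher off (RC4 and 3DES findings)
    @{ SubKey = 'Ciphers\RC4 40/128';     Name = 'Enabled'; Value = 0 }
    @{ SubKey = 'Ciphers\RC4 56/128';     Name = 'Enabled'; Value = 0 }
    @{ SubKey = 'Ciphers\RC4 128/128';    Name = 'Enabled'; Value = 0 }
    @{ SubKey = 'Ciphers\Triple DES 168'; Name = 'Enabled'; Value = 0 }
    # Key exchange: PKCS is RSA key transport (the static key finding); Diffie-Hellman is
    # finite-field DHE. With both disabled only ECDH(E) suites remain, so confirm your
    # clients negotiate ECDHE before applying the Diffie-Hellman line.
    @{ SubKey = 'KeyExchangeAlgorithms\PKCS';           Name = 'Enabled'; Value = 0 }
    @{ SubKey = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'Enabled'; Value = 0 }
    # SSL 2.0: DisabledByDefault is a DWORD value under the Server and Client keys
    # (setting Enabled = 0 on the same keys would switch SSL 2.0 off outright)
    @{ SubKey = 'Protocols\SSL 2.0\Server'; Name = 'DisabledByDefault'; Value = 1 }
    @{ SubKey = 'Protocols\SSL 2.0\Client'; Name = 'DisabledByDefault'; Value = 1 }
)

$changes |
    ForEach-Object { Set-SchannelDword -SubKey $_.SubKey -Name $_.Name -Value $_.Value } |
    Format-Table -AutoSize
Write-Host "Backup written to $backup. Roll back with: reg import `"$backup`" (then reboot)."
```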