Easy2Patch v4.0

Securing Windows Server

Last updated 5 months ago

TLS Security

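To increase TLS security, add the following registry keys to your Windows Server. Run the commands from an elevated PowerShell prompt (the lines starting with # are comments there, but not in cmd.exe), and restart the server afterwards so the SCHANNEL changes take effect.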

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v Enabled /d 0 /t REG_DWORD /f

# Enable strong crypto and system-default TLS versions for .NET v2
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f

# Enable strong crypto and system-default TLS versions for .NET v4
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f

# Same settings for .NET v2, x86 (32-bit) registry view
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f

# Same settings for .NET v4, x86 (32-bit) registry view
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f

#TLS 1.2
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f

# TLS 1.3 (supported in Windows 11 and Windows Server 2022): EnableHttp3 turns on HTTP/3 in HTTP.sys, which runs over TLS 1.3
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f

#Disable Old TLS Versions
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
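
To confirm the settings above are actually in place, for example after a reboot or a Group Policy refresh, the following read-only PowerShell audit compares the registry with the values this page sets. It is an added example, not part of the Easy2Patch documentation; the variable names are illustrative, and the "Triple DES 168/168" key is skipped because the PowerShell registry provider treats "/" as a path separator.

```powershell
# Added example: audit the registry values set by the reg add commands above.
# Read-only; run in an elevated PowerShell session on the server.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$expected = @(
    @{ Path = "$schannel\Ciphers\Triple DES 168"; Name = 'Enabled'; Value = 0 }
)
# TLS 1.2 must be enabled; TLS 1.0 and 1.1 must be disabled, client and server side.
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $on = [int]($proto -eq 'TLS 1.2')
    foreach ($role in 'Client', 'Server') {
        $key = "$schannel\Protocols\$proto\$role"
        $expected += @{ Path = $key; Name = 'Enabled'; Value = $on }
        $expected += @{ Path = $key; Name = 'DisabledByDefault'; Value = 1 - $on }
    }
}
# .NET Framework v2/v4 in both the 64-bit and the 32-bit (Wow6432Node) view.
foreach ($root in 'HKLM:\SOFTWARE\Microsoft', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft') {
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            $expected += @{ Path = "$root\.NETFramework\$ver"; Name = $name; Value = 1 }
        }
    }
}

$report = foreach ($e in $expected) {
    # A missing key or value means the OS default applies, so report it as NotSet.
    $item = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
    [pscustomobject]@{
        Path     = $e.Path
        Name     = $e.Name
        Expected = $e.Value
        Actual   = if ($null -eq $actual) { 'NotSet' } else { $actual }
        Ok       = ($actual -eq $e.Value)
    }
}

# Show only the values that differ, then a one-line summary.
$report | Where-Object { -not $_.Ok } | Format-Table -AutoSize -Wrap
"{0} of {1} values match" -f @($report | Where-Object Ok).Count, $report.Count
```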

Remove unwanted headers

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" /v DisableServerHeader /d 1 /t REG_DWORD /f

web.config File Recommendations

With the custom headers section you can mitigate clickjacking (X-Frame-Options) and apply a Content Security Policy that restricts where the page may load content from.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <!-- Other Web.config Content -->
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="Content-Security-Policy" />
                <add name="X-Frame-Options" value="SAMEORIGIN" />
                <add name="Content-Security-Policy" value="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>
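
Because a malformed web.config makes IIS answer with HTTP 500.19, it is worth checking the file before it goes live. The PowerShell below is an added example, not part of the Easy2Patch documentation: the function name `Test-CustomHeaders` is hypothetical, and `$sample` is constructed input that mirrors the snippet above.

```powershell
# Added example: validate the customHeaders section before deploying web.config.
# $sample is constructed input mirroring the snippet on this page.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="Content-Security-Policy" />
                <add name="X-Frame-Options" value="SAMEORIGIN" />
                <add name="Content-Security-Policy" value="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>
'@

function Test-CustomHeaders {
    param(
        [string]$Xml,
        [string[]]$Required = @('X-Frame-Options', 'Content-Security-Policy')
    )
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($Xml) }
    catch { return "Malformed XML (IIS would answer 500.19): $($_.Exception.Message)" }

    $xpath = '/configuration/system.webServer/httpProtocol/customHeaders/add'
    $names = @($doc.SelectNodes($xpath) | ForEach-Object { $_.GetAttribute('name') })
    $problems = @()
    foreach ($r in $Required) {
        if ($names -notcontains $r) { $problems += "missing header: $r" }
    }
    # Two <add> entries with the same name are a duplicate collection entry for IIS.
    foreach ($g in ($names | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $problems += "duplicate <add>: $($g.Name)"
    }
    if ($problems.Count -eq 0) { 'OK' } else { $problems }
}

Test-CustomHeaders -Xml $sample
# Constructed broken variant: an XML comment must not contain "--" inside it.
Test-CustomHeaders -Xml ($sample -replace '<configuration>', '<configuration><!--- other ---->')
```

To check a real file, pass `(Get-Content -Raw <path to web.config>)` as `-Xml`.
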
Security Vulnerabilities of Pre-TLS 1.2 Protocols and the Importance of TLS 1.2/1.3