Group Policy Template for Schannel

Maintainers Wanted!

I no longer maintain Windows servers for my job, so this may be out of date. If you notice something that needs to be updated, please submit an issue or a pull request! I can only rely on others to keep this project relevant and updated, and if you'd like to help out (and have a Windows environment in which you could test pull requests!), let me know and I can add you to this repo. Thanks!

What Is This?

I really like Nartac Software's IIS Crypto tool for configuring protocols, ciphers, hashes and key exchange algorithms on Windows. However, since the tool simply makes changes to the local machine's registry it still requires a bit of work if you want to roll out these changes to multiple machines. Sure, you could use IIS Crypto on a single machine, export the registry keys, then import them via a startup script GPO, but I wanted a more Group Policy-integrated way to enable or disable things. So I created an administrative template for Group Policy to do just that.

What Does it Do?

This template simply twiddles values under the registry key HKLM\CurrentControlSet\Control\SecurityProviders\Schannel.

Note that since that key does not reside under the Policies key, using this template will "tattoo" the settings onto the registry. In other words, removing the policy will not revert these settings to their previous values.

Installation

From MSDN's Managing Group Policy ADMX Files Step-by-Step Guide, there are two ways to install custom administrative templates.

Local Installation

• Copy the language-neutral ADMX file(s) to %SYSTEMROOT%\PolicyDefinitions.
• Copy the language-specific ADML file(s) to %SYSTEMROOT%\PolicyDefinitions\[MUIculture] (for example, the U.S. English ADMX language specific file will be stored in %SYSTEMROOT%\policyDefinitions\en-us.)

You will then be able to use the template on your local workstation to create and edit local or domain policies, but the template will not be available to other administrators. A better option is to install the template files in the domain's central store.

Installation in the Central Store

To make the template available automatically to all Group Policy administrators in a domain, perform the following on a domain controller:

• Copy the language-neutral ADMX file(s) to %SYSTEMROOT%\sysvol\domain\policies\PolicyDefinitions.
• Copy the language-specific ADML file(s) to %SYSTEMROOT%\sysvol\domain\policies\PolicyDefinitions\[MUIculture] (for example, the U.S. English ADMX language specific file will be stored in %SYSTEMROOT%\sysvol\domain\policies\PolicyDefinitions\en-us.)

Usage

The new policy settings are located in the same place one would normally configure the SSL Cipher Suite order; namely:

Computer Configuration/Administrative Templates/Network/SSL Configuration

Screenshot:

Available Policy Settings

Any of the following ciphers, hash algorithms, or key exchange algorithms can be enabled or disabled globally. The protocols can be independently configured for both client and server use. Note that changes to the ciphers and hashes (and presumably, to the key exchange algorithms) will take effect immediately when the group policy is applied. Changes to protocols require a restart of the computer.

Ciphers

• AES 128/128
• AES 256/256

Ciphers\Weak Ciphers

• NULL
• DES 56/56
• RC2 40/128
• RC2 56/128
• RC2 128/128
• RC4 40/128
• RC4 56/128
• RC4 64/128
• RC4 128/128
• Triple DES 168

Hash Algorithms

• SHA-256
• SHA-384
• SHA-512

Hash Algorithms\Weak Hash Algorithms

• MD5
• SHA (also called "SHA-1")

Key Exchange Algorithms

• PKCS
• Elliptic-Curve Diffie-Hellman (ECDH)

Key Exchange Algorithms\Weak Key Exchange Algorithms

• Diffie-Hellman (DH)

Protocols

• TLS 1.3
• TLS 1.2
• DTLS 1.2
• DTLS 1.0

Protocols\Weak Protocols

• Multi-Protocol Unified Hello
• PCT 1.0
• SSL 2.0
• SSL 3.0
• TLS 1.0
• TLS 1.1

Cipher Suite Order

Setting the cipher suite order (the second half of IIS Crypto) for Windows involves configuring a Microsoft-delivered group policy setting. See Prioritizing Schannel Cipher Suites for more information. (Note this line on that page, however: "The list of cipher suites is limited to 1023 characters." So you can't go nuts with this GPO like you can if you set the registry key outright, but the GPO is certainly easier to deploy.) There are a few ways you can build your cipher suite list.

• Use IIS Crypto as a guide. Start the tool, click the "Best Practices" button, and copy down what it gives you.
• Use Steve Gibson's list. Just copy that list, remove the line breaks, and paste it into the GPO setting.
• Roll your own.

Once you've got your list, add it to your GPO and roll it out!

Resources

• SSL Labs' SSL/TLS Deployment Best Practices
• TLS Cipher Suites in Windows Server 2003 and XP
• SSL Cipher Suites in Windows Server 2003 and XP
• Schannel Cipher Suites in Windows Server 2008 and Vista
• Schannel Cipher Suites in Windows Server 2008 R2 and above
• Microsoft TLS 1.3 Support Reference
• How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
• Managing Group Policy ADMX Files Step-by-Step Guide
• Transport Layer Security (TLS) registry settings
• Transport Layer Security (TLS) best practices with .NET Framework