SchUseStrongCrypto must be enabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-259577 | EX19-ED-000006 | SV-259577r960759_rule | CCI-000068 | medium |
| Description |
| Exchange Server 2019 is configured by default with TLS 1.2. However, SchUseStrongCrypto is not set by default and must be configured to meet the TLS requirement. The strong cryptography (configured by the SchUseStrongCrypto registry value) uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure. SchUseStrongCrypto affects only client (outgoing) connections in the application. |
| STIG | Date |
| Microsoft Exchange 2019 Edge Server Security Technical Implementation Guide | 2024-12-06 |
Related Frameworks
3 paths across 3 frameworks
NIST 800-53 (1 mapping)
AC-17(2)
1.00
- DISA · V2R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.1.13
1.00
- DISA · V2R2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000068
1.00
- DISA · V2R2 · disa_xccdf · related
Details
Check Text (C-259577r960759_chk)
In a PowerShell window, run the following command:
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
If the value "SchUseStrongCrypto" is not present or is not set to 1, this is a finding.
Fix Text (F-63224r942044_fix)
In a PowerShell window with elevated privileges, run the following commands:
reg add HKLM\SOFTWARE\Microsoft\.NetFramework\v4.0.30319 /v "SchUseStrongCrypto" /t REG_DWORD /d 1
reg add HKLM\SOFTWARE\WoW6432Node\Microsoft\.NetFramework\v4.0.30319 /v "SchUseStrongCrypto" /t REG_DWORD /d 1
This will create the value within the necessary key and set the data to 1.
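
The Check Text queries only the first key, while the Fix Text writes the value under both the native and WoW6432Node keys. The following PowerShell audit is an added example, not part of the STIG: it reports the state of SchUseStrongCrypto under both keys. The function name Test-SchUseStrongCrypto, its output fields, and the REG_DWORD type check (taken from the type the Fix Text creates) are assumptions of this example.

```powershell
# Added example (not STIG text): audit SchUseStrongCrypto in both registry
# keys that the Fix Text writes. Function name and output shape are assumptions.
# Run from a 64-bit PowerShell session so the first path is not redirected
# to the WoW6432Node view.
function Test-SchUseStrongCrypto {
    [CmdletBinding()]
    param(
        [string[]]$Path = @(
            'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
            'HKLM:\SOFTWARE\WoW6432Node\Microsoft\.NetFramework\v4.0.30319'
        )
    )
    foreach ($p in $Path) {
        $status = 'Finding'
        $data   = $null
        $kind   = $null
        if (-not (Test-Path -LiteralPath $p)) {
            $detail = 'Key does not exist'
        }
        else {
            $key = Get-Item -LiteralPath $p
            # -notcontains is case-insensitive, like registry value names
            if ($key.GetValueNames() -notcontains 'SchUseStrongCrypto') {
                $detail = 'Value is not present'
            }
            else {
                $data = $key.GetValue('SchUseStrongCrypto')
                $kind = $key.GetValueKind('SchUseStrongCrypto')
                # Assumption: require the REG_DWORD type the Fix Text creates
                if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                    $detail = "Value type is $kind, expected DWord"
                }
                elseif ($data -ne 1) {
                    $detail = "Value data is $data, expected 1"
                }
                else {
                    $status = 'NotAFinding'
                    $detail = 'Present and set to 1'
                }
            }
        }
        [pscustomobject]@{
            Path = $p; Data = $data; Kind = $kind; Status = $status; Detail = $detail
        }
    }
}

Test-SchUseStrongCrypto | Format-Table -AutoSize -Wrap
```

Any row with Status "Finding" identifies the key that still needs the corresponding reg add command from the Fix Text.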