During a security audit of your Windows Server you might have discovered that it still supports Diffie-Hellman primes smaller than 1024 bits, which is weak (see https://weakdh.org/), and you wish to change that.
There are two options to solve this:
1.) You could disable Diffie-Hellman completely:
1a.) Run Regedit on the affected server
1b.) Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms
1c.) Create a new sub key named Diffie-Hellman (if it doesn't already exist)
1d.) Inside that key, create a new DWORD value called "Enabled" with the value 0
You can also use the following *.reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:0
1e.) Reboot the Server
2.) You can raise the minimum Diffie-Hellman prime size to 2048 bits (or higher if you need) as mentioned by Microsoft here.
2a.) Make sure that you have KB 3174644 installed on the affected server.
2b.) Run Regedit on the affected server
2c.) Navigate to the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms
2d.) Create a new sub key named Diffie-Hellman (if it doesn't already exist)
2e.) Inside that key, create a new DWORD value called "ServerMinKeyBitLength" with the hexadecimal value "00000800" (2048 bits)
You can also use the following *.reg file:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800
2f.) Reboot the Server
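The two options above can be audited and applied from an elevated PowerShell session instead of Regedit. The following script is an added example and not part of the original post: the registry path, the "Enabled" and "ServerMinKeyBitLength" values and the KB number come from the steps above, while the function names (Get-DhState, Test-DhHardened, Set-DhMinimumKeyLength) and the -Bits parameter are this example's own.

```powershell
# Added example (not from the original post). Audits the SChannel Diffie-Hellman
# settings described above and can enforce option 2 (minimum prime size).
# Run from an elevated PowerShell session; a reboot is still required afterwards.

$DhKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$MinBits = 2048   # 0x800, the value used in step 2e

function Get-DhState {
    # Collects what the post's two options depend on: the key, the two DWORDs
    # and whether KB3174644 (step 2a) is present.
    $state = [ordered]@{
        KeyExists        = Test-Path -Path $DhKey
        Enabled          = $null
        ServerMinKeyBits = $null
        KB3174644        = [bool](Get-HotFix -Id 'KB3174644' -ErrorAction SilentlyContinue)
    }
    if ($state.KeyExists) {
        $props = Get-ItemProperty -Path $DhKey
        $state.Enabled          = $props.Enabled
        $state.ServerMinKeyBits = $props.ServerMinKeyBitLength
    }
    [pscustomobject]$state
}

function Test-DhHardened {
    # True if DH is switched off entirely (option 1) or the server refuses
    # primes below $MinBits (option 2).
    $s = Get-DhState
    if ($s.Enabled -eq 0) { return $true }
    return ($null -ne $s.ServerMinKeyBits -and $s.ServerMinKeyBits -ge $MinBits)
}

function Set-DhMinimumKeyLength {
    param([int]$Bits = $MinBits)
    # Step 2a: the post requires KB3174644 before the value is meaningful.
    if (-not (Get-DhState).KB3174644) {
        throw 'KB3174644 is not installed; install it before setting ServerMinKeyBitLength.'
    }
    # Steps 2d/2e: create the sub key if needed, then write the DWORD.
    if (-not (Test-Path -Path $DhKey)) { New-Item -Path $DhKey -Force | Out-Null }
    New-ItemProperty -Path $DhKey -Name 'ServerMinKeyBitLength' -PropertyType DWord -Value $Bits -Force | Out-Null
    Write-Host "ServerMinKeyBitLength set to $Bits bits; reboot the server (step 2f) for SChannel to apply it."
}

# Audit first; only call Set-DhMinimumKeyLength once you have decided on option 2.
Get-DhState
if (-not (Test-DhHardened)) {
    Write-Warning 'Diffie-Hellman primes below 2048 bits are still accepted by this server.'
}
```

Usage: run the script to see the current state, then call Set-DhMinimumKeyLength (optionally with -Bits 3072 or higher) and reboot. Option 2 is usually the better choice: setting "Enabled" to 0 removes every DHE cipher suite from the server, while raising ServerMinKeyBitLength keeps DHE available with primes of the required size. Re-run Get-DhState after the reboot to confirm the values survived.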
2017 - MS WindowsHardening