Toggle navigation

Security Hardening: Upgrade Diffie-Hellman Prime to 2048 bit on Windows Server

Articles \ Windows

During a Security Audit from your Windows Server you might have discovered that it is still supporting a Diffie-Hellman primes smaller than 1024-bit which is weak (see https://weakdh.org/) and you wish to change that.

To solve that there are two options possible:

 

1.) You could disable Diffie-Hellman completely via:

1a.) Run Regedit on the affected server

1b.) navigate to the following Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms

1c.) Create a new sub key named Diffie-Hellman (if it didn´t already exists)

1d.) Inside that create a new DWORD called "Enabled" with the value 0

You can also use the following *.reg file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:0

1e.) Reboot the Server

 

2.) You can upgrade the Diffie-Hellman Prime to 2048bit (or higher if you need) as mentioned by Microsoft here.

2a.) Make sure that you have KB 3174644 installed on the affected server.

2b.) Run Regedit on the affected server

2c.) navigate to the following Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms

2d.) Create a new sub key named Diffie-Hellman (if it didn´t already exists)

2e.) Inside that create a new DWORD called "ServerMinKeyBitLength" with the value "00000800" (for 2048 bit)

You can also use the following *.reg file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

 2f.) Reboot the Server

 

Kommentare (4)

Wolfgang
  2. #481
This comment was minimized by the moderator on the site

Anyone knows if this is supported on a Skype for Business Edge Server?

  1. Antworten
Bastian W.    Wolfgang
  2. #482
This comment was minimized by the moderator on the site

Hi Wolfgang,

welcome to my blog. I use the configuration on our large SfB environment (up to date with CU) with many thousand users and have not seen an issue. If you change the config and see an issue you can easily roll back here and restore...

Hi Wolfgang,

welcome to my blog. I use the configuration on our large SfB environment (up to date with CU) with many thousand users and have not seen an issue. If you change the config and see an issue you can easily roll back here and restore the original settings.

Weiterlesen
  1. Antworten
Ed
  2. #539
This comment was minimized by the moderator on the site

How can you determine if this has actually worked? The penetration test was performed by an outside party so i don't have access to the tool they used.

  1. Antworten
During a Security Audit from your Windows Server you might have discovered that it is still supporting a Diffie-Hellman primes smaller than 1024-bit which is weak (see https://weakdh.org/) and you wish to change that.

To solve that there are two options possible:

 

1.) You could disable Diffie-Hellman completely via:

1a.) Run Regedit on the affected server

1b.) navigate to the following Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms

1c.) Create a new sub key named Diffie-Hellman (if it didn´t already exists)

1d.) Inside that create a new DWORD called "Enabled" with the value 0

You can also use the following *.reg file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:0

1e.) Reboot the Server

 

2.) You can upgrade the Diffie-Hellman Prime to 2048bit (or higher if you need) as mentioned by Microsoft here.

2a.) Make sure that you have KB 3174644 installed on the affected server.

2b.) Run Regedit on the affected server

2c.) navigate to the following Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\KeyExchangeAlgorithms

2d.) Create a new sub key named Diffie-Hellman (if it didn´t already exists)

2e.) Inside that create a new DWORD called "ServerMinKeyBitLength" with the value "00000800" (for 2048 bit)

You can also use the following *.reg file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

 2f.) Reboot the Server

 

Kommentare (4)

Wolfgang
  2. #481
This comment was minimized by the moderator on the site

Anyone knows if this is supported on a Skype for Business Edge Server?

  1. Antworten
Bastian W.    Wolfgang
  2. #482
This comment was minimized by the moderator on the site

Hi Wolfgang,

welcome to my blog. I use the configuration on our large SfB environment (up to date with CU) with many thousand users and have not seen an issue. If you change the config and see an issue you can easily roll back here and restore...

Hi Wolfgang,

welcome to my blog. I use the configuration on our large SfB environment (up to date with CU) with many thousand users and have not seen an issue. If you change the config and see an issue you can easily roll back here and restore the original settings.

Weiterlesen
  1. Antworten
Ed
  2. #539
This comment was minimized by the moderator on the site

How can you determine if this has actually worked? The penetration test was performed by an outside party so i don't have access to the tool they used.

  1. Antworten
Bastian W.    Ed
  2. #540
This comment was minimized by the moderator on the site

You can use nMap to check that (see here: https://www.admin-enclave.com/en/articles/windows/167-use-nmap-to-check-used-ssl-tls-protocol-and-ciphers.html)

  1. Antworten
There are no comments posted here yet

Einen Kommentar verfassen

  1. Posting comment as a guest.
Anhänge (0 / 3)
Share Your Location