ARKSSPR 2.0
  • ARKSSPR
    • Overview
      • What is ARKSSPR
      • FAQs
      • Road-Map
      • Licensing
    • Planning
      • POC Requirements
      • Supported Configurations
      • Windows Server Requirements
      • SQL Server Requirements
      • Network Requirements
      • Design
    • Deployment
      • Active Directory Rights
      • DNS Service Record for Agent Autodiscovery
      • HTTPS Certificate
      • ARKSSPR Internal Installation
        • Installing Microsoft SQL Server
        • Internet Information Service Installation
        • .NET Core 6.0 Download and Install
        • .Net Framework 4.7.2 Download and Install
        • Installation
        • First Time Wizard
        • IIS Configuration
        • Initial Configuration
      • ARKSSPR DMZ Installation
        • Internet Information Service Installation
        • .NET Core 6.0 Download and Install
        • Installing ARKSSPR DMZ Installation
        • IIS Configuration
        • Initial Configuration
    • Administration
      • Login
        • Root Account
      • Password Reset
      • Unlock Account
      • My Account
        • Change Password
        • Secondary E-Mail
        • Validation Type
        • Authenticator Definition
      • Report Management
        • Reports
        • Report Schedule
      • Role Management
      • Settings
        • General Settings
          • Server Settings
          • LDAP Settings
          • E-Mail Settings
          • SMS Settings
          • Syslog Settings
          • Ticket Settings
        • Login Settings
          • General Settings
          • Captcha Settings
          • Validation Settings
        • User Settings
          • Authenticator Management
        • Policy Settings
          • Password Settings
          • Policy Settings
        • Portal Settings
      • License Management
        • Offline License
        • Online License
      • Log Management
      • Screen Management
      • Ticket Management
    • Troubleshooting
      • UserTokenTTL
      • Securing Windows Server
Powered by GitBook
On this page
  • TLS Security
  • Remove unwanted headers
  • web.config File Recomendations

Was this helpful?

  1. ARKSSPR
  2. Troubleshooting

Securing Windows Server

TLS Security

For increase TLS security you should add following registry keys to your SessionLimit Windows Server.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /v Enabled /d 0 /t REG_DWORD /f

REM Enable .NET Security for v2
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f


REM Enable .NET Security for v4
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f

REM Enable .NET Security for v2 x86 architecture
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f

REM Enable .NET Security for v4 x86 architecture
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SystemDefaultTlsVersions /d 1 /t REG_DWORD /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /d 1 /t REG_DWORD /f

REM TLS 1.2
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f

REM TLS 1.3 (Supports in Windows 11 & Windows Server 2022)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f

REM Disable Old TLS Versions
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

Remove unwanted headers

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" /v DisableServerHeader /d 1 /t REG_DWORD /f

web.config File Recomendations

With the custom headers section you can prevent Clickjacking and Content Security Policy attacks.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<!---
Other Web.config Content
---->
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="Content-Security-Policy" />
                <add name="X-Frame-Options" value="SAMEORIGIN" />
                <add name="Content-Security-Policy" value="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'" />
                <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>
PreviousUserTokenTTL

Last updated 8 months ago

Was this helpful?