[Gelöst] CVE-2024-21410 | Enabling Extended Protection --> Test Failed: SchUseStrongCrypto is not configured as expected

Exchange Server 2019

Letzter Beitrag von NorbertFe Vor 5 Monaten

3 Beiträge

2 Benutzer

1 Reactions

2,523 Ansichten

RSS

Prof Hase

(@prof-hase)

Active Member

Beigetreten: Vor 4 Jahren

Beiträge: 5

Themenstarter 19. Februar 2024 08:45

Guten Morgen zusammen,

ich bekomme beim Versuch Extended Protection auf einem Exchange 2019 unter Server 2022 ohne DAG folgenden Fehler:

[PS] C:\ExchangeExtendedProtectionManagement.ps1
Version 24.02.13.1755

Enabling Extended Protection
Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work when Extended Protection is enabled.
    - SSL offloading or SSL termination via Layer 7 load balancing.
    - Exchange Hybrid Features if using Modern Hybrid.
    - Access to Public folders on Exchange 2013 Servers.
You can find more information on:  https://aka.ms/ExchangeEPDoc.  Do you want to proceed?
[J] Ja  [A] Ja, alle  [N] Nein  [K] Nein, keine  [H] Anhalten  [?] Hilfe (Standard ist "J"): a

The following servers have the TLS Configuration below
SERVERNAME

RegistryName        Location                                                                              Value
------------        --------                                                                              -----
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v2.0.50727
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v2.0.50727
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v4.0.30319
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                           1
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319                               1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  1

Test Failed: SchUseStrongCrypto is not configured as expected
System affected: SERVERNAME
Action required: Configure SchUseStrongCrypto for NETv4 as described here:  https://aka.ms/ExchangeEPDoc 

WARNUNG: Failed to pass the TLS prerequisites for the servers you are trying to enable Extended Protection. Unable to continue.

Servers trying to enable: SERVERNAME
Do you have feedback regarding the script? Please email ExToolsFeedback@microsoft.com.

Zitat

Prof Hase

(@prof-hase)

Active Member

Beigetreten: Vor 4 Jahren

Beiträge: 5

Themenstarter 21. Februar 2024 09:20

Und hier die Lösung ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001

AntwortZitat

NorbertFe

(@norbertfe)

Noble Member

Beigetreten: Vor 4 Jahren

Beiträge: 1503

21. Februar 2024 10:33

Veröffentlicht von: @prof-hase

↑

Und hier die Lösung ;)

Test Failed: SchUseStrongCrypto is not configured as expected
System affected: SERVERNAME
Action required: Configure SchUseStrongCrypto for NETv4 as described here:

https://aka.ms/ExchangeEPDoc und der verweist auf

Refer to this Exchange Server TLS configuration best practices guide to configure the required TLS settings on your Exchange servers. ;)

Und der zeigt dann u.a.:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord

Prof Hase reacted

AntwortZitat

Forum Icons: Das Forum enthält keine ungelesenen Beiträge Das Forum enthält ungelesene Beiträge

Themen-Icons: Unbeantwortet Beantwortet Aktiv Heiß Oben angepinnt Nicht genehmigt Gelöst Privat Geschlossen