CVE-2024-21410 | En...
 
Benachrichtigungen
Alles löschen

[Gelöst] CVE-2024-21410 | Enabling Extended Protection --> Test Failed: SchUseStrongCrypto is not configured as expected

3 Beiträge
2 Benutzer
1 Likes
1,524 Ansichten
(@prof-hase)
Active Member
Beigetreten: Vor 4 Jahren
Beiträge: 5
Themenstarter  

Guten Morgen zusammen, 

ich bekomme beim Versuch Extended Protection auf einem Exchange 2019 unter Server 2022 ohne DAG folgenden Fehler: 

[PS] C:\ExchangeExtendedProtectionManagement.ps1
Version 24.02.13.1755

Enabling Extended Protection
Extended Protection is recommended to be enabled for security reasons. Known Issues: Following scenarios will not work when Extended Protection is enabled.
    - SSL offloading or SSL termination via Layer 7 load balancing.
    - Exchange Hybrid Features if using Modern Hybrid.
    - Access to Public folders on Exchange 2013 Servers.
You can find more information on:  https://aka.ms/ExchangeEPDoc.  Do you want to proceed?
[J] Ja  [A] Ja, alle  [N] Nein  [K] Nein, keine  [H] Anhalten  [?] Hilfe (Standard ist "J"): a

The following servers have the TLS Configuration below
SERVERNAME

RegistryName        Location                                                                              Value
------------        --------                                                                              -----
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v2.0.50727
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v2.0.50727
SchUseStrongCrypto  SOFTWARE\Microsoft\.NETFramework\v4.0.30319
SystemTlsVersions   SOFTWARE\Microsoft\.NETFramework\v4.0.30319                                           1
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
SchUseStrongCrypto  SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
SystemTlsVersions   SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319                               1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  1
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server  0
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client  1
DisabledByDefault   SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  0
Enabled             SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server  1

Test Failed: SchUseStrongCrypto is not configured as expected
System affected: SERVERNAME
Action required: Configure SchUseStrongCrypto for NETv4 as described here:  https://aka.ms/ExchangeEPDoc 

WARNUNG: Failed to pass the TLS prerequisites for the servers you are trying to enable Extended Protection. Unable to continue.

Servers trying to enable: SERVERNAME
Do you have feedback regarding the script? Please email ExToolsFeedback@microsoft.com.

   
Zitat
(@prof-hase)
Active Member
Beigetreten: Vor 4 Jahren
Beiträge: 5
Themenstarter  

Und hier die Lösung ;) 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions" = dword:00000001 "SchUseStrongCrypto" = dword:00000001


   
AntwortZitat

NorbertFe
(@norbertfe)
Noble Member
Beigetreten: Vor 3 Jahren
Beiträge: 1446
 

Veröffentlicht von: @prof-hase

Und hier die Lösung ;) 

 

Test Failed: SchUseStrongCrypto is not configured as expected
System affected: SERVERNAME
Action required: Configure SchUseStrongCrypto for NETv4 as described here:  

https://aka.ms/ExchangeEPDoc und der verweist auf 

Refer to this Exchange Server TLS configuration best practices guide to configure the required TLS settings on your Exchange servers. ;)

Und der zeigt dann u.a.:

 

Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value 1 -Type DWord

   
Prof Hase reacted
AntwortZitat
Teilen: