How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (245030)


The information in this article applies to:

  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Internet Explorer 5.5 for Windows NT 4.0
  • Microsoft Internet Explorer 5.01 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Windows NT Server 4.0
  • Microsoft Windows NT Server, Enterprise Edition 4.0
  • Microsoft Windows NT Workstation 4.0
This article was previously published under Q245030
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

This article describes how to restrict the use of certain cryptographic algorithms and protocols in the Schannel.dll file.

This information also applies to Independent Software Vendor (ISV) applications written for the Microsoft Cryptographic API.

MORE INFORMATION

The following Crypto Service Providers (CSPs) included with Windows NT 4.0 Service Pack 6 have been awarded the certificates for FIPS-140-1 crypto validation:
  • Microsoft Base Cryptographic Provider (Rsabase.dll)
  • Microsoft Enhanced Cryptographic Provider (Rsaenh.dll) [non-export version]
Microsoft TLS/SSL Security Provider, the Schannel.dll file, uses the CSPs listed above to conduct secure communications over SSL or TLS in its support for Microsoft Internet Explorer and Internet Information Server (IIS).

You can modify the Schannel.dll file to support Cipher Suite 1 and 2, but the program must also support Cipher Suite 1 and 2. Cipher Suite 1 and 2 are not supported in IIS 4.0 and 5.0.

This article provides the necessary information to configure the Windows NT 4.0 Service Pack 6 and later TLS/SSL Security Provider. You can use the Windows registry to control the use of specific SSL 3.0 or TLS 1.0 cipher suites respect to the cryptographic algorithms supported by Microsoft Base or Enhanced Cryptographic Provider.

NOTE: In Windows NT 4.0 Service Pack 6, the Schannel.dll file does not use the Microsoft Base DSS Cryptographic Provider (Dssbase.dll) or the Microsoft DS/Diffie-Hellman Enhanced Cryptographic Provider (Dssenh.dll).

Cipher Suites

Both SSL 3.0 (http://home.netscape.com/eng/ssl3/draft302.txt), and TLS 1.0 (RFC2246) with INTERNET-DRAFT "56-bit Export Cipher Suites For TLS draft-ietf-tls-56-bit-ciphersuites-00.txt" provide options to use different cipher suites. Each cipher suite determines the key exchange, authentication, encryption, and MAC algorithms used within a SSL/TLS session. Note that when you use RSA as both key exchange and authentication algorithms, the term RSA appears only once in the corresponding cipher suite definitions.

The Windows NT 4.0 Service Pack 6 Microsoft TLS/SSL Security Provider supports the following "CipherSuite" defined in SSL 3.0 when you use the Microsoft Base or Enhanced Cryptographic Provider:
SSL_RSA_EXPORT_WITH_RC4_40_MD5{ 0x00,0x03 }
SSL_RSA_WITH_RC4_128_MD5{ 0x00,0x04 }
SSL_RSA_WITH_RC4_128_SHA{ 0x00,0x05 }
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5{ 0x00,0x06 }
SSL_RSA_WITH_DES_CBC_SHA{ 0x00,0x09 }
SSL_RSA_WITH_3DES_EDE_CBC_SHA{ 0x00,0x0A }
SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA{ 0x00,0x62 }
SSL_RSA_EXPORT1024_WITH_RC4_56_SHA{ 0x00,0x64 }
NOTE: Neither SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA nor SSL_RSA_EXPORT1024_WITH_RC4_56_SHA is defined in SSL 3.0 text. However, a number of SSL 3.0 vendors, including Microsoft, support them.

Windows NT 4.0 Service Pack 6 Microsoft TLS/SSL Security Provider also supports the following "CipherSuite" defined in TLS 1.0 when using Microsoft Base or Enhanced Cryptographic Provider:

TLS_RSA_EXPORT_WITH_RC4_40_MD5{ 0x00,0x03 }
TLS_RSA_WITH_RC4_128_MD5{ 0x00,0x04 }
TLS_RSA_WITH_RC4_128_SHA{ 0x00,0x05 }
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5{ 0x00,0x06 }
TLS_RSA_WITH_DES_CBC_SHA{ 0x00,0x09 }
TLS_RSA_WITH_3DES_EDE_CBC_SHA{ 0x00,0x0A }
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA{ 0x00,0x62 }
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA{ 0x00,0x64 }
NOTE: A cipher suite defined with the first byte "0x00" is non-private and is used for open interoperable communications. As such, the Windows NT 4.0 Service Pack 6 Microsoft TLS/SSL Security Provider follows the procedures for using these cipher suites as specified in SSL 3.0 and TLS 1.0 specifications to ensure interoperability.

Schannel Specific Registry Keys

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

SCHANNEL Key

Start Registry Editor (Regedt32.exe), and locate the following key in the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

SCHANNEL\Protocols SubKey

The Protocols registry key under the SCHANNEL key is used to control the use of protocols supported by the Schannel.dll file and to restrict the protocols use to the TLS server or TLS client.

To prohibit the use of the protocols other than SSL 3.0 or TLS 1.0, change the DWORD value data of the Enabled value to 0x0 in each of the following registry keys under the Protocols key:
  • SCHANNEL\Protocols\PCT 1.0\Client
  • SCHANNEL\Protocols\PCT 1.0\Server
  • SCHANNEL\Protocols\SSL 2.0\Client
  • SCHANNEL\Protocols\SSL 2.0\Server
WARNING: The Microsoft Message Queue currently uses only PCT 1.0 between clients and servers. If you disable PCT 1.0, MSMQ does not function correctly.

WARNING: The Enabled value in the registry keys under the Protocols key take precedence over the grbitEnabledProtocols value defined in the SCHANNEL_CRED structure containing the data for an Schannel credential. The default behavior is enabled if you do not configure the Enabled value.

SCHANNEL\Ciphers Subkey

The Ciphers registry key under the SCHANNEL key is used to control the use of symmetric algorithms such as DES or RC4. The following are valid registry keys under the Ciphers key.

SCHANNEL\Ciphers\RC4 128/128 Subkey:

RC4 128/128

This subkey refers to 128-bit RC4.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled. This registry key does not apply to an exportable server that does not possess an SGC certificate.

Disabling this algorithm effectively disallows:
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_WITH_RC4_128_SHA
SCHANNEL\Ciphers\Triple DES 128/128 Subkey:

Triple DES 168/168

This registry key refers to 168-bit Triple DES as specified in ANSI X9.52 and Draft FIPS 46-3. This registry key does not apply to the export version.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD data to 0x0. If you do not configure the Enabled value, the default is enabled.

Disabling this algorithm effectively disallows:
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SCHANNEL\Ciphers\RC2 128/128 Subkey:

RC2 128/128

This registry key refers to 128-bit RC2. It does not apply to the export version.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled.

SCHANNEL\Ciphers\RC4 64/128 Subkey:

RC4 64/128

This registry key refers to 64-bit RC4. It does not apply to the export version (but is used in Microsoft Money).

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled.

SCHANNEL\Ciphers\RC4 56/128 Subkey:

RC4 56/128

This registry key refers to 56-bit RC4.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled.

Disabling this algorithm effectively disallows:
  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
SCHANNEL\Ciphers\RC2 56/128 Subkey:

RC2 56/128

This registry key refers to 56-bit RC2.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled.

SCHANNEL\Ciphers\RC2 56/56 Subkey:

DES 56/56

This registry key refers to 56-bit DES as specified in FIPS 46-2. Its implementation in the Rsabase.dll and Rsaenh.dll files has been validated under the FIPS 140-1 Cryptographic Module Validation Program.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled.

Disabling this algorithm effectively disallows:
  • SSL_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
SCHANNEL\Ciphers\RC4 40/128 Subkey:

RC4 40/128

This refers to 40-bit RC4.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled.

Disabling this algorithm effectively disallows:
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
SCHANNEL\Ciphers\RC2 40/128 Subkey:

RC2 40/128

This registry key refers to 40-bit RC2.

To allow this cipher algorithm, change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0. If you do not configure the Enabled value, the default is enabled.

Disabling this algorithm effectively disallows:
  • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SCHANNEL\Ciphers\NULL Subkey:

NULL

This registry key means no encryption. It is turned off by default.

To turn off encryption (disallow all cipher algorithms), change the DWORD value data of the Enabled value to 0xffffffff, otherwise change the DWORD value data to 0x0.

SCHANNEL/Hashes Subkey

The Hashes registry key under the SCHANNEL key is used to control the use of hashing algorithms such as SHA-1 or MD5. The following are valid registry keys under the Hashes key.

SCHANNEL\Hashes\MD5 Subkey:

MD5

To allow this hashing algorithm, change the DWORD value data of the Enabled value to the default value 0xffffffff, otherwise change the DWORD value data to 0x0.

Disabling this algorithm effectively disallows:
  • SSL_RSA_EXPORT_WITH_RC4_40_MD5
  • SSL_RSA_WITH_RC4_128_MD5
  • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_WITH_RC4_128_MD5
  • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SCHANNEL\Hashes\SHA Subkey:

SHA

This registry key refers to Secure Hash Algorithm (SHA-1), as specified in FIPS 180-1. Its implementation in the Rsabase.dll and Rsaenh.dll files has been validated under the FIPS 140-1 Cryptographic Module Validation Program.

To allow this hashing algorithm, change the DWORD value data of the Enabled value to the default value 0xffffffff, otherwise change the DWORD value data to 0x0.

Disabling this algorithm effectively disallows:
  • SSL_RSA_WITH_RC4_128_SHA
  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
  • TLS_RSA_WITH_RC4_128_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

SCHANNEL/KeyExchangeAlgorithms Subkey

The KeyExchangeAlgorithms registry key under the SCHANNEL key is used to control the use of key exchange algorithms such as RSA. The following are valid registry keys under the KeyExchangeAlgorithms key.

SCHANNEL\KeyExchangeAlgorithms\PKCS Subkey:

PKCS

This registry key refers to the RSA as the key exchange and authentication algorithms.

To allow RSA, change the DWORD value data of the Enabled value to the default value 0xffffffff, otherwise change the DWORD data to 0x0.

Disabling RSA effectively disallows all RSA-based SSL and TLS cipher suites supported by the Windows NT4 SP6 Microsoft TLS/SSL Security Provider.

FIPS 140-1 Cipher Suites

You may want to use only those SSL 3.0 or TLS 1.0 cipher suites that correspond to FIPS 46-3 or FIPS 46-2 and FIPS 180-1 algorithms provided by the Microsoft Base or Enhanced Cryptographic Provider.

In this article, we refer to them as FIPS 140-1 cipher suites. Specifically, they are:
  • SSL_RSA_WITH_DES_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
To use only FIPS 140-1 cipher suites as defined above, supported by Windows NT 4.0 Service Pack 6 Microsoft TLS/SSL Security Provider with Microsoft Base or Enhanced Cryptographic Provider, configure the DWORD value data of the Enabled value in the following registry keys to 0x0:
  • SCHANNEL\Ciphers\RC4 128/128
  • SCHANNEL\Ciphers\RC2 128/128
  • SCHANNEL\Ciphers\RC4 64/128
  • SCHANNEL\Ciphers\RC4 56/128
  • SCHANNEL\Ciphers\RC2 56/128
  • SCHANNEL\Ciphers\RC4 40/128
  • SCHANNEL\Ciphers\RC2 40/128
  • SCHANNEL\Ciphers\NULL
  • SCHANNEL\Hashes\MD5
and configure the DWORD value data of the Enabled value in the following registry keys to 0xffffffff:
  • SCHANNEL\Ciphers\DES 56/56
  • SCHANNEL\Ciphers\Triple DES 168/168" [not applicable in export version]
  • SCHANNEL\Hashes\SHA
  • SCHANNEL\KeyExchangeAlgorithms\PKCS

Master Secret Computation Using FIPS 140-1 Cipher Suites

The procedures for using the above FIPS 140-1 cipher suites in SSL 3.0 are different from those for using (the above) FIPS 140-1 cipher suites in TLS 1.0.

In SSL 3.0, the following is the definition master_secret computation:

   master_secret =
   MD5(pre_master_secret + SHA('A' + pre_master_secret +
       ClientHello.random + ServerHello.random)) +
   MD5(pre_master_secret + SHA('BB' + pre_master_secret +
       ClientHello.random + ServerHello.random)) +
   MD5(pre_master_secret + SHA('CCC' + pre_master_secret +
       ClientHello.random + ServerHello.random));
In TLS 1.0, the following is the definition master_secret computation:

   master_secret = PRF(pre_master_secret, "master secret",
      ClientHello.random + ServerHello.random)
where:

   PRF(secret, label, seed) = P_MD5(S1, label + seed) XOR
      P_SHA-1(S2, label + seed)
Selecting the Option to Use Only FIPS 140-1 Cipher Suites in TLS 1.0:

Because of the above difference, customers may want to prohibit the use of SSL 3.0, even though the allowable set of cipher suites has been limited to only the subset of FIPS 140-1 cipher suites. In that case, change the DWORD value data of the Enabled value to 0x0 in each of the following registry keys under the Protocols key:
  • SCHANNEL\Protocols\SSL 3.0\Client
  • SCHANNEL\Protocols\SSL 3.0\Server
WARNING: The Enabled value data in these registry keys under the Protocols key take precedence over the grbitEnabledProtocols value defined in the SCHANNEL_CRED structure containing the data for an Schannel credential. The default Enabled value data is 0xffffffff.

Example Registry Files

Two examples of registry file content for purposes of configuration, Export.reg and Non-export.reg, are provided in this section of the article.

In a computer running Windows NT 4.0 Service Pack 6 with the exportable Rasbase.dll and Schannel.dll files, run Export.reg to ensure that only TLS 1.0 FIPS cipher suites are used by the computer.

In a computer running Windows NT 4.0 Service Pack 6 that includes the non-exportable Rasenh.dll and Schannel.dll files, run Non-export.reg to ensure that only TLS 1.0 FIPS cipher suites are used by the computer.

For the Schannel.dll file to recognize any changes under the SCHANNEL registry key, you must restart the computer.

To return the registry settings to default, delete the SCHANNEL registry key and everything under it. If these registry keys are not present, the Schannel.dll rebuilds the keys when you restart the computer. 

------------------"export.reg"------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff

------------------"export.reg"------------------------------------------
------------------"non-export.reg"--------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:ffffffff

------------------"non-export.reg"--------------------------------------
Modification Type:MajorLast Reviewed:12/22/2004
Keywords:kbenv kbinfo KB245030
©2004 Microsoft Corporation. All rights reserved.