Host Hardening
To ensure secure operation of Archer, the underlying components of the host must be hardened so that the server functions properly and opportunities for vulnerabilities are removed.
Archer recommends hardening the host system under it to only allow TLS 1.2 on all Archer supported clients and servers.
- Make sure that SQL servers, Web Services, and clients have the latest service packs using TLS 1.2.
- Make sure that all security updates are applied before additional hardening is performed on all underlying components, including, but not limited to, the Operating System, SQL, and IIS.
On this page
Recommendations for TLS/SSL cipher hardening
Once all underlying components are up-to-date, TLS/SSL cipher hardening can be applied. A cipher suite is a set of algorithms that help secure a network connection using Transport Layer Security (TLS). Cipher hardening prevents known cipher attacks in TLS/SSL (for example, Sweet32, BEAST, POODLE, or ROBOT). Cipher hardening also ensures that data is kept secure and encrypted in transit, per industry best practices. To ensure encryption configuration is secure for all Archer communication, the apply the changes below to both Server and Client communications. As such, you must update these settings on your entire environment uniformly otherwise communication errors may occur.
Configuration changes
Note: For the registry changes below, many of these registry paths will not exist by default. You will need to create the registry paths.
Disable Multi-Protocol Unified Hello
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server |
DisabledByDefault |
DWord |
1 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client |
DisabledByDefault |
DWord |
1 |
Disable PCT 1.0
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server |
DisabledByDefault |
DWord |
1 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client |
DisabledByDefault |
DWord |
1 |
Disable SSL 2.0
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server |
DisabledByDefault |
DWord |
1 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client |
DisabledByDefault |
DWord |
1 |
Disable SSL 3.0
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server |
DisabledByDefault |
DWord |
1 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client |
DisabledByDefault |
DWord |
1 |
Note: If you disable SSL 3.0, you may lock out some users still using Windows XP with IE 6 or IE 7. Without SSL 3.0 enabled, there is no protocol available for those users to fall back. Safer shopping certifications may require that you disable SSLv3.
Disable TLS 1.0
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server |
DisabledByDefault |
DWord |
1 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client |
DisabledByDefault |
DWord |
1 |
Disable TLS 1.1
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server |
DisabledByDefault |
DWord |
1 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client |
DisabledByDefault |
DWord |
1 |
Enable TLS 1.2
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server |
Enabled |
DWord |
0xffffffff |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server |
DisabledByDefault |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client |
Enabled |
DWord |
0xffffffff |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client |
DisabledByDefault |
DWord |
0 |
Disable insecure ciphers
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128 |
Enabled |
DWord |
0 |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168 |
Enabled |
DWord |
0 |
Enable secure ciphers
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128 |
Enabled |
DWord |
0xffffffff |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256 |
Enabled |
DWord |
0xffffffff |
Disable insecure hashing algorithms
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5 |
Enabled |
DWord |
0 |
Enable secure hashing algorithms
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA |
Enabled |
DWord |
0xffffffff |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256 |
Enabled |
DWord |
0xffffffff |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384 |
Enabled |
DWord |
0xffffffff |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512 |
Enabled |
DWord |
0xffffffff |
Disable insecure key exchange algorithms
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman |
Enabled |
DWord |
0 |
Enable secure key exchange algorithms
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH |
Enabled |
DWord |
0xffffffff |
|
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS |
Enabled |
DWord |
0xffffffff |
Configure cipher suite order for Strength-Preference and Perfect-Forward Secrecy
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 |
Functions |
String |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
Enforce TLS 1.2 for .NET
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKLM:\SOFTWARE\Microsoft.NETFramework\v2.0.50727 |
SystemDefaultTlsVersions |
DWord |
1 |
|
HKLM:\SOFTWARE\Microsoft.NETFramework\v2.0.50727 |
SchUseStrongCrypto |
DWord |
1 |
|
HKLM:\SOFTWARE\Microsoft.NETFramework\v4.0.30319 |
SystemDefaultTlsVersions |
DWord |
1 |
|
HKLM:\SOFTWARE\Microsoft.NETFramework\v4.0.30319 |
SchUseStrongCrypto |
DWord |
1 |
|
HKLM:\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v2.0.50727 |
SystemDefaultTlsVersions |
DWord |
1 |
|
HKLM:\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v2.0.50727 |
SchUseStrongCrypto |
DWord |
1 |
|
HKLM:\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319 |
SystemDefaultTlsVersions |
DWord |
1 |
|
HKLM:\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319 |
SchUseStrongCrypto |
DWord |
1 |
Set TLS 1.2 as default for outbound communications
|
Registry Path |
KeyName | Property Type | Value |
|---|---|---|---|
|
HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
SecureProtocols |
DWord |
2048 |
|
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
SecureProtocols |
DWord |
2048 |
Supported clients
|
Client |
TLS Version |
|---|---|
|
Android 4.4.2 |
TLS 1.2 |
|
Android 5.0.0 |
TLS 1.2 |
|
Android 6.0 |
TLS 1.2 > http/1.1 |
|
Android 7.0 |
TLS 1.2 > h2 |
|
Android 8.0 |
TLS 1.2 > h2 |
|
Android 8.1 |
TLS 1.2 > h2 |
|
Android 9.0 |
TLS 1.2 > h2 |
|
BingPreview Jan 2015 |
TLS 1.2 |
|
Chrome 49 / XP SP3 |
TLS 1.2 > h2 |
|
Chrome 69 / Windows 7 R |
TLS 1.2 > h2 |
|
Chrome 70 / Windows 10 |
TLS 1.2 > h2 |
|
Chrome 80 / Windows 10 R |
TLS 1.2 > h2 |
|
Firefox 31.3.0 ESR / Windows 7 |
TLS 1.2 |
|
Firefox 47 / Windows 7 R |
TLS 1.2 > h2 |
|
Firefox 49 / XP SP3 |
TLS 1.2 > h2 |
|
Firefox 62 / Windows 7 R |
TLS 1.2 > h2 |
|
Firefox 73 / Windows 10 R |
TLS 1.2 > h2 |
|
Googlebot Feb 2018 |
TLS 1.2 |
|
IE 11 / Windows 10 R |
TLS 1.2 > h2 |
|
Edge 15 / Windows 10 R |
TLS 1.2 > h2 |
|
Edge 16 / Windows 10 R |
TLS 1.2 > h2 |
|
Edge 18 / Windows 10 R |
TLS 1.2 > h2 |
|
Edge 13 / Windows Phone 10 R |
TLS 1.2 > h2 |
|
Java 8u161 |
TLS 1.2 |
|
Java 11.0.3 |
TLS 1.2 |
|
Java 12.0.1 |
TLS 1.2 |
|
OpenSSL 1.0.1l R |
TLS 1.2 |
|
OpenSSL 1.0.2s R |
TLS 1.2 |
|
OpenSSL 1.1.0k R |
TLS 1.2 |
|
OpenSSL 1.1.1c R |
TLS 1.2 |
|
Safari 9 / iOS 9 R |
TLS 1.2 > h2 |
|
Safari 9 / OS X 10.11 R |
TLS 1.2 > h2 |
|
Safari 10 / iOS 10 R |
TLS 1.2 > h2 |
|
Safari 10 / OS X 10.12 R |
TLS 1.2 > h2 |
|
Safari 12.1.2 / MacOS 10.14.6 Beta R |
TLS 1.2 > h2 |
|
Safari 12.1.1 / iOS 12.3.1 R |
TLS 1.2 > h2 |
|
Apple ATS 9 / iOS 9 R |
TLS 1.2 > h2 |
|
Yahoo Slurp Jan 2015 |
TLS 1.2 |
|
YandexBot Jan 2015 |
TLS 1.2 |
Note: You can achieve additional security by removing the CBC mode ciphers listed in the section “Configure Cipher Suite Order for Strength-Preference and Perfect-Forward Secrecy." However, the following clients would no longer be supported.
|
Client |
TLS Version | Cipher Suite |
|---|---|---|
|
IE 11 / Windows 7 R |
TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
IE 11 / Windows 8.1 R |
TLS 1.2 > http/1.1 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
IE 11 / Windows Phone 8.1 R |
TLS 1.2 > http/1.1 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
IE 11 / Windows Phone 8.1 Update R |
TLS 1.2 > http/1.1 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
Safari 6 / iOS 6.0.1 |
TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
Safari 7 / iOS 7.1 R |
TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
Safari 7 / OS X 10.9 R |
TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
Safari 8 / iOS 8.4 R |
TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
|
Safari 8 / OS X 10.10 R |
TLS 1.2 |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
Verifying cipher configuration
You can use various tools to verify the Cipher Suite hardening that you have configured. Cipher Suite hardening may lead to limited connectivity, as older clients cannot connect to servers with strong security requirements. Some tools will provide further details on these limitations.
For public facing servers, it is recommended to test using the Qualys SSL Labs test: SSL Server Test (Powered by Qualys SSL Labs).
For private servers, it is recommended to test using TestSSL: /bin/bash based SSL/TLS tester: testssl.sh.
