TLS Security | Harden System Security¶
Changes made by this category only affect things that use Schannel SSP: that includes IIS web server, built-in inbox Windows apps and some other programs supplied by Microsoft, including Windows network communications, but not 3rd party software that use portable stacks like Java, nodejs, python or php.
If you want to read more: Demystifying Schannel
Disables TLS 1 and TLS 1.1 security protocols that only exist for backward compatibility. All modern software should and do use TLS 1.2andTLS 1.3.
CSP CSP
- Disables MD5 Hashing Algorithm that is only available for backward compatibility
- Disables the following weak ciphers that are only available for backward compatibility:
"DES 56-bit","RC2 40-bit","RC2 56-bit","RC2 128-bit","RC4 40-bit","RC4 56-bit","RC4 64-bit","RC4 128-bit","3DES 168-bit (Triple DES 168)"
Configures the TLS to only use the following secure cipher suites and in this exact order: CSP
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
-
Use the TLS for BattleNet sub-category if you have the BattleNet game client installed on your system. This client utilizes the TLS_RSA_WITH_AES_256_CBC_SHAcipher suite to establish connections with its servers. Since this cipher suite is less secure, it is excluded from the secure cipher-suites list by default. However, enabling this sub-category will include the required cipher suite, allowing you to use BattleNet without interruptions.
- Configures TLS ECC Curves to use the following prioritized Curves order: CSP
- By default, in Windows, the order is this: