USNS MONTFORD POINT - Findings

Showing 12 of 12 findings (filtered) View Documentation Status (90 tracked)

Vuln ID	Severity	Asset	STIG	Title	Doc Status
V-225238	CAT II	MONT-WS-92040	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23C37571322EA7216F197978D4B3FF97743E9C71 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Source: _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_DotNET4_V2R7_20251023-142306.ckl Scan Date: 2026-01-14T12:57:25.530570 Technology Area: Windows Operating System
V-225238	CAT II	MONT-WS-92010	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_DotNET4_V2R7_20251023-141005.ckl Scan Date: 2026-01-14T12:57:27.786540 Technology Area: Windows Operating System
V-225238	CAT II	MONT-VSF-004	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_DotNET4_V2R7_20251023-143711.ckl Scan Date: 2026-01-14T12:57:29.485524 Technology Area: Windows Operating System
V-225238	CAT II	MONT-VSF-003	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_DotNET4_V2R7_20251023-143732.ckl Scan Date: 2026-01-14T12:57:30.918773 Technology Area: Windows Operating System
V-225238	CAT II	MONT-MB-002	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be NOT A FINDING on 10/23/2025 ResultHash: 23C37571322EA7216F197978D4B3FF97743E9C71 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions Value: 0x00000001 (1) Type: REG_DWORD Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_DotNET4_V2R7_20251023-152339.ckl Scan Date: 2026-01-14T12:57:32.355929 Technology Area: Windows Operating System
V-225238	CAT II	MONT-DP-001	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_DotNET4_V2R7_20251023-143731.ckl Scan Date: 2026-01-14T12:57:34.683670 Technology Area: Windows Operating System
V-225238	CAT II	MONT-DC-003	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_DotNET4_V2R7_20251023-171946.ckl Scan Date: 2026-01-14T12:57:36.663331 Technology Area: Windows Operating System
V-225238	CAT II	MONT-DB-002	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_DotNET4_V2R7_20251023-143930.ckl Scan Date: 2026-01-14T12:57:38.504147 Technology Area: Windows Operating System
V-225238	CAT II	MONT-BE-002	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_DotNET4_V2R7_20251023-143746.ckl Scan Date: 2026-01-14T12:57:39.853926 Technology Area: Windows Operating System
V-225238	CAT II	MONT-AP-002	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2507.5 (Scan-NETFramework4_Checks) found this to be OPEN on 10/23/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_DotNET4_V2R7_20251023-144010.ckl Scan Date: 2026-01-14T12:57:42.156893 Technology Area: Windows Operating System
V-225238	CAT II	MONT-SW-89108	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be OPEN on 12/17/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: MONT-SW-89108_DotNET4_V2R7_20251217-202821.ckl Scan Date: 2026-03-04T15:25:15.828600 Technology Area: Windows Operating System
V-225238	CAT II	MONT-SW-89134	Microsoft DotNet Framework 4.0 Security ...	Update and configure the .NET Framework to support...	Documented Pending Review
Check Text In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto". SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2). Check Registry: Use regedit to review the following Windows registry keys: For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64 bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ 1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. 2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system. If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding. Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration. Fix Text 1. SchUseStrongCrypto enabled: Use regedit to access the following registry key. For 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ For 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\ HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\ Modify or create the following Windows registry value: SchUseStrongCrypto. Set SchUseStrongCrypto to a REG_DWORD value of "1". 2. SystemDefaultTlsVersions enabled (.NET Framework >4.6): For 64-bit Windows, create a .reg file with the following content and apply it: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001 3. Restart the system for changes to take effect. Finding Details Evaluate-STIG 1.2510.0 (Scan-NETFramework4_Checks) found this to be OPEN on 12/17/2025 ResultHash: CA82A8E9922E6F4DCDB8A91E95B4D1BEBA806917 ~~~~~ .NET Framework 4 version is 4.6 or later. Registry Path: HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Registry Path: HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319 Value Name: SystemDefaultTlsVersions (Not found) Source: MONT-SW-89134_DotNET4_V2R7_20251217-201000.ckl Scan Date: 2026-03-04T15:25:41.864254 Technology Area: Windows Operating System

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details

Check Text

Fix Text

Finding Details