V-225238
CAT II
Update and configure the .NET Framework to support TLS.
- Ships Affected: 2
- Total Findings: 13
- Open: 10
- Closed: 3
Check Text
In older Windows systems (Windows Server 2012 or earlier), TLS 1.2 must be enabled systemwide by setting "SchUseStrongCrypto".
SystemDefaultTlsVersions is a configuration switch in .NET Framework (starting from 4.6) that allows the application to use the default TLS version supported by the underlying Windows operating system instead of hardcoding a specific TLS version (like TLS 1.2).
Check Registry:
Use regedit to review the following Windows registry keys:
For 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\
For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\
1. If the "SchUseStrongCrypto" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding.
2. For .NET Framework >4.6, use the default TLS version supported by the underlying Windows operating system.
If the "SystemDefaultTlsVersions" value name does not exist, or is not a REG_DWORD type set to "1", this is a finding.
Note: The SchUseStrongCrypto setting allows .NET to use TLS 1.1 and TLS 1.2. The SystemDefaultTlsVersions setting allows .NET to use the OS configuration.
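The registry check above can be scripted instead of reviewed by hand in regedit. The following PowerShell is an added example, not part of the STIG text; the "Finding"/"NotAFinding" labels and the output layout are assumptions, and it does not decide whether item 2 applies to the installed .NET Framework version.

```powershell
# Added example: audit the two registry values named in the Check Text.
# Run from a 64-bit PowerShell on 64-bit Windows so that the native path
# is not silently redirected to Wow6432Node.
$paths = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319')
if ([Environment]::Is64BitOperatingSystem) {
    $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}
$names = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'

$results = foreach ($path in $paths) {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    foreach ($name in $names) {
        if (-not $key) {
            $detail = 'key not found'
        } elseif ($key.GetValueNames() -notcontains $name) {
            $detail = 'value does not exist'
        } else {
            # The check requires both the type (REG_DWORD) and the data (1).
            $kind = $key.GetValueKind($name)
            $data = $key.GetValue($name)
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $detail = "type is $kind, expected REG_DWORD"
            } elseif ($data -ne 1) {
                $detail = "data is $data, expected 1"
            } else {
                $detail = $null
            }
        }
        [pscustomobject]@{
            Path   = $path
            Name   = $name
            Status = if ($detail) { 'Finding' } else { 'NotAFinding' }
            Detail = $detail
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```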
Fix Text
1. SchUseStrongCrypto enabled:
Use regedit to access the following registry key.
For 32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\
For 64-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\
Modify or create the following Windows registry value: SchUseStrongCrypto.
Set SchUseStrongCrypto to a REG_DWORD value of "1".
2. SystemDefaultTlsVersions enabled (.NET Framework >4.6):
For 64-bit Windows, create a .reg file with the following content and apply it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
3. Restart the system for changes to take effect.
STIG Reference
- STIG: Microsoft DotNet Framework 4.0 Security Technical Implementation Guide
- Version: 2
- Release: 8
- Rule ID: SV-225238r1069480_rule
All Occurrences
This vulnerability appears on 2 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date |
|---|---|---|---|---|---|
| LAB BASELINES | BASELINE | SCHR-P3-DP-001_DotNET4_V2R7_20260305-132722.cklb | | Unassigned | 2026-03-12T15:38:14.388995 |
| USNS MONTFORD POINT | T-ESD-1 | MONT-SW-89134_DotNET4_V2R7_20251217-201000.ckl | | Unassigned | 2026-03-04T15:25:41.864254 |
| USNS MONTFORD POINT | T-ESD-1 | MONT-SW-89108_DotNET4_V2R7_20251217-202821.ckl | | Unassigned | 2026-03-04T15:25:15.828600 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_DotNET4_V2R7_20251023-144010.ckl | | Unassigned | 2026-01-14T12:57:42.156893 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_DotNET4_V2R7_20251023-143746.ckl | | Unassigned | 2026-01-14T12:57:39.853926 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_DotNET4_V2R7_20251023-143930.ckl | | Unassigned | 2026-01-14T12:57:38.504147 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_DotNET4_V2R7_20251023-171946.ckl | | Unassigned | 2026-01-14T12:57:36.663331 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_DotNET4_V2R7_20251023-143731.ckl | | Unassigned | 2026-01-14T12:57:34.683670 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_DotNET4_V2R7_20251023-152339.ckl | | Unassigned | 2026-01-14T12:57:32.355929 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_DotNET4_V2R7_20251023-143732.ckl | | Unassigned | 2026-01-14T12:57:30.918773 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_DotNET4_V2R7_20251023-143711.ckl | | Unassigned | 2026-01-14T12:57:29.485524 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-WS-92010/Checklist/MONT-WS-92010_DotNET4_V2R7_20251023-141005.ckl | | Unassigned | 2026-01-14T12:57:27.786540 |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-WS-92040/Checklist/MONT-WS-92040_DotNET4_V2R7_20251023-142306.ckl | | Unassigned | 2026-01-14T12:57:25.530570 |