Tag: Internet Information Services
How to Configure SSL on XenDesktop Controllers to Secure XML Traffic
From XenDesktop Controller
IIS Installed on XenDesktop Controller
In this scenario, the XenDesktop controller has IIS installed and functioning to serve Web Interface or other web services. To complete this setup, you must request a Server Certificate and install it on IIS.
There are two ways to generate a server certificate on IIS 7.x:
- Create Certificate Request: generates a CSR file that you submit to a third-party Certification Authority (CA) or to your internal Microsoft CA. For more information, refer to the Microsoft TechNet article Request an Internet Server Certificate (IIS 7).
- Create Domain Certificate: generates the request and submits it directly to a Microsoft enterprise CA registered in your domain, so no CSR file has to be handled. For more information, refer to the Microsoft TechNet article Create a Domain Server Certificate in IIS 7.
After the Server Certificate is installed on IIS, ensure to set the Bindings to enable HTTPS on IIS by completing the following procedure:
- Select the IIS site on which you want to enable HTTPS and click Bindings under Edit Site.
- Click Add, set Type to https and Port to 443, select the SSL certificate that you installed, and click OK.
- Open Registry Editor on the XenDesktop Controller and locate the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
- Verify that the XmlServicesSslPort value exists and holds the SSL port. By default it is set to 443.
- Change the XML service port only if you need a port other than 443. Run the following from an elevated command prompt in the Broker Service installation folder:
BrokerService.exe -WiSslPort <port number>
Note: If you change the XML service port number on the XenDesktop Controller, update the port of the IIS https binding to match the new value. If the two disagree, IIS is not listening where the Broker Service expects, and Web Interface cannot reach the XML service.
IIS is not Installed on XenDesktop Controller
In this scenario, the XenDesktop Controller does not have IIS installed, so there are two ways to obtain a server certificate for the Controller:
- Export an existing server certificate from another server in PFX format. When exporting, select the option to include the private key; without the private key the certificate cannot terminate SSL on the Controller.
- Use the Certreq utility from Microsoft to generate a Certificate Signing Request and submit it to a third-party CA or to your internal Microsoft CA. For more information, refer to the Microsoft TechNet article Certreq.exe Syntax.
Note: Always import PFX server certificates into the XenDesktop Controller's Local Computer (Personal) certificate store, not the current user's store. HTTP.sys looks the certificate up in the Local Computer store when it binds the port, so a certificate in a user store is never found.
After the server certificate is installed on the XenDesktop Controller, register it for HTTPS on the server. Windows Server 2008 ships the netsh utility, which binds an SSL certificate to an IP address and port. For more information, refer to the Microsoft MSDN article How to: Configure a Port with an SSL Certificate.
The following is the command that you must use:
netsh http add sslcert ipport=0.0.0.0:<port Number> certhash=<hash number> appid={XenDesktop Broker Service GUID}
The certhash value is the certificate's SHA-1 thumbprint, entered without spaces. To obtain it, open Registry Editor, navigate to the following key and locate the server certificate that you want to use; each subkey is named after a certificate's thumbprint:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates
Alternatively, open the server certificate in the certificate viewer and, on the Details tab, select Thumbprint.
- Obtain the GUID of the Citrix Broker Service on the XenDesktop Controller. Open Registry Editor, select Find, and search for the words Broker Service. By default the product is registered under HKEY_CLASSES_ROOT\Installer\Products. Note that the key names there are Windows Installer's packed form of the product code, not the dashed GUID that netsh expects, so the wmic command below is the easier way to read it.
- Now that you have the certificate hash and the Citrix Broker Service GUID, run the netsh command to bind the SSL certificate to port 443 for the Citrix Broker Service.
To get the GUID, run the following in an elevated command prompt on the DDC (wmic product enumerates every installed MSI package and triggers a consistency check on each, so expect it to take a while and to write Windows Installer events):
wmic product where "Name like 'Citrix Broker Service'" get Name,IdentifyingNumber
The IdentifyingNumber column is the GUID in the form netsh needs. The following example uses the GUID and certificate hash values shown in the article's screenshots (not reproduced here):
C:\>netsh http add sslcert ipport=10.12.37.231:443 certhash=298B8AB50322A5A601A57D4976875191D85A2949 appid={13C9D851-5D94-7C44-4A2B-218F89A28DC7}
Note: Enter the GUID with its dashes (-) and braces. Otherwise, the command fails.
A successful bind reports "SSL Certificate successfully added." You can confirm the binding at any time with netsh http show sslcert ipport=<ip>:<port>.
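The same binding, done from PowerShell so that the thumbprint and product GUID are looked up and checked rather than copied from Registry Editor. This is an added example, not code from the Citrix article. It assumes an elevated PowerShell session on the DDC, a certificate already imported into the Local Computer Personal store with its private key, and that the Broker Service is registered as an MSI product under the standard Uninstall keys (which avoids wmic product and its MSI consistency checks).

```powershell
# Added example (not from the Citrix article): bind a server certificate to the
# XML service port for the Citrix Broker Service with netsh, then verify it.
param(
    [Parameter(Mandatory)] [string]$Thumbprint,   # from the certificate's Details tab
    [string]$IpAddress = '0.0.0.0',               # 0.0.0.0 = all IPv4 addresses
    [int]$Port = 443                              # must match XmlServicesSslPort / -WiSslPort
)

# Thumbprints copied from the GUI often carry spaces or a leading BOM; normalise.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# 1. The certificate http.sys will use: LocalMachine\My, with a private key, not expired.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; re-import the PFX with the key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

# 2. Product GUID of the Citrix Broker Service, with dashes and braces as netsh requires.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$broker = Get-ChildItem $uninstallKeys -ErrorAction SilentlyContinue |
          Get-ItemProperty |
          Where-Object { $_.DisplayName -eq 'Citrix Broker Service' } |
          Select-Object -First 1
if (-not $broker) { throw 'Citrix Broker Service not found under the Uninstall keys.' }
$appId = $broker.PSChildName            # e.g. {13C9D851-5D94-7C44-4A2B-218F89A28DC7}
if ($appId -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { throw "Unexpected product key name: $appId" }

# 3. Replace any stale binding on this ip:port (http.sys allows only one), then add ours.
$ipport = "${IpAddress}:$Port"
$existing = netsh http show sslcert "ipport=$ipport" 2>$null
if ($existing -match 'Certificate Hash') {
    netsh http delete sslcert "ipport=$ipport" | Out-Null
}
$added = netsh http add sslcert "ipport=$ipport" "certhash=$Thumbprint" "appid=$appId"
if ($LASTEXITCODE -ne 0) { throw "netsh failed: $($added -join ' ')" }

# 4. Verify: http.sys must now report our hash for this ip:port.
$shown = netsh http show sslcert "ipport=$ipport"
if (($shown -join "`n") -notmatch [regex]::Escape($Thumbprint)) {
    throw 'Binding not visible in netsh http show sslcert.'
}
$shown
```

Run it as `.\Bind-BrokerSsl.ps1 -Thumbprint '29 8b 8a b5 ...'` (hypothetical file name). The delete-then-add step matters when you rotate a certificate: netsh http add sslcert refuses to overwrite an existing binding on the same ip:port.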
From the Web Interface server
Configure the XenApp Web Site or XenApp Services Site to use HTTPS and 443 as Transport Type and XML Service port respectively under Server Farms.
Note: For the SSL connection to the XenDesktop 5 Controller to succeed, the Web Interface server must trust the CA that issued the Controller's certificate: install the CA's root certificate in the Web Interface server's Local Computer Trusted Root Certification Authorities store. The server name entered under Server Farms must also match the certificate's subject or subject alternative name, or name validation fails even though the CA is trusted.
Related:
Error: “You cannot add apps at this time” on Receiver StoreFront
Cause 1
StoreFront server is unable to resolve the name of the XML server(s) listed under Manage Server Farms.
The following error message is recorded on the StoreFront server under Event Viewer > Applications and Services Logs > Citrix Delivery Services:
Log Name: Citrix Delivery Services
Source: WebApplication
Date: <Date>
Event ID: 0
Task Category: (12346)
Level: Error
Keywords: Classic
User: N/A
Computer: ftlvstorefront.amc.ctx
Description:
The server name ftlvxa.amc.ctx cannot be resolved. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.
Cause 2
StoreFront server is unable to contact the XML server(s) using the specified XML port number under Manage Server Farms.
The following error message is recorded on the StoreFront server under Event Viewer > Applications and Services Logs > Citrix Delivery Services:
Log Name: Citrix Delivery Services
Source: WebApplication
Date: <Date>
Event ID: 0
Task Category: (12346)
Level: Error
Keywords: Classic
User: N/A
Computer: ftlvstorefront.amc.ctx
Description:
An error occurred while attempting to connect to the server ftlvxa45.amc.ctx on port 81. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.
Cause 3
If HTTPS or SSL Relay is the transport type, the StoreFront server cannot establish the SSL connection to the XML server(s). In the event below the failure is one of trust: the StoreFront server does not have the issuing CA (amc-FTLVAMCDC-CA) in its Local Computer Trusted Root Certification Authorities store, so validation of the XML server's certificate fails.
Example of SSL Relay configuration
The following error message is recorded on the StoreFront server under Event Viewer > Applications and Services Logs > Citrix Delivery Services:
Log Name: Citrix Delivery Services
Source: WebApplication
Date: <Date>
Event ID: 0
Task Category: (12346)
Level: Error
Keywords: Classic
User: N/A
Computer: ftlvstorefront.amc.ctx
Description:
An SSL connection could not be established: You have not chosen to trust the issuer of the server's security certificate, amc-FTLVAMCDC-CA. This message was reported from the Citrix XML Service at address. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.
Cause 4
Third-party network monitoring solutions (for example: firewalls, Intrusion Detection Systems (IDS), antivirus) might be blocking the XML traffic between StoreFront Services and the XML server(s).
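The four causes above can be separated from the StoreFront server itself without touching the Citrix configuration: resolve the name, open the TCP port, and complete a TLS handshake while recording why .NET would reject the certificate. The function below is an added example, not part of the Citrix article; the server names are the ones from the events above plus a hypothetical ddc01.example.com, and the ports are illustrative. Run it on the StoreFront server; no Citrix cmdlets are required.

```powershell
# Added example (not from the Citrix article): check DNS, TCP and TLS trust for an
# XML server exactly as entered under Manage Server Farms.
function Test-XmlService {
    param(
        [Parameter(Mandatory)] [string]$Server,
        [int]$Port = 80,
        [switch]$UseSsl,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{ Server = $Server; Port = $Port; Resolves = $false; Connects = $false; TlsTrusted = $null; Detail = '' }

    # Cause 1: the farm entry must resolve from the StoreFront server itself.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Server)
        $r.Resolves = $ips.Count -gt 0
    } catch {
        $r.Detail = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$r
    }

    # Cause 2 (and 4): something must accept TCP on the XML port. A timeout rather than
    # a refusal usually means a firewall or IDS is silently dropping the traffic.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "no answer within $TimeoutMs ms" }
        $tcp.EndConnect($ar)
        $r.Connects = $true
    } catch {
        $r.Detail = "TCP: $($_.Exception.Message)"
        $tcp.Close()
        return [pscustomobject]$r
    }

    # Cause 3: complete a TLS handshake and let .NET validate the certificate the way
    # StoreFront does (chain to a trusted root in the Local Computer store, name match).
    if ($UseSsl) {
        $script:xmlPolicyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $script:xmlPolicyErrors = $sslPolicyErrors
            $true   # accept here so the reason can be reported; StoreFront itself would reject
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        try {
            $ssl.AuthenticateAsClient($Server)
            $r.TlsTrusted = ($script:xmlPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            $r.Detail = "$($ssl.SslProtocol); certificate policy errors: $script:xmlPolicyErrors"
        } catch {
            $r.TlsTrusted = $false
            $r.Detail = "TLS: $($_.Exception.Message)"
        } finally {
            $ssl.Dispose()
        }
    }
    $tcp.Close()
    [pscustomobject]$r
}

# Farm entries as they appear in the events above, plus a hypothetical HTTPS Controller.
Test-XmlService -Server 'ftlvxa.amc.ctx'    -Port 80
Test-XmlService -Server 'ftlvxa45.amc.ctx'  -Port 81
Test-XmlService -Server 'ddc01.example.com' -Port 443 -UseSsl
```

A result with Resolves false maps to Cause 1, Connects false to Cause 2 or 4, and TlsTrusted false with RemoteCertificateChainErrors in Detail to Cause 3 (RemoteCertificateNameMismatch instead means the farm entry does not match the certificate's name).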
Related:
Error: “Cannot Complete Your Request” Due to Misconfigured or Expired Certificates on StoreFront
Complete the following steps on every StoreFront server to troubleshoot this issue:
- Open the IIS console > Servername > Server Certificates and check the certificate used for the StoreFront site:
1) The Issued To name matches the StoreFront Base URL.
2) The Expiration Date has not passed.
3) The certificate has a private key (the certificate viewer's General tab shows "You have a private key that corresponds to this certificate"). If you use a SAN certificate, make sure the StoreFront Base URL host name is listed under Subject Alternative Name on the Details tab. Wildcard certificates are also supported.
4) On the Certification Path tab, confirm that all intermediate and root certificates are installed, so that the server can present a complete chain during the SSL handshake.
For more information on server certificates, refer to the Microsoft articles:
– Server Certificate Deployment
– Configure intermediate certificates on a computer that is running IIS for server authentication
- Open the IIS console > Servername > Sites > Default Web Site > Bindings and check the https binding:
– The SSL certificate selected for the binding matches the StoreFront Base URL.
– The Host name field is empty.
For more information on adding a binding, refer to the Microsoft article SSL Bindings.
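The checks above, scripted so they can be run on every StoreFront server in a group. This is an added example and not code from the Citrix article. It assumes the WebAdministration module (IIS 7.5 or later), an IPv4 binding on a site called Default Web Site, a hypothetical base URL of https://storefront.example.com, and an English Windows build (the SAN entries are parsed from the "DNS Name=" lines the certificate viewer produces).

```powershell
# Added example (not from the Citrix article): verify the StoreFront https binding
# and its certificate against the four conditions listed above.
param(
    [string]$BaseUrl  = 'https://storefront.example.com',   # hypothetical
    [string]$SiteName = 'Default Web Site'
)
Import-Module WebAdministration
$fqdn     = ([uri]$BaseUrl).Host.ToLower()
$findings = @()

# Which certificate is actually bound? http.sys serves whatever hash the binding carries.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No https binding on '$SiteName'." }
$ip, $port, $hostHeader = $binding.bindingInformation -split ':'   # e.g. "*:443:" (IPv4 assumed)
if ($hostHeader) { $findings += "Binding host name is '$hostHeader'; it should be empty." }
$thumb = $binding.certificateHash
$cert  = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

# 1) Issued To / SAN must cover the base URL host; wildcards match exactly one label.
function Test-NameMatch([string]$Pattern, [string]$Hostname) {
    if ($Pattern.StartsWith('*.')) {
        $suffix = $Pattern.Substring(1)                          # ".example.com"
        if (-not $Hostname.EndsWith($suffix)) { return $false }
        $label = $Hostname.Substring(0, $Hostname.Length - $suffix.Length)
        return ($label.Length -gt 0) -and ($label -notmatch '\.')
    }
    return $Pattern -eq $Hostname
}
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim().ToLower() }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    $names += @($san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
    })
}
if (-not ($names | Where-Object { Test-NameMatch $_ $fqdn })) {
    $findings += "Certificate names [$($names -join ', ')] do not cover base URL host $fqdn."
}

# 2) Expiry (warn early as well, so the next outage is not a surprise).
if ($cert.NotAfter -lt (Get-Date)) { $findings += "Certificate expired on $($cert.NotAfter)." }
elseif ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Certificate expires soon: $($cert.NotAfter)." }

# 3) Private key.
if (-not $cert.HasPrivateKey) { $findings += 'Certificate has no private key; re-import the PFX including the key.' }

# 4) Certification path: every intermediate and the root must be installed locally,
#    otherwise IIS cannot send a complete chain and clients see a trust error.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # offline check
if (-not $chain.Build($cert)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $findings += "Certification path does not build: $why"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "OK: $fqdn on ${ip}:$port is served by '$($cert.Subject)' ($thumb), valid until $($cert.NotAfter)." }
```

Revocation is deliberately not checked here because the article's symptoms are all local configuration faults; enable it separately if your CA publishes CRLs the StoreFront server can reach.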
Related:
Citrix Director installation failed with error “dism component failed to install”.
From the log snippet below, the WCF Services > HTTP Activation feature (WCF-HTTP-Activation45) was not enabled because its parent feature, WCF-Services45, was not enabled first; the installer's dism command line did not pass /all. Enable the feature together with its parent before you reinstall Citrix Director.
Xendesktop Installation.txt
12:24:46.9506 : XenDesktopSetup:Starting synchronous process 'dism' with args '/quiet /norestart /english /online /enable-feature /featurename:IIS-WebServerRole /featurename:IIS-WebServer /featurename:IIS-CommonHttpFeatures /featurename:IIS-StaticContent /featurename:IIS-DefaultDocument /featurename:IIS-DirectoryBrowsing /featurename:IIS-HttpErrors /featurename:IIS-HttpRedirect /featurename:IIS-ApplicationDevelopment /featurename:IIS-ASP /featurename:IIS-CGI /featurename:IIS-ISAPIExtensions /featurename:IIS-ISAPIFilter /featurename:IIS-ServerSideIncludes /featurename:IIS-HealthAndDiagnostics /featurename:IIS-HttpTracing /featurename:IIS-HttpLogging /featurename:IIS-LoggingLibraries /featurename:IIS-Performance /featurename:IIS-HttpCompressionStatic /featurename:IIS-HttpCompressionDynamic /featurename:IIS-WebServerManagementTools /featurename:IIS-ManagementConsole /featurename:IIS-LegacySnapIn /featurename:IIS-IIS6ManagementCompatibility /featurename:IIS-Metabase /featurename:IIS-LegacyScripts /featurename:IIS-ManagementScriptingTools /featurename:IIS-WMICompatibility /featurename:WAS-WindowsActivationService /featurename:WAS-ProcessModel /featurename:IIS-ASPNET45 /featurename:IIS-NetFxExtensibility45 /featurename:NetFx4Extended-ASPNET45 /featurename:WCF-HTTP-Activation45 /featurename:WAS-ConfigurationAPI /featurename:IIS-Security /featurename:IIS-BasicAuthentication /featurename:IIS-WindowsAuthentication /featurename:IIS-RequestFiltering /featurename:NetFx3ServerFeatures /logpath:"C:\Users\<Username>\AppData\Local\Temp\Citrix\XenDesktop Installer\IIS_Install.txt"'
12:26:19.6932 : XenDesktopSetup:Process output:
12:26:19.6932 : XenDesktopSetup:Process output: Error: 50
12:26:19.6932 : XenDesktopSetup:Process output:
12:26:19.6932 : XenDesktopSetup:Process output: The operation is complete but WCF-HTTP-Activation45 feature was not enabled.
12:26:19.6932 : XenDesktopSetup:Process output: A required parent feature may not be enabled. You can use the /enable-feature /all option to automatically enable each parent feature from the following list. If the parent feature(s) are already enabled, refer to the log file for further diagnostics.
12:26:19.6932 : XenDesktopSetup:Process output: WCF-Services45
12:26:19.7002 : XenDesktopSetup:Process completed with error code 0x00000032
12:26:19.7172 $ERR$ : XenDesktopSetup:InstallComponent: Failed to install component ‘Microsoft Internet Information Services’. ‘dism’ component failed to install with error 0x00000032.
12:26:19.7172 $ERR$ : XenDesktopSetup:Recording installation failure. ‘dism’ component failed to install with error 0x00000032.
12:26:19.7172 PROC : XenDesktopSetup:InstallComponent: Exit
12:26:19.7172 : XenDesktopSetup:Install tasks for this session have finished.
12:26:19.7182 : XenDesktopSetup:Installation failed
IIS_Install.txt
Info DISM DISM Package Manager: PID=2076 TID=8732 Feature WCF-HTTP-Activation45 with CBS state 4(CbsInstallStateStaged) being mapped to dism state 4(DISM_INSTALL_STATE_STAGED) – CDISMPackageFeature::LogInstallStateMapping
Error DISM DISM Package Manager: PID=2076 TID=8732 Parent features must be enabled before this feature can be enabled. “WCF-HTTP-Activation45” – CPackageManagerCLIHandler::Private_ProcessFeatureChange
Error DISM DISM Package Manager: PID=2076 TID=8732 One or more features could not be enabled. – CPackageManagerCLIHandler::Private_ProcessFeatureChange(hr:0x80070032)
Error DISM DISM Package Manager: PID=2076 TID=8732 Failed while processing command enable-feature. – CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x80070032)
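To confirm the state of the feature named in the log and enable it with its parent, as dism's /enable-feature /all would, the following PowerShell can be run before retrying the Director installer. It is an added example, not part of the article, and assumes Windows Server 2012 or later (the Dism PowerShell module) in an elevated session.

```powershell
# Added example (not from the article): check WCF-HTTP-Activation45 and its parent,
# then enable them in dependency order.
$required = 'WCF-Services45', 'WCF-HTTP-Activation45'   # parent first, as dism lists it

function Get-FeatureState([string[]]$Names) {
    foreach ($n in $Names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction Stop
        [pscustomobject]@{ Feature = $n; State = $f.State }
    }
}

Get-FeatureState $required | Format-Table -AutoSize

$missing = Get-FeatureState $required | Where-Object { $_.State -ne 'Enabled' }
if ($missing) {
    # -All enables disabled parents (WCF-Services45) before the feature itself, which is
    # exactly the step whose omission produced DISM error 50 / 0x80070032 in the log.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName 'WCF-HTTP-Activation45' -All -NoRestart
    if ($result.RestartNeeded) { Write-Warning 'Restart before re-running the Citrix Director installer.' }
    Get-FeatureState $required | Format-Table -AutoSize
}
```

On Windows Server 2008 R2, where the Dism module is not available, the equivalent is dism /online /enable-feature /featurename:WCF-HTTP-Activation45 /all.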
Related:
How to best limit SQL injection attacks that are being funneled through an Apache proxy I control
Related:
Microsoft Exchange: 355000 Servers Lack Critical Patch
Governance & Risk Management , IT Risk Management , Patch Management
Fix Released in February Only Installed on 18 Percent of Servers, Rapid7 Warns
Mathew J. Schwartz (euroinfosec) • April 8, 2020
Patch or perish alert: Less than 20 percent of all Microsoft Exchange servers have received a fix for a serious flaw Microsoft first disclosed nearly two months ago, security firm Rapid7 warns.
“As of March 24, there were over 350,000 Exchange servers exposing a version of the software that has this vulnerability,” writes Tom Sellers, a senior manager at Boston-based Rapid7 Labs, in a blog post.
The vulnerability could allow a remote attacker “to turn any stolen Exchange user account into a complete system compromise,” he says. “In many implementations, this could be used to completely compromise the entire Exchange environment – including all email – and potentially all of Active Directory” (see: Why Hackers Abuse Active Directory).
Microsoft addressed the remote-code-execution vulnerability – designated CVE-2020-0688 – via security updates it released on Feb. 11 for all supported versions of Microsoft Exchange. At least at that point, the flaw didn’t appear to have been targeted in the wild, the company said. The flaw was reported to Microsoft by an anonymous researcher via Trend Micro’s Zero Day Initiative.
“A remote-code-execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time,” Microsoft said in its security alert. “Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”
Security Updates Include Patch
To fix the flaw, Microsoft pushed security updates for four base versions of Exchange:
- Exchange Server 2010 service pack 3 update rollup 30;
- Exchange Server 2013 cumulative update 23;
- Exchange Server 2016 cumulative update 14;
- Exchange Server 2016 cumulative update 15;
- Exchange Server 2019 cumulative update 3;
- Exchange Server 2019 cumulative update 4.
But the vast majority of these servers remain unpatched, according to a survey conducted by Project Sonar, Rapid7’s in-house internet scanning project (see: Is COVID-19 Driving a Surge in Unsafe Remote Connectivity?).
“On March 24, we used Project Sonar to survey the internet for publicly facing Exchange Outlook Web App – OWA – services,” Sellers says. “What we found was that at least 357,629 (82.5 percent) of the 433,464 Exchange servers we observed were known to be vulnerable.”
Subsequently, Sellers added a caveat that 35,000 fewer servers might be vulnerable, owing to Microsoft’s fix for Exchange 2010 not updating the visible build information, meaning that scans alone could not tell if an Exchange 2010 system had been updated. Instead, organizations will need to manually verify that every such system has the update. Sellers says they should do the same for all Exchange 2013 and newer systems, noting that the build number alone should indicate if the relevant update is in place.
Check for Compromise
Rapid7 also recommends all organizations that use Exchange search for any signs that they have been compromised via this flaw.
“The exploit code that we tested with left log artifacts in the Windows Event Log and the IIS [Internet Information Services] logs on both patched and unpatched servers,” Sellers says, noting that the log error message will also name the compromised user account.
Because the attack requires a valid Exchange user account to succeed, “any user accounts seen in these exploitation attempts should be considered compromised,” Sellers says.
But Wait, There’s More
Unfortunately, the Project Sonar scans revealed more widespread problems than a lack of CVE-2020-0688 patching. Notably, Rapid7 researchers found 31,000 Exchange 2010 servers online that had received no updates since 2012, as well as 800 Exchange 2010 servers that have never been updated. It also saw 10,371 Exchange 2007 servers.
“In addition to the high numbers of servers that are missing multiple updates, there is a concerning number of Exchange 2007 and 2010 servers,” Sellers says, although he notes that Exchange 2007 is not vulnerable to CVE-2020-0688. Even so, that unsupported product long ago stopped receiving security updates and now carries a raft of critical flaws that attackers could exploit. “Exchange 2007 transitioned to ‘end of support’ status nearly three years ago, on April 11, 2017,” he says. “No security updates, bug fixes, time zone updates, etc., are provided after that date.”
Exchange 2010 was scheduled to reach end of support on Jan. 14, although that’s now been postponed until Oct. 13, 2020. “There are over 166,000 of these servers connected to the internet,” Sellers says. “That’s a staggering number of enterprise-class mail systems that will be unsupported in a few months.”
Related:
How do I convince my Firewall that my request isn’t an SQL injection attack?
Related:
Symantec VIP Integration with IIS 6.2
Hello everyone,
I need a suggestion from the community about the integration that I am trying to build between Symantec VIP Access and IIS on Windows Server 2012 R2.
I have followed the integration guide for VIP – IIS Integration and installed the software as explained in the guide (https://help.symantec.com/cs/VIP_Integrate_with_IIS/).
I have configured the software, and testing from the software works fine with a sample VIP code.
I have added the IIS module for the application in IIS as explained in the guide.
We have a login page (login.aspx) on which we ask the user to enter a username, password and VIP code.
In the login page, as explained in the user guide, I have added the extra code for the Symantec VIP integration, which is:
Security Code : <asp:Textbox id="SecurityCode" runat="server" /><br />
<p></p>
<asp:Textbox id="SymcUserName" Text="<User name field>=" style="display:none"
runat="server" /><br />
– My first question is: I do not know and am not quite sure what I need to replace "User name field" with. Do I need to remove it completely and leave it blank? Please suggest a solution.
Also, in the web.config file, under connectionStrings, we have defined our DC for authentication:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://OurDomainController/DC=domain,DC=com" />
<add name="BeyondReportsDbEntities" connectionString="metadata=res://*/App_Code.Model.csdl|res://*/App_Code.Model.ssdl|res://*/App_Code.Model.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=localhost;initial catalog=Reporting;user id=reports;password=be_re123#;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
<add name="DBReadOnlyUser" connectionString="metadata=res://*/App_Code.Model.csdl|res://*/App_Code.Model.ssdl|res://*/App_Code.Model.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=localhost;initial catalog=Database;user id=ex_reports;password=be_re123#;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
</connectionStrings>
<appSettings>
– My second question is: do we need to add any fields for the Symantec VIP integration in the web.config file?
In this state, on login.aspx, our IIS server is not sending any packets to our Symantec VIP Enterprise Gateway servers, so I think we are missing something there.
I would appreciate if you would help me out with this integration.
Best regards
Related:
Error: “The underlying connection was closed: An unexpected error occurred on a send.” when querying Monitoring Service’s OData endpoint
This error occurs when the client's .NET networking stack does not offer TLS 1.2 to the Monitoring Service's OData endpoint. To fix it, make TLS 1.2 the default on the client machine by adding the registry entries below, so that clients such as Microsoft Excel, PowerShell and LINQPad use TLS 1.2.
Follow the steps for your platform.
Windows Server Version 1709 / Windows 2016 / Windows 10 (for IIS Manager and Web Deploy)
Set the SchUseStrongCrypto registry value by saving the following to enableTLS12.reg and running it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Windows 2012 R2 / 2012 / Windows 8.1 / Windows 8 (for IIS Manager and Web Deploy)
Set the SchUseStrongCrypto registry value by saving the following to enableTLS12.reg and running it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Alternatively, install one of the following updates:
Windows 2012 R2, Windows 8.1: https://support.microsoft.com/en-us/kb/2898850
Windows 2012, Windows 8: https://support.microsoft.com/en-us/kb/2898849
Windows 2008 R2 / Windows 7 (for Web Deploy with NetFX 4.5.2 installed)
Follow the steps mentioned under Windows Server 2012 R2/Windows Server 2012 to enable SchUseStrongCrypto either through the registry or by installing the update in the applicable KB article.
Additionally, you must set the following registry keys, because Windows 2008 R2 and Windows 7 do not enable TLS 1.1 or TLS 1.2 by default. Save the following to enableTLS12.reg and run it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
Then, restart the computer.
Windows 2008 R2 / Windows 7
Install the NetFX update (KB3154518) that enables TLS 1.2 in .NET Framework 3.5.1: https://support.microsoft.com/en-us/kb/3154518
Then, set the following registry value by saving the following to enableTLS12.reg and running it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
Additionally, you must set the following registry keys, because Windows 2008 R2 and Windows 7 do not enable TLS 1.1 or TLS 1.2 by default. Save the following to forceTLS12.reg and run it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
Restart the computer.
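The same settings applied from PowerShell, with a read-back so you can see what a client will negotiate after the reboot. This is an added example, not part of the article. It assumes 64-bit Windows (hence the Wow6432Node keys) and an elevated session; the v2.0.50727 SystemDefaultTlsVersions value and the SCHANNEL keys are only written on Windows 7 / Server 2008 R2 and older, matching the article's platform split. It also sets Enabled=1 explicitly next to DisabledByDefault=0, which the article's .reg files leave at the OS default.

```powershell
# Added example (not from the article): make TLS 1.2 the client default via the
# registry and report the resulting values. Reboot afterwards, as the article says.
$frameworkKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
# .NET 3.5.1 on Windows 7 / 2008 R2 only, after KB3154518 (see the article's last section)
$legacyFrameworkKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-DwordValue([string]$Key, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Enable-Tls12Client {
    # .NET 4.x: SchUseStrongCrypto makes TLS 1.0/1.1/1.2 the default instead of SSL 3.0/TLS 1.0
    foreach ($k in $frameworkKeys) { Set-DwordValue $k 'SchUseStrongCrypto' 1 }

    $os = [Environment]::OSVersion.Version
    if ($os.Major -eq 6 -and $os.Minor -le 1) {       # Windows 7 / Server 2008 R2 (6.1) and older
        foreach ($k in $legacyFrameworkKeys) { Set-DwordValue $k 'SystemDefaultTlsVersions' 1 }
        foreach ($proto in 'TLS 1.1', 'TLS 1.2') {
            foreach ($side in 'Client', 'Server') {
                Set-DwordValue "$schannel\$proto\$side" 'DisabledByDefault' 0
                Set-DwordValue "$schannel\$proto\$side" 'Enabled' 1   # explicit; default on these OS versions
            }
        }
    }
}

function Get-Tls12ClientState {
    $read = { param($Key, $Name) if (Test-Path $Key) { (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).$Name } }
    [pscustomobject]@{
        SchUseStrongCrypto_v4       = & $read $frameworkKeys[0] 'SchUseStrongCrypto'
        SystemDefaultTlsVersions_v2 = & $read $legacyFrameworkKeys[0] 'SystemDefaultTlsVersions'
        Tls12ClientDisabledByDefault = & $read "$schannel\TLS 1.2\Client" 'DisabledByDefault'
        # What this PowerShell process negotiates right now; registry changes apply to new
        # processes only, and SCHANNEL changes need the reboot.
        ThisProcessProtocols        = [Net.ServicePointManager]::SecurityProtocol
    }
}

Enable-Tls12Client
Get-Tls12ClientState
```

If ThisProcessProtocols still lists Ssl3 and Tls only after the reboot, the client is a .NET 4.0 process without the 4.5 runtime, which SchUseStrongCrypto does not affect; update .NET on that machine before retrying the OData query.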