
I'm using GPPs to deliver some registry values and grabbed these using the Registry Wizard tool. This has created a collection with a folder structure underneath. I want to use Item-level targeting to apply these, so I assigned this at the top collection level. The impression I get from research is that this setting should propagate down to all values; however, they don't get applied.

If I set this on a single registry value below this level it does get applied so clearly there's something blocking this.

There are too many values to set this manually on each, so I really could do with getting this working.

To give a little background, I'm trying to set SCHANNEL Ciphers, Hashes, KeyExchangeAlgorithms and Protocols to IISCrypto Best Practices. I noticed there's a GPO setting under "Local Policies > Security Options > System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" which sounds like it should set what I'm trying to set here, but it doesn't appear to change these registry values either, so I abandoned this method.

Any ideas?

jshizzle

2 Answers


The Policy

Computer Configuration\Windows Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

does directly affect the registry item

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled

and sets it to either 0 or 1.

If you don't see any changes, you are looking at the wrong place.

Daniel
  • Ah ok, thanks for that. The registry item you reference is present and showing as enabled, so that looks good; however, the following key and the keys/values below it do not show any change, and that is where I've been checking: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL. When using the tool IISCrypto to set these client-side protocols, the changes were reflected in the above key structure, so I was naturally checking here after the changes I made, and I would have thought the system cryptography GPO setting would modify these too? – jshizzle Dec 14 '16 at 11:17
  • I only realized that there was a policy setting after I tried to set this through preferences. When the policy setting didn't appear to work I went back to trying to deliver this through preferences and then logged this due to it not appearing to apply. – jshizzle Dec 14 '16 at 11:20
  • Thinking about this, I'd rather have more granular control over which cryptography algorithms are used anyway. The policy setting doesn't give this so ideally would like this being pushed out via preferences as I was originally trying to do. – jshizzle Dec 14 '16 at 11:30
  • I don't find any policy setting or template that modifies `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`. – Daniel Dec 14 '16 at 11:31
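The distinction made in this answer and its comments is worth seeing on a live machine: the FIPS policy writes a single DWORD under `Lsa\FipsAlgorithmPolicy`, while the protocol, cipher, hash and key-exchange state the question is after lives under `SecurityProviders\SCHANNEL` and has to be written there, one value at a time, which is what the GPP registry collection is for. The following PowerShell is an added example and is not code from either poster; it audits both locations and includes a `-WhatIf`-capable setter that writes the same values a GPP registry item for one protocol would deliver. It assumes an elevated session on the target machine; the registry paths are the documented ones, and the `'TLS 1.0'` sample at the end is a constructed illustration, not a copy of any IISCrypto template.

```powershell
# Added example (not from the original post). Run elevated on the machine
# receiving the GPO/GPP. Paths are the documented LSA and SCHANNEL locations.
$LsaFips  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-DwordOrDefault([string]$Path, [string]$Name) {
    # Distinguish "value absent, OS default applies" from an explicit 0 or 1;
    # an audit that collapses the two will miss half-applied preferences.
    $v = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return '(default)' }
    return $v.$Name
}

function Get-FipsPolicy {
    # This is the only value the "System cryptography: Use FIPS compliant
    # algorithms" policy writes. It does not touch the SCHANNEL tree.
    return Get-DwordOrDefault -Path $LsaFips -Name 'Enabled'
}

function Get-SchannelProtocolState {
    # Protocols\<name>\<Client|Server> each carry Enabled and DisabledByDefault.
    $root = Join-Path $Schannel 'Protocols'
    if (-not (Test-Path $root)) { return }
    foreach ($proto in Get-ChildItem $root) {
        foreach ($side in 'Client', 'Server') {
            $p = Join-Path $proto.PSPath $side
            [pscustomobject]@{
                Protocol          = $proto.PSChildName
                Side              = $side
                Enabled           = Get-DwordOrDefault -Path $p -Name 'Enabled'
                DisabledByDefault = Get-DwordOrDefault -Path $p -Name 'DisabledByDefault'
            }
        }
    }
}

function Get-SchannelAlgorithmState {
    # Ciphers, Hashes and KeyExchangeAlgorithms use one Enabled DWORD per subkey.
    foreach ($cat in 'Ciphers', 'Hashes', 'KeyExchangeAlgorithms') {
        $root = Join-Path $Schannel $cat
        if (-not (Test-Path $root)) { continue }
        foreach ($k in Get-ChildItem $root) {
            [pscustomobject]@{
                Category = $cat
                Name     = $k.PSChildName
                Enabled  = Get-DwordOrDefault -Path $k.PSPath -Name 'Enabled'
            }
        }
    }
}

function Set-SchannelProtocol {
    # Writes, for one protocol, the same values a GPP registry collection would
    # deliver (two DWORDs per side). -WhatIf prints the intended writes, which
    # is a quick way to compare against what the GPP actually applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $on  = [int]$Enabled
    $off = [int](-not $Enabled)
    foreach ($side in 'Client', 'Server') {
        $p = Join-Path $Schannel "Protocols\$Name\$side"
        if ($PSCmdlet.ShouldProcess($p, "Enabled=$on DisabledByDefault=$off")) {
            New-Item -Path $p -Force | Out-Null
            New-ItemProperty -Path $p -Name 'Enabled' -PropertyType DWord -Value $on -Force | Out-Null
            New-ItemProperty -Path $p -Name 'DisabledByDefault' -PropertyType DWord -Value $off -Force | Out-Null
        }
    }
}

"FIPS policy (Lsa\FipsAlgorithmPolicy\Enabled): $(Get-FipsPolicy)"
Get-SchannelProtocolState  | Format-Table -AutoSize
Get-SchannelAlgorithmState | Format-Table -AutoSize
# Constructed sample: disable TLS 1.0 on both sides, dry run only.
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false -WhatIf
```

Run the audit before and after `gpupdate /force` to confirm the preference items landed; if a protocol row still reads `(default)` after the refresh, the GPP item was not written, which is exactly the symptom of a preference item with an empty Hive field. SCHANNEL protocol changes only take effect after a reboot, so audit the registry rather than trusting a TLS handshake test immediately after applying.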

Bah, it was down to the registry collection wizard not populating the Hive value in the preference as part of the process. The weird thing is that this value was already selected when viewing each value's properties, so it knew what it should be. Re-selecting this and applying set this properly.

Thanks for your advice anyway.

jshizzle