SSL/TLS Hardening

Shown to remediate multiple vulnerabilities, including BEAST, Poodle, and various birthday attacks

• Navigate to C:\Program Files\NSClient++\NSClient.ini
• Change the values at WEBSERrer and NSCAClient from 1 to 0

• Most servers do not let you save the file directly in the NSCLient++ folder. However, if you save it to Documents and then move it into NSCLient++, it will allow you to replace the original
• Run regedit to access Registry
• Export Registry to create a backup
• Navigate to HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders \SCHANNEL\Protocols\

• Create Keys for SSL 3.0, TLS 1.0, and TLS 1.1 (I delete the SSL 2.0 key and remake it to my own specifications as well, though this shouldn’t be necessary)

• Create a Client and a Server key for each one
• Create a DWORD called DisabledByDefault for each Client and Server Key, and set the value to 1
• Restart Server, as soon as it is safe and approved to do so
• These steps should have remediated common SSL/TLS issues (BEAST, Poodle, etc.) but always perform a secondary scan to confirm after the remediation steps are complete and the server has been restarted