The Secrets of The French…

The first class that I took on Microsoft Windows was with a very nice French-Canadian instructor whose name I think was Denis. He told an interesting story that I wish I had retained the details of. He told us that following The Great War (WW1), the government of France decided that codes and secrets and encrypted messages had contributed greatly to the atmosphere that caused the war. With that, they decided that encryptions would be heavily regulated. It was because of this, Denis assured us, that while for the rest of the world Windows 2000 installed with 56-bit encryption as the default (with the option of kicking it up to 128-bit encryption), when you installed Windows 2000 in French, the default would be 40-bit encryption.

I am not entirely sure how true this story is, but I do remember the 40-bit encryption issue. Whatever the true origins of the story might be, that was real.

I have a customer that I have been working with who requires their servers be installed in French. Even in the Province of Quebec that is not as common as you might think, but it is the case with this customer, and I respect it and have no issue with it. Except that one problem kept coming up that was baffling me. I could not install PowerShell modules. To be fair, I could import PowerShell modules that had been downloaded onto other computers without a problem. I simply could not use the Install-Module cmdlet. I would receive the following error:

[Screenshot: the Install-Module error]

Now I am not sure if this is directly related to the French laws drafted after The Great War, but I do know that this is not something I have ever come across on an English language server. I did some digging, and sure enough there were some security protocols missing. I ran the following cmdlet and discovered that I only had Ssl3 and Tls…

[Net.ServicePointManager]::SecurityProtocol

[Screenshot: output listing only Ssl3 and Tls]

Okay, that’s not right. We need Tls 1.2 for this to work. So I ran the following cmdlets to modify the registry:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

These enable strong cryptography for both the 32-bit and the 64-bit .NET Framework (version 4 and up).

You have to shut down all open PowerShell consoles, and then when you open them up fresh and run the same cmdlet as above you get:

[Net.ServicePointManager]::SecurityProtocol

[Screenshot: output now including Tls 1.2]

Okay, now Tls 1.2 is enabled, and we are able to proceed with the installation of our PowerShell modules.

**NOTE:** Before you do this, make sure you speak with your Security and Compliance teams. They might have a good reason for you not to do this. If that is the case, you can ask for an exception window; say, you can open the protocols for an hour. After you are done, use the following to close them:

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '0' -Type DWord

Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '0' -Type DWord
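For the exception-window case, here is an added example (not part of the original post) that goes one step beyond the registry change: it records the current SchUseStrongCrypto values so there is something to compare against afterwards, and it enables Tls 1.2 for the current PowerShell session only, leaving the machine-wide setting untouched. It assumes .NET Framework 4.5 or later; the function names and the module name `ExampleModule` are placeholders.

```powershell
# Added example, not from the original post. Assumes .NET Framework 4.5 or later
# (needed for the Tls12 enum value). 'ExampleModule' is a placeholder name.
$NetFxKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319'
)

function Get-StrongCryptoState {
    # Report SchUseStrongCrypto under each key. $null means the value is absent,
    # which is not the same recorded state as an explicit 0.
    param([string[]]$Path = $NetFxKeys)
    foreach ($key in $Path) {
        $prop = Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = if ($prop) { $prop.SchUseStrongCrypto } else { $null }
        }
    }
}

function Invoke-WithTls12 {
    # Add Tls12 to this process only, run the script block, then restore the
    # protocol set that was in effect before. Nothing is written to the registry.
    param([Parameter(Mandatory)][scriptblock]$ScriptBlock)
    $previous = [Net.ServicePointManager]::SecurityProtocol
    try {
        [Net.ServicePointManager]::SecurityProtocol = $previous -bor [Net.SecurityProtocolType]::Tls12
        & $ScriptBlock
    }
    finally {
        [Net.ServicePointManager]::SecurityProtocol = $previous
    }
}

# Keep a record of the starting point for the change ticket.
Get-StrongCryptoState | Format-Table -AutoSize
"Session protocols before: $([Net.ServicePointManager]::SecurityProtocol)"

Invoke-WithTls12 { Install-Module -Name 'ExampleModule' -Scope CurrentUser }

"Session protocols after:  $([Net.ServicePointManager]::SecurityProtocol)"
```

Because the change lives only in the running process, closing the console is enough to end the exception window, and other .NET applications on the server never see it.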

Conclusion

There is a saying that just because you can do something does not necessarily mean that you should. Decisions you make alone in your lab are fine for you… but when your actions affect the security of a larger organization, it is a good idea to get sign-off from the powers that be before you make any change.
