Supported Security Configuration Remediations

Last updated: December 23, 2025

In addition to software patching, Cyrisma supports remediation of select security configuration issues through direct system changes. These remediations address misconfigurations commonly flagged during vulnerability and secure baseline scans.

Disabling Obsolete SSL Versions (POODLE Vulnerability)

  • Root Cause: Obsolete SSL version (SSL 3.0) enabled.

  • CVE: CVE-2014-3566

  • Description: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

  • Remediation: This patch disables SSL 3.0 to prevent its use in communication protocols.

  • Registry Changes:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

 

Disabling Obsolete TLS Versions (Sweet32 Vulnerability)

  • Root Cause: Obsolete TLS versions (TLS 1.0 and TLS 1.1) enabled.

  • CVE: CVE-2016-2183

  • Description: The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

  • Remediation: This patch disables TLS 1.0 and TLS 1.1 protocols.

  • Registry Changes:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

 

Disabling Weak Cipher Suites

  • Root Cause: Weak Cipher Suites (e.g., DES, RC4) enabled.

  • CVE: CVE-CRSM-0001 

  • Description: Weak cipher suites like DES, RC4, and NULL encryption provide insufficient security and are deprecated.

  • Remediation: This patch disables all weak cipher suites.

  • Registry Changes:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
@="NCRYPT_SCHANNEL_INTERFACE"
"Functions"=hex(7):54,00,4c,00,53,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,\
  36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,\
  00,54,00,4c,00,53,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,\
  47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,\
  00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,\
  41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,\
  00,36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,33,00,38,00,34,00,\
  00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,\
  00,44,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,\
  5f,00,31,00,32,00,38,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,32,\
  00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,00,\
  5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,\
  00,5f,00,32,00,35,00,36,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,00,\
  33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,45,\
  00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,\
  53,00,5f,00,31,00,32,00,38,00,5f,00,47,00,43,00,4d,00,5f,00,53,00,48,00,41,\
  00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,00,44,00,48,00,\
  45,00,5f,00,45,00,43,00,44,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,5f,\
  00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,42,00,43,00,5f,00,\
  53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,\
  00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,00,5f,00,57,00,49,00,\
  54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,00,42,\
  00,43,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,53,00,\
  5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,\
  00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,\
  42,00,43,00,5f,00,53,00,48,00,41,00,33,00,38,00,34,00,00,00,54,00,4c,00,53,\
  00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,\
  49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,\
  00,42,00,43,00,5f,00,53,00,48,00,41,00,32,00,35,00,36,00,00,00,54,00,4c,00,\
  53,00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,\
  00,5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,\
  36,00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,\
  00,5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,45,00,43,00,44,00,53,00,41,00,\
  5f,00,57,00,49,00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,\
  00,5f,00,43,00,42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,00,\
  5f,00,45,00,43,00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,\
  00,54,00,48,00,5f,00,41,00,45,00,53,00,5f,00,32,00,35,00,36,00,5f,00,43,00,\
  42,00,43,00,5f,00,53,00,48,00,41,00,00,00,54,00,4c,00,53,00,5f,00,45,00,43,\
  00,44,00,48,00,45,00,5f,00,52,00,53,00,41,00,5f,00,57,00,49,00,54,00,48,00,\
  5f,00,41,00,45,00,53,00,5f,00,31,00,32,00,38,00,5f,00,43,00,42,00,43,00,5f,\
  00,53,00,48,00,41,00,00,00,00,00

 

Enabling WinTrust Certificate Padding Check

  • Root Cause: WinTrust EnableCertPaddingCheck was disabled.

  • CVE: CVE-2013-3900

  • Description: The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka "WinVerifyTrust Signature Validation Vulnerability."

  • Remediation: This patch enables the EnableCertPaddingCheck setting to ensure proper validation.

  • Registry Changes:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]   
"EnableCertPaddingCheck"="1"

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config] 
"EnableCertPaddingCheck"="1"