Improving SSL Security (for SSL Labs test)
It's worth installing all the available Windows Security updates before proceeding with these fixes.
Weak Diffie-Hellman and the Logjam Attack
Based on this Windows security advisory article: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2016/3174644?redirectedfrom=MSDN
You need to set a larger key size. With the default key size of 1024 bits, it is possible to crack the encryption and then downgrade the encryption protocol in order to eavesdrop on SSL traffic.
Create an empty text file called dhfix.reg and paste the following content, then double click on it to apply these settings.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800
This server accepts RC4 cipher, but only with older protocols.
As part of the RC4 suite, the older MD5 and SHA algorithms are considered weak, so they need to be disabled.
The advice is that you MUST first install security update 2868725. Note: this is already included as part of Windows Server 2012 R2.
Create an empty text file called rc4fix.reg and paste the following content, then double click on it (or right click and open with regedit) to apply these settings.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
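To confirm that both .reg files took effect, the following PowerShell script reads the four values back and reports each one. It is an added example, not part of the original page; the function name Test-SchannelSetting is a hypothetical helper, and the script only reads the registry.

```powershell
# Added example: read-only audit of the values written by dhfix.reg and rc4fix.reg.
$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Min/Max bound the acceptable DWORD: DH must be at least 2048 (0x800), RC4 must be 0.
$checks = @(
    @{ Key = 'KeyExchangeAlgorithms\Diffie-Hellman'; Name = 'ServerMinKeyBitLength'; Min = 2048; Max = [int]::MaxValue }
    @{ Key = 'Ciphers\RC4 128/128'; Name = 'Enabled'; Min = 0; Max = 0 }
    @{ Key = 'Ciphers\RC4 40/128';  Name = 'Enabled'; Min = 0; Max = 0 }
    @{ Key = 'Ciphers\RC4 56/128';  Name = 'Enabled'; Min = 0; Max = 0 }
)

# Hypothetical helper name, not a built-in cmdlet.
function Test-SchannelSetting {
    param([hashtable]$Check)

    # Open the key through the .NET registry API. The PowerShell registry provider
    # treats the "/" in names such as "RC4 128/128" as a path separator, so an
    # HKLM:\ path would not resolve to the key that the .reg file created.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$base\$($Check.Key)")
    $value = $null
    if ($null -ne $key) {
        $value = $key.GetValue($Check.Name)
        $key.Close()
    }

    if ($null -eq $value) {
        $status = 'NOT SET (OS default applies)'
    } elseif ($value -ge $Check.Min -and $value -le $Check.Max) {
        $status = 'OK'
    } else {
        $status = 'FAIL'
    }

    [pscustomobject]@{
        Key    = $Check.Key
        Name   = $Check.Name
        Value  = $value
        Status = $status
    }
}

$results = foreach ($check in $checks) { Test-SchannelSetting -Check $check }
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task flag a server whose settings drifted.
if (@($results | Where-Object Status -ne 'OK').Count -gt 0) { exit 1 }
```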
