User Manual
Cybersecurity Concepts – How to Secure the System
Web Browser Security
A6V11646120_enUS_b_40
3.12 Web Browser Security
When using a web browser to run a Desigo CC client, pay special attention to the
security settings of the web browser. Make sure that the function for saving
credentials is disabled in the web browser settings.
Update to TLS 1.2 as default secure protocols in Windows
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity
between two communicating applications and is the most widely deployed security
protocol used today. TLS is used for web browsers and other applications that require
data to be securely exchanged over a network. Through encryption and endpoint
identity verification, it ensures that a connection to a remote endpoint reaches the
intended endpoint. Client-server applications use the TLS protocol to communicate
across a network in a way designed to prevent eavesdropping and tampering. There are
known vulnerabilities associated with SSL 3.0/TLS 1.0 which allow adversaries to
monitor/intercept traffic and decrypt secure transmissions. Updating to TLS 1.2
provides an enhanced level of encryption to protect the network.
See the Microsoft article "Update to enable TLS 1.1 and TLS 1.2 as default secure
protocols in WinHTTP in Windows".
Enable strong cryptography for components targeting .NET Framework 4.5
To enable strong cryptography, the following registry entries must be specified:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.30319
SchUseStrongCrypto (type = DWORD, Value = 1 hexadecimal)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319
SchUseStrongCrypto (type = DWORD, Value = 1 hexadecimal)
Optional: Disable TLS 1.0 and TLS 1.1
Desigo CC runs on TLS 1.2. Once TLS 1.2 is enabled and no other software uses
TLS 1.0 or TLS 1.1, TLS 1.0 and TLS 1.1 can be disabled on the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Enabled (type = DWORD, Value = 0 hexadecimal)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
Enabled (type = DWORD, Value = 0 hexadecimal)
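The following PowerShell script is an added example, not part of the original manual or of Desigo CC. It audits the four registry values listed in the two sections above and, when called with the hypothetical -Apply switch, writes any value that differs. The script layout, variable names and the -Apply switch are assumptions made for this example; the keys and values are those given above.

```powershell
# Added example: audit (and with -Apply, set) the registry values from this page.
param([switch]$Apply)   # -Apply is a name chosen for this example

$net   = 'Microsoft\.NetFramework\v4.0.30319'
$proto = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$settings = @(
    # Strong cryptography for .NET 4.x, 64-bit and 32-bit registry views
    @{ Path = "HKLM:\SOFTWARE\$net";             Name = 'SchUseStrongCrypto'; Want = 1 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$net"; Name = 'SchUseStrongCrypto'; Want = 1 }
    # Optional part: only when no other software on the server uses TLS 1.0/1.1
    @{ Path = "$proto\TLS 1.0\Server";           Name = 'Enabled';            Want = 0 }
    @{ Path = "$proto\TLS 1.1\Server";           Name = 'Enabled';            Want = 0 }
)

$results = foreach ($s in $settings) {
    # A missing key or value yields $null instead of an error
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name `
                    -ErrorAction SilentlyContinue).($s.Name)

    if ($Apply -and $current -ne $s.Want) {
        # Create the key only if absent; New-Item -Force on an existing key would reset it
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Want `
            -PropertyType DWord -Force | Out-Null
        $current = (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
    }

    [pscustomobject]@{
        Key     = $s.Path
        Value   = $s.Name
        Current = if ($null -eq $current) { '(not set)' } else { $current }
        Wanted  = $s.Want
        OK      = ($current -eq $s.Want)
    }
}

$results | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; without -Apply it only reads. Changes to the SCHANNEL protocol keys take effect after the server is restarted.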
Update PresentationHost.exe to TLS 1.2
By default, the XBAP client runs using TLS 1.0 even if TLS 1.2 is enabled on all
machines at the customer’s site. The browser connects using TLS 1.2, but Microsoft
PresentationHost.exe (which executes our XBAP client) reconnects using TLS 1.0.
Therefore, not only the OS but also PresentationHost.exe must use TLS 1.2. There is
no official support site from Microsoft dedicated only to this issue; only generic
information is available, such as:
https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls