7.13 Ensure AES 256/256 Cipher Suite is enabled

Information

AES 256/256 is the most recent and mature cipher suite for protecting the confidentiality and integrity of HTTP traffic. Enabling AES 256/256 is recommended. This is enabled by default on Server 2012 and 2012 R2.

Rationale:

Enabling this cipher will help ensure the confidentiality and integrity of data in transit.

Solution

To enable the AES 256/256 cipher:
1. Ensure that the following key does not exist. If it does exist, you can either delete the key or proceed to step 2.

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256\

2. If the key exists, ensure the following value is set to 0xFFFFFFFF.

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256\Enabled
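
The two steps above as a PowerShell check. This is an added example, not part of the benchmark text. The function name Test-Aes256Cipher and its -Remediate switch are hypothetical, and the script assumes the Enabled value is stored as a DWORD.

```powershell
# Added example. Test-Aes256Cipher and -Remediate are hypothetical names.
function Test-Aes256Cipher {
    [CmdletBinding()]
    param([switch]$Remediate)

    # The PowerShell registry provider treats the "/" in "AES 256/256" as a
    # path separator, so open the key through the .NET registry API instead.
    $subKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $Remediate.IsPresent)

    # Step 1: the key does not exist, so nothing overrides the default.
    if ($null -eq $key) {
        return [pscustomobject]@{ Compliant = $true; Detail = 'Key absent' }
    }
    try {
        # Step 2: the key exists, so Enabled must be the DWORD 0xFFFFFFFF.
        $raw = $key.GetValue('Enabled', $null)
        $isDword = ($null -ne $raw) -and
            ($key.GetValueKind('Enabled') -eq [Microsoft.Win32.RegistryValueKind]::DWord)
        if ($isDword) {
            # .NET returns a DWORD as a signed Int32 (-1); reinterpret as unsigned.
            $value = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$raw), 0)
            if ($value -eq [uint32]::MaxValue) {
                return [pscustomobject]@{ Compliant = $true; Detail = 'Enabled = 0xFFFFFFFF' }
            }
            $detail = 'Enabled = 0x{0:X8}' -f $value
        } else {
            $detail = 'Enabled missing or not a DWORD'
        }
        if ($Remediate) {
            # -1 is the Int32 bit pattern of 0xFFFFFFFF, the form SetValue
            # accepts for a DWord value.
            $key.SetValue('Enabled', -1, [Microsoft.Win32.RegistryValueKind]::DWord)
            return [pscustomobject]@{ Compliant = $true; Detail = "Fixed (was: $detail)" }
        }
        return [pscustomobject]@{ Compliant = $false; Detail = $detail }
    } finally {
        $key.Close()
    }
}

Test-Aes256Cipher    # add -Remediate from an elevated session to apply step 2
```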

See Also

https://workbench.cisecurity.org/benchmarks/14293