
I want to add some registry using WiX installer. Here's my code:

<DirectoryRef Id="TARGETDIR">
  <Component Id="DisableWeakCipherSuites" Guid="7DBE2D50-3C00-4CEF-86CC-897C0C96E7FF" KeyPath="yes">
    <RegistryKey Key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" Root="HKLM" Action="createAndRemoveOnUninstall">
      <RegistryValue Name="Enabled" Value="0" Type="integer" />
    </RegistryKey>
    <RegistryKey Key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" Root="HKLM" Action="createAndRemoveOnUninstall">
      <RegistryValue Name="Enabled" Value="0" Type="integer" />
    </RegistryKey>
    <RegistryKey Key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" Root="HKLM" Action="createAndRemoveOnUninstall">
      <RegistryValue Name="Enabled" Value="0" Type="integer" />
    </RegistryKey>
    <RegistryKey Key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" Root="HKLM" Action="createAndRemoveOnUninstall">
      <RegistryValue Name="Enabled" Value="0" Type="integer" />
    </RegistryKey>
  </Component>
</DirectoryRef>

But instead of adding these keys into CurrentControlSet, installer adds those keys into ControlSet001.

user2412672
  • What kind of server? Terminal server? – Stein Åsmul Sep 06 '19 at 15:57
  • [Would it be better to disable by group policy](https://docs.vmware.com/en/VMware-Horizon-7/7.9/horizon-client-agent-security/GUID-FC2EB030-4D0F-4AA6-9273-0F14A67ADC73.html)? Or are you making a package for large scale distribution? – Stein Åsmul Sep 06 '19 at 16:51

1 Answer


Core OS Keys: Having looked at this briefly - and certainly being no expert at cryptographic algorithms and protocols - I am a bit skeptical of the use of MSI to do this tweak. Due to ever-changing OS protection features - that are hard to predict and sometimes change - I am not sure it is a good idea to hack these keys directly - although some articles state that it is OK. If possible, I would use group policy to set the keys?

Component GUID: There are some further challenges when using MSI for settings like these. I have an older answer on serverfault on why registry settings packages are dangerous. The main problem is that once you point a component GUID at some key path (registry or otherwise), your MSI thinks it "owns the key" and will happily rip it out on uninstall. This may or may not be what you want. You need to be aware of this and account for it in your design and testing. You can set the component to permanent to leave it on uninstall, or set the component with a blank GUID.

Custom Action: It is possible to write to these keys using a custom action that runs elevated in system context. I am always telling people to avoid custom actions if they can, but this purpose seems to be a candidate: it is sort of new and not supported by tools (so far as I know). Hence it fits as something a custom action could be used to do. This will also yield more control of what to do on uninstall and install in terms of inspecting what is already there or make more informed changes on uninstall.

Be aware that custom action code is complicated to test, hard to debug and has challenges with impersonation (security context it runs in), sequencing and conditioning (when it runs - in what installation mode: install, repair, modify, uninstall, etc...). Custom actions are hard to do well. Plain and simple.

Stein Åsmul
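The following PowerShell is an added example; it is not code from the question or from Stein Åsmul's answer. It serves two passages on this page. First, the question's observation that the keys "end up in ControlSet001": HKLM\SYSTEM\CurrentControlSet is a registry symbolic link to HKLM\SYSTEM\ControlSet00N, where N is the `Current` value under HKLM\SYSTEM\Select, so a key written through CurrentControlSet is the same key you see under ControlSet00N (any other ControlSet00N is a separate copy and is not touched). The script resolves the link and reads each cipher key through both names to show they agree. Second, the answer's point about MSI "owning" the key path and a custom action being able to inspect what is already there: the install/uninstall pair records the pre-existing `Enabled` value and restores it, instead of deleting the key, which would revert the cipher to whatever the OS default allows. Assumptions: an elevated PowerShell session; the four cipher key names are the documented SCHANNEL names from the question; the value names `Enabled_Backup` and `Enabled_CreatedKey` and all function names are this example's own. The .NET registry classes are used rather than the `HKLM:` provider because the provider treats the `/` in `RC4 40/128` as a path separator and would create a `128` subkey under `RC4 40`.

```powershell
# Added example, not from the question or the answer. Run elevated.
$Ciphers    = @('RC4 40/128', 'RC4 56/128', 'RC4 128/128', 'Triple DES 168')
$CiphersRel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$BackupName = 'Enabled_Backup'      # example-specific: the Enabled value found before install
$MarkerName = 'Enabled_CreatedKey'  # example-specific: set when the key did not exist before
$HKLM       = [Microsoft.Win32.Registry]::LocalMachine
$DWord      = [Microsoft.Win32.RegistryValueKind]::DWord

function Get-CurrentControlSetName {
    # CurrentControlSet is a link to ControlSet00N; N is HKLM\SYSTEM\Select\Current.
    $select = $HKLM.OpenSubKey('SYSTEM\Select')
    try { 'ControlSet{0:D3}' -f [int]$select.GetValue('Current') } finally { $select.Dispose() }
}

function Get-CipherEnabled {
    param([string]$SubKey)
    # $null means the key is absent (OS default applies); otherwise the Enabled DWORD.
    $key = $HKLM.OpenSubKey($SubKey)
    if ($null -eq $key) { return $null }
    try { $key.GetValue('Enabled', $null) } finally { $key.Dispose() }
}

function Test-CipherKeysConsistent {
    # Read each cipher key via the link and via the resolved ControlSet00N; they must match.
    $set = Get-CurrentControlSetName
    foreach ($c in $Ciphers) {
        $viaLink = Get-CipherEnabled "$CiphersRel\$c"
        $viaSet  = Get-CipherEnabled "SYSTEM\$set\Control\SecurityProviders\SCHANNEL\Ciphers\$c"
        [pscustomobject]@{ Cipher = $c; ViaCurrentControlSet = $viaLink; "Via$set" = $viaSet; SameKey = ($viaLink -eq $viaSet) }
    }
}

function Install-WeakCipherPolicy {
    # Disable each cipher, remembering the prior state so uninstall can restore it.
    foreach ($c in $Ciphers) {
        $path = "$CiphersRel\$c"          # '/' inside $c is a literal character here
        $key = $HKLM.OpenSubKey($path, $true)
        $created = $null -eq $key
        if ($created) { $key = $HKLM.CreateSubKey($path) }
        try {
            $prior = $key.GetValue('Enabled', $null)
            if ($created) { $key.SetValue($MarkerName, 1, $DWord) }
            elseif ($null -ne $prior -and $null -eq $key.GetValue($BackupName, $null)) { $key.SetValue($BackupName, $prior, $DWord) }
            $key.SetValue('Enabled', 0, $DWord)
        } finally { $key.Dispose() }
    }
}

function Uninstall-WeakCipherPolicy {
    # Put back what was there: restore a recorded value, or remove only what we added,
    # and delete the key only if we created it and nothing else has been written to it.
    $parent = $HKLM.OpenSubKey($CiphersRel, $true)
    if ($null -eq $parent) { return }
    try {
        foreach ($c in $Ciphers) {
            $key = $parent.OpenSubKey($c, $true)
            if ($null -eq $key) { continue }
            $removeKey = $false
            try {
                $prior = $key.GetValue($BackupName, $null)
                if ($null -ne $prior) {
                    $key.SetValue('Enabled', $prior, $DWord)
                    $key.DeleteValue($BackupName, $false)
                } else {
                    $key.DeleteValue('Enabled', $false)
                }
                if ($null -ne $key.GetValue($MarkerName, $null)) {
                    $key.DeleteValue($MarkerName, $false)
                    $removeKey = ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0)
                }
            } finally { $key.Dispose() }
            if ($removeKey) { $parent.DeleteSubKey($c, $false) }
        }
    } finally { $parent.Dispose() }
}

"CurrentControlSet -> $(Get-CurrentControlSetName)"
Test-CipherKeysConsistent | Format-Table -AutoSize
```

Running the script as-is only reports which ControlSet00N the link resolves to and the `Enabled` value of each cipher key through both paths; `Install-WeakCipherPolicy` and `Uninstall-WeakCipherPolicy` are there to be called explicitly (for example from a deferred, non-impersonated custom action, or by hand when testing). Windows Installer's own registry writes go through the same registry API, so an MSI that targets `SYSTEM\CurrentControlSet\...` lands in the active ControlSet00N exactly as this script does. SCHANNEL reads these keys when its consumers start, so a change is commonly verified only after a reboot.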