ALPHA, COMING SOON

Study CryptoConfig

Windows SCHANNEL configuration utility · v1.0.3.2

Harden TLS on Windows without touching the registry by hand. Toggle protocols by Client and Server role, order cipher suites, apply one of six built-in templates, and export a deployable PowerShell script or .reg file. Portable executable, no installer.

TLS 1.2 / 1.3 · Cipher Suite Management · PowerShell Export · Registry Export · Best Practices · PCI DSS 4.0 · Genetec SC 5.11+ · CIS Benchmark L1 / L2 · FIPS 140-2 · Zero Install

[Screenshot: Study CryptoConfig · Windows SCHANNEL Configuration Utility · Hans Study, CISSP · v1.0.3.2]

Templates: Best Practices, CIS Benchmark, Genetec SC 5.11+, PCI DSS 4.0, FIPS 140-2, Windows Default

Current guidance: TLS 1.2 / 1.3 only, ECDHE+GCM ciphers, no CBC, SHA-256+ hashes. Aligned with NIST SP 800-52 Rev 2 (2024).

Tabs: Protocols, Cipher Suites, Hashes, Key Exchange

SSL / TLS protocol configuration, Client and Server roles independent:

SSL 2.0 (INSECURE): Client role DISABLED, Server role DISABLED
SSL 3.0 (INSECURE): Client role DISABLED, Server role DISABLED
TLS 1.0 (INSECURE): Client role DISABLED, Server role DISABLED
TLS 1.2: Client role ENABLED, Server role ENABLED
TLS 1.3: Client role ENABLED, Server role ENABLED

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\(Protocol)\(Client|Server)

Export: PowerShell (.ps1), Registry (.reg)

Run as Administrator · Reboot required after apply
PROTOCOLS TAB, SSL 2.0 through TLS 1.3, Client and Server roles independently controlled
[Screenshot: Cipher Suites tab]

Cipher suite order, priority descending, click row to toggle

Quick filters: Strong Only, Medium + Strong, Enable All, Disable All · 7 / 22 enabled

Columns: #, cipher suite, strength, TLS 1.3

1. TLS_AES_256_GCM_SHA384, STRONG, TLS 1.3: YES
2. TLS_AES_128_GCM_SHA256, STRONG, TLS 1.3: YES
3. TLS_CHACHA20_POLY1305_SHA256, STRONG, TLS 1.3: YES
4. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, STRONG, TLS 1.3: --
5. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, STRONG, TLS 1.3: --
8. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, MEDIUM, TLS 1.3: --
9. TLS_RSA_WITH_AES_256_GCM_SHA384, MEDIUM, TLS 1.3: --

Registry path: HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
CIPHER SUITES TAB, ordered priority list, click to toggle, quick filter buttons, enabled count
Protocol Control
Enable or disable SSL 2.0 through TLS 1.3 independently for Client and Server roles. Clear INSECURE flags mark anything that should not be running in a production environment.
Cipher Suite Ordering
Full Windows SCHANNEL cipher list with strength classification. Click any row to toggle. Exported PowerShell sets the priority order via the Cryptography policy key, no Group Policy editor required.
Six Built-in Templates
Best Practices (NIST SP 800-52 Rev 2), CIS Benchmark L1 / L2, Genetec Security Center 5.11+, PCI DSS 4.0, FIPS 140-2, and Windows Default. One click, everything configured.
PowerShell + REG Export
Generate a deployable .ps1 or importable .reg file from any configuration. Every export includes author, version, and copyright header. Copy to clipboard or download directly.
Genetec-Aware
Dedicated Genetec SC 5.11+ template tuned for Security Center deployments. Accounts for mixed Omnicast and SV32 environments where legacy Archivers are still in the field.
Portable EXE, Zero Install
Single portable executable. Drop it on a USB, a technician share, or a jump server. UAC elevation is built into the manifest. No installer, no registry entries for the app itself.
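
To check a host before or after applying an exported configuration, the following read-only PowerShell audit is an added example, not output from Study CryptoConfig or code by its author. It assumes the standard SCHANNEL `Enabled` and `DisabledByDefault` DWORD values under the Protocols registry path shown above; the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example (not Study CryptoConfig output): read-only audit of SCHANNEL
# protocol settings per role. Makes no changes to the registry.
$Base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
$Allowed   = 'TLS 1.2', 'TLS 1.3'   # page guidance: TLS 1.2 / 1.3 only

function Get-SchannelProtocolState {   # hypothetical helper name
    param([string]$Protocol, [string]$Role)

    $key = "$Base\$Protocol\$Role"
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        # Read each DWORD only if it exists; a missing value means "not set".
        if ($props.PSObject.Properties['Enabled']) { $enabled = $props.Enabled }
        if ($props.PSObject.Properties['DisabledByDefault']) {
            $disabledByDefault = $props.DisabledByDefault
        }
    }

    # Enabled = 0 turns the protocol off; any non-zero value (1 or 0xFFFFFFFF) turns it on.
    if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'Not configured (OS default)' }
    elseif ($enabled -eq 0) { $state = 'Disabled' }
    elseif ($disabledByDefault) { $state = 'Disabled by default' }
    else { $state = 'Enabled' }

    [pscustomobject]@{
        Protocol = $Protocol
        Role     = $Role
        State    = $state
        # Flag anything outside TLS 1.2 / 1.3 that is not explicitly disabled.
        Review   = ($Protocol -notin $Allowed) -and ($state -ne 'Disabled')
    }
}

$report = foreach ($p in $Protocols) {
    foreach ($r in 'Client', 'Server') {
        Get-SchannelProtocolState -Protocol $p -Role $r
    }
}
$report | Format-Table -AutoSize
```

A protocol reported as not configured follows the built-in default of that Windows version, so a Review flag on such a row means the state is implicit rather than enforced.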

Want a heads-up when the alpha drops? Send a note to contact@hans.study with "Study CryptoConfig" in the subject and you will be on the list.