
Disable TLS 1.0 in Windows Server Essentials - …

www.thirdtier.net  https://helpesk.thirdtier.net


Robert Pearman

Contents

  Baseline
    Essentials 2011
    Essentials 2012
    Essentials 2012 R2
  Configuring Essentials 2011
    Disable TLS 1.0
    Review Configuration
  Configuring Essentials 2012
  Configuring Essentials 2012 R2
  Conclusion

Introduction

In a recent blog article I discussed disabling TLS 1.0 in SBS 2011 Standard: the process of doing so, the unexpected consequences, and the workarounds you need to employ to keep your server running. It was written because, from June 30th 2016, having TLS 1.0 enabled on a public-facing server will be considered a security risk and a failure for PCI compliance scanning.

On top of that, it should also be considered best practice to disable this out-of-date protocol. The main caveat of having done this on SBS 2011 Standard is that the Remote Desktop Gateway is no longer accessible from external Windows 7 clients. Windows Server Essentials, and the earlier Small Business Server 2011 Essentials, use SSL in additional ways to SBS Standard, not least of which is the Essentials Dashboard, one of the main components of the Essentials network. In this article we will explore disabling TLS 1.0 and review any workarounds or fixes we need to put in place afterwards.

Baseline

Before we begin adjusting our Essentials servers I thought it would be useful to draw a baseline of the three variations of Essentials. I am not looking at Home Server 2011 or Storage Server 2008 R2 Essentials.

  Essentials 2011   Essentials 2012   Essentials 2012 R2
  F                 C                 C

Table 1: SSL rating as tested by Qualys SSL Labs

Essentials 2011

Essentials 2011 scored an F on the Qualys SSL scan, primarily because SSL is enabled, which limits its score to an F. It would have scored a C if not for that.

Essentials 2012

Essentials 2012 scored a C with its installation defaults; not being hardened against the POODLE attack stopped it from achieving a B rating.

Essentials 2012 R2

Essentials 2012 R2 also scored a C with its installation defaults; again, not being hardened against the POODLE attack, by supporting SSL, stopped it from achieving a B rating.

Configuring Essentials 2011

Having written about TLS hardening before, I already know that we can leverage a very useful PowerShell script to disable old and unsupported protocols and ciphers. In my opinion using a script for something like this is perfect: firstly because the process of creating registry keys is dull, repetitive work; secondly because it is prone to human error; and finally because doing it by hand would take ages.

Disable TLS 1.0

The script we need to collect is available from here, and we simply copy and paste it into either Notepad to run later, or directly into PowerShell. In PowerShell execute:

  .\ <insert picture>

It took literally seconds to apply these fixes via the script, which is not even long enough for Registry Editor to open. After you have applied the fix, you will need to restart. We can then re-run our Qualys test to see how we are performing and determine whether additional steps are required.

  Pre Fix   Post Fix
  F         A

We can see that applying this script has significantly improved our score; however, at this point TLS 1.0 is still enabled.

Confirming all is OK before we proceed any further, we can see that the Dashboard is functioning and client computer status is being reported. Moving on to disable TLS 1.0, we need to edit the registry. Navigate to:

  HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

You will see two DWORD entries. Amend DisabledByDefault to be 1 and Enabled to be 0. You then need to reboot for this change to take effect. After a reboot we can begin to look at what may now be broken.

Review Configuration

On first glance, all the services that are required to be running are indeed running, and there are no SQL databases to be worried about.
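As an added example that is not part of the article and not the script the author links to, the PowerShell below performs the two DWORD edits described above for the TLS 1.0 server key and then lists every protocol\side key that exists under SCHANNEL\Protocols, so the state can be reviewed before the reboot. The function names Set-SchannelProtocol and Get-SchannelProtocolState are my own; it assumes it is run from an elevated PowerShell session on the Essentials server, and the reboot is still required afterwards.

```powershell
# Added example (not from the original article): disable the TLS 1.0 server-side
# protocol via the SCHANNEL registry values and read the resulting state back.
# Assumes an elevated session on the Essentials server; a reboot is still required.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,                                  # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][ValidateSet('Server', 'Client')][string]$Side,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 turns the protocol off; DisabledByDefault = 1 stops callers that
    # do not name a protocol explicitly from negotiating it. Both are set together,
    # exactly as the manual steps above describe.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

function Get-SchannelProtocolState {
    # One row per existing <protocol>\Server or <protocol>\Client key, showing the
    # two DWORDs (blank where a value has not been created).
    Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -in 'Server', 'Client' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Protocol          = Split-Path (Split-Path $_.PSPath -Parent) -Leaf
                Side              = $_.PSChildName
                Enabled           = $p.Enabled
                DisabledByDefault = $p.DisabledByDefault
            }
        }
}

# Disable TLS 1.0 on the server side only, then show what SCHANNEL now has configured.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Side 'Server' -Enabled $false
Get-SchannelProtocolState | Sort-Object Protocol, Side | Format-Table -AutoSize
Write-Host 'Reboot required for SCHANNEL changes to take effect.'
```

Only the Server subkey is changed, matching the article; the Client subkey is left alone so outbound connections the server makes are unaffected by this step.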

On SBS 2011 Standard an additional GPO change was required to allow the use of FIPS-compliant algorithms, which allowed SQL 2008 R2 to function when TLS 1.0 was disabled. Next we can take a look at the Dashboard. On my lab network I have three Essentials 2011 clients: Windows 7, and 10. Upon opening the Dashboard I immediately see that the normal Alerts section shows No Data, and progressing through each tab we see no populated data for Users, Computers or Server Folders. In the file I can see issues connecting to the Provider Registry Service. Logging into the RWA was also affected, which I suspect is due to a reliance on linking through to the Windows Server Services.

Reversing the registry change to enable TLS 1.0 and rebooting, all components of the Dashboard work again. Disabling and enabling the FIPS algorithms, as on SBS 2011 Standard, actually made the issue worse, with the Dashboard unable to open at all. Digging a little deeper we can see in the file that the issue seems to be that the client and server cannot communicate because they do not possess a common algorithm. Digging further we find that the issue appears to be related to the .NET Framework, and that it is attempting to use the now-disabled TLS 1.0. There have been patches released that allow .NET to function using TLS; however, whilst those patches may be installed, it also requires the code being run to be updated to use that.

I brought this up with Microsoft and was directed to several updates that I should install. I confirmed I had already installed these updates and that the problem remained. After a short period of internal testing, Microsoft explained I needed to upgrade to .NET on the server, and that this would allow the Dashboard and associated services to function, with one major caveat: client PC backups would no longer function. Updating to .NET took quite a long time on my lab system, at least an hour; after rebooting I opened the Dashboard.
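The "no common algorithm" failure above is a handshake that cannot agree on a protocol version, and the article confirms the server state by re-running the Qualys scan. As an added example, not part of the article, the PowerShell below does the equivalent check locally: it opens a TCP connection and attempts an SslStream handshake pinned to one protocol version at a time, reporting which versions the server still accepts. The function name Test-TlsVersion, the target 'localhost' and port 443 are my own placeholders; it assumes .NET Framework 4.5 or later on the probing machine, since the Tls11 and Tls12 enum values were added there.

```powershell
# Added example, not part of the original article: probe which TLS versions a
# server's SCHANNEL configuration still accepts. Assumes .NET Framework 4.5+ on
# the probing machine; 'localhost' and 443 below are placeholders for the target.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate trust is deliberately ignored here: the question is only
        # whether the handshake is accepted at this protocol version, not whether
        # the certificate chains to a trusted root.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        # Pin the client to exactly one version so a refusal means the server
        # rejected that version rather than silently negotiating a newer one.
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        [pscustomobject]@{
            Protocol = $Protocol
            Accepted = $true
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Error    = $null
        }
    } catch {
        # SCHANNEL reports the refusal as an inner exception; surface its message.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Cipher = $null; Error = $ex.Message }
    } finally {
        $client.Close()
    }
}

# Walk the versions from oldest to newest. After the registry change and reboot,
# only the Tls (1.0) row should show Accepted = False.
'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    Test-TlsVersion -ComputerName 'localhost' -Protocol ([System.Security.Authentication.SslProtocols]$_)
} | Format-Table Protocol, Accepted, Cipher, Error -AutoSize
```

Run it from a separate client rather than on the server itself where possible: the probe uses the probing machine's own SCHANNEL client settings, so a version disabled on the client side would show as refused regardless of what the server allows.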

The Dashboard opened successfully and displayed Alerts, Devices and Users, although, as expected, client computers showed as Offline. I tested a server backup, which completed successfully, then I moved to my first client PC to install .NET to see if it would then appear as Online in the Dashboard. After a reboot of the Windows 7 machine, it appears in the Dashboard as Online, with the alert status also showing correctly. On Windows the same is true; on Windows 10 .NET is already installed, but I noticed I had to manually start some of the services in order for it to appear Online in the Dashboard, which could just have been an odd occurrence in my lab environment.


Configuring Essentials 2012 R2

Moving on from the disappointment of the previous two Essentials OS's we come to 2012