Removing TLS 1.0 & 1.1 from TAC Gateway

Removing TLS 1.0 & 1.1 from the PortSys TAC Gateway.

The encryption protocols and their parameters for the PortSys TAC Gateway are provided by its Windows Server 2012 R2 host. Therefore, removing TLS 1.0 from the TAC Gateway requires removing it from its Windows Server.

Over time, vulnerabilities in older encryption suites are discovered, and those suites should be deprecated. The challenge for system administrators is to understand which programs and services will break when obsolete encryption techniques are removed. PortSys recommends thorough testing of corporate systems before removing vulnerable encryption protocols, hashes and digests.

Microsoft has deprecated the entire SSL suite. TLS 1.0 and TLS 1.1 are now also known to be vulnerable.

One program that can be broken by the removal of TLS 1.0 is Microsoft Remote Desktop Protocol (RDP) version 7.0. RDP 7.0 was released with Windows 7 and Windows Server 2008 R2. RDP 7.0 SP1 used TLS 1.0 by default, and RDP 7.0 did not support TLS 1.1 or TLS 1.2.

The TAC Gateway accepts MS RDP communications either over the native RDP transport or over the TAC Client Service transport, which allows security pre-initiation checks to run before login to the TAC Gateway.

Important: Before removing TLS 1.0 from the TAC Gateway 2012 R2 server, make sure that corporate Windows 7 and Windows Server 2008 destinations will accept TLS 1.1 and/or TLS 1.2. Check that Microsoft Security Advisory 3042058 has been applied for compatibility.

https://technet.microsoft.com/library/security/3042058.aspx


On May 12, 2015, Microsoft announced the availability of an update to cryptographic cipher suite prioritization in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2. The update added additional cipher suites to the default list on affected systems and improved cipher suite priority ordering.

Important: Before removing TLS 1.0 from the TAC Gateway 2012 R2 server, make sure that Windows 7 TAC Gateway clients have been updated with Microsoft Security Advisory 3080079, which adds RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2.

https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-support-for-tls-1.1-and-tls-1.2-in-windows-7-or-windows-server-2008-r2

This update provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1 for Remote Desktop Services (RDS).

Remember: You cannot use TLS 1.2 to connect to a server that is running SQL Server 2014 or SQL Server 2012 until KB 3052404 has been applied.

https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server

https://support.microsoft.com/en-us/help/3052404/fix-you-cannot-use-the-transport-layer-security-protocol-version-1.2-t

The TAC Gateway uses SQL Server 2014. Make sure that the TAC Gateway SQL Server is updated to at least SQL Server 2014 SP1 CU5 (released 2/12/16) or SQL Server 2014 SP2. SQL Server 2014 SP2 includes KB 3052404.
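The prerequisite checks above (advisory 3042058 on RDP destinations, advisory 3080079 on Windows 7 TAC clients, and the SQL Server 2014 build level) can be scripted from the gateway before any protocol is disabled. The following PowerShell is an added example, not PortSys or Microsoft code; the host names and the SQL instance name are constructed, it assumes WMI access to the listed hosts and an account that can query the TAC SQL Server, and the minimum build numbers are this example's assumptions rather than values from the article.

```powershell
# Added example: verify the TLS 1.0 removal prerequisites from the TAC Gateway host.
$rdpDestinations = 'win7-dest01', 'w2k8r2-app02'   # constructed: Win7 / 2008 R2 RDP targets
$tacClients      = 'win7-client01'                  # constructed: Windows 7 TAC Gateway client
$sqlInstance     = 'TACGW-SQL\TAC'                  # constructed: TAC Gateway SQL Server 2014 instance

function Test-KBInstalled {
    param([string]$Computer, [string]$KB)
    # Get-HotFix reads Win32_QuickFixEngineering on the remote host; $true if the KB is listed.
    $hf = Get-HotFix -Id $KB -ComputerName $Computer -ErrorAction SilentlyContinue
    return [bool]$hf
}

# Advisory 3042058 (cipher suite prioritization) on the RDP destinations.
foreach ($c in $rdpDestinations) {
    [pscustomobject]@{ Host = $c; KB = 'KB3042058'; Installed = Test-KBInstalled $c 'KB3042058' }
}
# Advisory 3080079 (RDS support for TLS 1.1/1.2) on the Windows 7 TAC clients.
foreach ($c in $tacClients) {
    [pscustomobject]@{ Host = $c; KB = 'KB3080079'; Installed = Test-KBInstalled $c 'KB3080079' }
}

# SQL Server 2014 must be at least SP1 CU5 or SP2 (SP2 includes KB 3052404).
# Build thresholds are assumptions of this example, not taken from the article.
$minBuildSp1Cu5 = [version]'12.0.4439.1'
$minBuildSp2    = [version]'12.0.5000.0'
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$sqlInstance;Integrated Security=True"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)), " +
                   "CAST(SERVERPROPERTY('ProductLevel') AS nvarchar(16))"
$r = $cmd.ExecuteReader()
[void]$r.Read()
$build = [version]$r.GetString(0)
$level = $r.GetString(1)
$conn.Close()
# SP2 or later passes outright; SP1 passes only at CU5 or later.
$ok = ($build -ge $minBuildSp2) -or (($level -eq 'SP1') -and ($build -ge $minBuildSp1Cu5))
[pscustomobject]@{ SqlInstance = $sqlInstance; Build = $build; Level = $level; MeetsMinimum = $ok }
```

Any row showing Installed = False or MeetsMinimum = False must be resolved before the registry changes below are made.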

To Remove TLS 1.0 from the PortSys TAC Gateway

A cipher suite is a set of cryptographic algorithms. The Microsoft Schannel SSP implementation of the TLS/SSL protocols uses algorithms from a cipher suite to create keys and encrypt information. The settings of the Microsoft Schannel.dll Security Support Provider (SSP) are modified to effect these changes.

Disabling or enabling Microsoft cipher suites and protocols is done with the Regedit UI or via PowerShell.

Remember: the absence of an entry in the registry means that the default is used. To change from the default, the key must be created and/or its value changed.

Removing TLS 1.0 from the protocols offered by the TAC Gateway requires disabling it under the Windows Server 2012 R2 TLS 1.0 registry key. TAC only requires the Server subkey to be disabled to remove TLS 1.0.

If the TAC Gateway Windows Server 2012 R2 host needs to communicate, as a client, with other servers that require TLS 1.0, then do not disable TLS 1.0 in the Client subkey.

Microsoft TLS/SSL Settings

https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS10

(Below are the Microsoft instructions, with additional step lines added for clarity.)

To disable or modify TLS 1.0

Use Regedit, go to:

  1. Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  2. If there is NOT a folder under Protocols for TLS 1.0, click New, select Key and label it "TLS 1.0" (with a space between TLS and 1.0).
  3. If there is NOT a folder under TLS 1.0 for Server, click New, select Key and label it "Server".
  4. To disable the TLS 1.0 protocol, create an Enabled DWORD entry in the Server subkey. This entry does not exist in the registry by default. After you have created the entry, set the DWORD value to 0 to disable the protocol. To enable the protocol, set the DWORD value to 1.

To disable or modify TLS 1.1

Use Regedit, go to:

  1. Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  2. If there is NOT a folder under Protocols for TLS 1.1, click New, select Key and label it "TLS 1.1" (with a space between TLS and 1.1).
  3. If there is NOT a folder under TLS 1.1 for Server, click New, select Key and label it "Server".
  4. To disable the TLS 1.1 protocol, create an Enabled DWORD entry in the Server subkey. This entry does not exist in the registry by default. After you have created the entry, set the DWORD value to 0 to disable the protocol. To enable the protocol, set the DWORD value to 1.
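The same two procedures, done with PowerShell instead of the Regedit UI, as an added example that is not PortSys or Microsoft code. It creates the "TLS 1.0\Server" and "TLS 1.1\Server" keys only when they are missing (an absent key means the default is in use), sets Enabled to 0, and leaves the Client subkeys untouched so the gateway can still reach back-end servers that require TLS 1.0. Run it from an elevated PowerShell session on the TAC Gateway host.

```powershell
# Added example: disable the Server side of TLS 1.0 and TLS 1.1 in Schannel.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelServerProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'TLS 1.0' (note the space)
    $serverKey = Join-Path (Join-Path $base $Protocol) 'Server'
    # No key means "use the default"; -Force also creates the missing parent key.
    if (-not (Test-Path $serverKey)) {
        New-Item -Path $serverKey -Force | Out-Null
    }
    # Enabled = 0 (DWORD) disables the protocol; setting it to 1 re-enables it.
    New-ItemProperty -Path $serverKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    # Return the value actually stored so the change can be verified.
    return (Get-ItemProperty -Path $serverKey -Name 'Enabled').Enabled
}

function Get-SchannelServerState {
    # Report the Server\Enabled value per protocol; $null means no entry (default in use).
    foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $k = Join-Path (Join-Path $base $p) 'Server'
        $v = $null
        if (Test-Path $k) {
            $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{ Protocol = $p; ServerEnabled = $v }
    }
}

# Before: show the current state.
Get-SchannelServerState | Format-Table -AutoSize

foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    $result = Disable-SchannelServerProtocol -Protocol $proto
    Write-Host "$proto Server\Enabled is now $result"
}

# After: confirm both show 0, then restart the TAC Gateway in a maintenance window.
Get-SchannelServerState | Format-Table -AutoSize
# Restart-Computer   # uncomment when the maintenance window is open
```

The change takes effect only after the restart described below.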

After making the changes, restart the TAC Gateway server.

IMPORTANT: The server restart should be performed in a maintenance window, as there may be service disruption during the reboot.

For Additional Information:

Cipher Suites in TLS/SSL (Schannel SSP)

https://msdn.microsoft.com/en-us/library/windows/desktop/aa374757(v=vs.85).aspx

Supported Cipher Suites and Protocols in the Schannel SSP

https://technet.microsoft.com/en-us/library/dn786419.aspx

Differences in the Schannel SSP by Operating System Version

https://technet.microsoft.com/en-us/library/dn786433.aspx

Schannel Security Support Provider Technical Reference

https://technet.microsoft.com/en-us/library/dn786425(v=ws.11).aspx

PCI Security Standards Council revises date for migrating off vulnerable SSL and early TLS (1.0) encryption

https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_(002).pdf

IIS Crypto (this is a free tool that is not endorsed by PortSys, Inc.; follow your corporate policies)

https://www.nartac.com/Products/IISCrypto/