Overview:
Many organizations want, or require the use of, HTTPS to ensure secure communications between web browsers and servers. Security improvements and discovered vulnerabilities have led to the release of updated protocol versions over the years. We recommend that the server running Essentials be configured to use at least TLS 1.1 for secure communications. For the strongest security, you may configure TLS 1.2 as the minimum required protocol.
Solution:
All communication between Essentials and users is handled by IIS. IIS uses the cryptographic subsystems of the host operating system to negotiate a secure connection. To configure which protocols will be used by IIS, you must configure the available protocols and ciphers at the OS level.
A third-party tool called IIS Crypto simplifies the process of modifying the server registry and running the commands necessary to enable or disable the various available SSL/TLS protocols. IIS Crypto is available from its vendor here: https://www.nartac.com/Products/IISCrypto/
We recommend using either the Best Practices option or the PCI 3.1 template with IIS Crypto. Best Practices will keep TLS 1.0 enabled and PCI 3.1 will disable it, making TLS 1.1 the minimum requirement. Disabling TLS 1.0 may cause issues for any clients running Windows XP or IE 9 and earlier.
Otherwise, you may follow Microsoft's instructions for configuring the Schannel component: https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc. We recommend that you disable SSLv2 and SSLv3 and consider disabling TLS 1.0.
Note: TLS 1.2 requires Windows Server 2008 or later. It is not supported by Windows Server 2003. Furthermore, restricting the available protocols may interfere with connections from older clients such as Windows XP or Internet Explorer 9 and earlier. Using any recent version of Chrome or Firefox is the best way to ensure a secure connection when connecting from an older or unsupported Microsoft OS.
Note: The cryptography subsystem is used by many components of Windows, including IIS and Remote Desktop. If your server is Windows Server 2008, check that your Remote Desktop service supports TLS 1.1 and 1.2 before disabling TLS 1.0. See https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-support-for-tls-1-1-and-tls-1-2-in-windows-7-or-wind for more information on this functionality.
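The following PowerShell script is an added example and is not part of this article, nor is it code from the Essentials vendor or from IIS Crypto. It applies the article's "TLS 1.1 minimum" recommendation directly through the Schannel registry layout described in the Microsoft article linked above (the Protocols\<name>\Server and \Client keys with their Enabled and DisabledByDefault DWORD values). The Get-SchannelProtocolState function is assumed here as a way to record the starting state before any change, so the change can be reviewed and reverted if Remote Desktop or an older client breaks.

```powershell
# Added example (not from the article): configure Schannel protocol versions.
# Run from an elevated PowerShell session on the IIS host. Schannel reads these
# keys at boot, so a reboot is required for the change to take effect.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # Report Enabled / DisabledByDefault for every protocol and role.
    # $null means the key is absent and the OS default for that version applies.
    foreach ($proto in $Protocols) {
        foreach ($role in 'Server', 'Client') {
            $path = Join-Path (Join-Path $SchannelRoot $proto) $role
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path
                $enabled           = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')]
        [string]$Protocol,

        [Parameter(Mandatory)]
        [bool]$Enable
    )
    # Both roles are set: Server covers IIS (and RDP) accepting connections,
    # Client covers outbound connections the OS itself makes.
    foreach ($role in 'Server', 'Client') {
        $path = Join-Path (Join-Path $SchannelRoot $Protocol) $role
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Enabled=0 turns the version off outright; DisabledByDefault=1 stops it
        # being offered unless an application requests it explicitly.
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Record the starting point before touching anything.
Get-SchannelProtocolState | Format-Table -AutoSize

# Apply the article's recommendation: SSLv2/SSLv3 off, TLS 1.1 the minimum.
Set-SchannelProtocol -Protocol 'SSL 2.0' -Enable $false
Set-SchannelProtocol -Protocol 'SSL 3.0' -Enable $false
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false   # remove this line to keep TLS 1.0 (the "Best Practices" equivalent)
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# Confirm the values written, then reboot the server.
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run the first Get-SchannelProtocolState call before anything else and keep its output; it is the quickest way back if the Remote Desktop caveat from the note above turns out to apply. To require TLS 1.2 only, add a further call disabling TLS 1.1.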