Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication between web browsers and servers. It is used in almost every app nowadays. Many IP-based protocols such as HTTPS, SMTP, POP3, and FTP support TLS.
The most widely used versions of TLS nowadays are TLS 1.0, TLS 1.1, and TLS 1.2. While TLS 1.0 and TLS 1.1 are known to be very vulnerable, the TLS 1.2 protocol is considered much more secure and is therefore the recommended version. Furthermore, in October 2018, Apple, Google, Microsoft and Mozilla (responsible for the Safari, Chrome, Edge, IE and Firefox browsers) announced that they would disable TLS 1.0 and 1.1 by the first half of 2020.
IIS hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor, and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CHS by CalCom automates the entire server hardening process. CHS’s unique ability to ‘learn’ your network eliminates the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production servers, hassle-free.
In this article you’ll learn:
- The potential vulnerability in having enabled TLS 1.0
- How to mitigate this vulnerability
- The potential impact of mitigating it on your network’s function
- The severity of the vulnerability
- What we recommend to do
- A practical guide on how to configure this setting in the most secure fashion
Regulatory requirements and new security vulnerabilities in TLS 1.0 are leading organizations to disable TLS 1.0 across their IIS infrastructure. While it is no longer the default security protocol in modern OSes, it still is in older ones (Windows 7 and earlier). Removing TLS 1.0 is therefore a complicated task because of these dependencies.
Leaving TLS 1.0 enabled exposes your organization to several vulnerabilities; one of the most critical is a man-in-the-middle attack, which puts at risk the integrity and the authentication of data sent between a website and a browser. TLS 1.0 is also associated with other prevalent TLS vulnerabilities, including Heartbleed, POODLE, BEAST, and CRIME.
Dependencies on all security protocols older than TLS 1.2 should be removed. TLS 1.0 must be disabled.
Considering that TLS 1.0 has been around for so long, it is highly recommended that its removal process include the following steps:
- Find and fix hardcoded instances of TLS 1.0.
- Scan and analyze endpoint traffic to identify operating systems still using TLS 1.0.
- Test your entire application stack with TLS 1.0 disabled.
- Migrate legacy OSes and development frameworks to versions capable of negotiating TLS 1.2.
- Test your OSes to identify any TLS 1.2 support issues.
- Notify your business partners of your plans to deprecate TLS 1.0 and coordinate the change with them.
- Map the clients that may no longer be able to connect to your servers once you disable TLS 1.0.
| Operating system | TLS 1.0 state |
|---|---|
| Windows Server 2008 | Default |
| Windows 7 (WS2008 R2) | Default |
| Windows 8 (WS2012) | Enabled |
| Windows 8.1 (WS2012 R2) | Enabled |
| Windows Server 2016 | Enabled |
CALCOM’S RECOMMENDED VALUE:
Disable TLS 1.0 in all OSes.
HOW TO DISABLE TLS 1.0:
Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
TLS 1.0 subkey table:
| Subkey | Purpose |
|---|---|
| Client | Controls the use of TLS 1.0 on the TLS client. |
| Server | Controls the use of TLS 1.0 on the TLS server. |
To disable TLS 1.0 for the client or the server role, set the DWORD value in the corresponding subkey to 0. An SSPI application that requests TLS 1.0 will then be denied.
To disable TLS 1.0 only by default, create a DisabledByDefault entry in the subkey and set its DWORD value to 1. TLS 1.0 is then not offered, but an SSPI application that explicitly requests it may still negotiate it.
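As an added example (not code from the article or from CHS), the following PowerShell script audits the current TLS 1.0 registry state and applies the recommended settings to both subkeys. It assumes the standard Schannel value names `Enabled` and `DisabledByDefault` under the `TLS 1.0\Client` and `TLS 1.0\Server` subkeys, and must run in an elevated session.

```powershell
# Added example: audit and disable TLS 1.0 for the Schannel client and server
# roles. Assumes the standard Schannel DWORD names "Enabled" and
# "DisabledByDefault" under each protocol subkey. Requires an elevated
# session; Schannel reads these values at boot, so reboot after applying.
$Tls10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0'

function Get-Tls10State {
    # Report each role's values. A missing key or value means the OS default
    # applies (see the per-OS table above), which is why the audit shows it.
    foreach ($role in 'Client', 'Server') {
        $key   = Join-Path $Tls10Key $role
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Role              = $role
            KeyExists         = [bool]$props
            Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { '(default)' }
            DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(default)' }
        }
    }
}

function Disable-Tls10 {
    # -WhatIf propagates to the registry cmdlets, so the change can be
    # previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $Tls10Key $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0: TLS 1.0 is refused even when an SSPI app asks for it.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        # DisabledByDefault = 1: also not offered by default. Redundant once
        # Enabled is 0, but it keeps the intent explicit if someone later
        # flips Enabled back without reviewing the whole key.
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Note: disabling the Client role also affects outbound connections the server
# itself makes (for example to back-end services), so test those paths too.
Write-Host 'Current TLS 1.0 state:'
Get-Tls10State | Format-Table -AutoSize
Disable-Tls10 -WhatIf   # remove -WhatIf to apply, then reboot
```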