Remote Desktop, MSSQL, and TLS 1.0 and RC4 Ciphers

  • Question

  • Currently SSL Labs suggests that the SSL RC4 ciphers are weak, and that to still mitigate the BEAST attack in older clients, TLS 1.0 can be turned off.

    I have read threads that state that MS SQL server had issues when SSL 3.0 and TLS 1.0 were turned off, and also that turning off TLS 1.0 would break Remote Desktop (which this thread seems to state requires TLS 1.0 and RC4 ciphers:  https://msdn.microsoft.com/en-us/library/aa383015%28v=vs.85%29.aspx ) 

    Also see: 

    • https://technet.microsoft.com/en-us/magazine/ff458357.aspx and
    • https://social.technet.microsoft.com/Forums/en-US/e2b22dad-bb0c-4059-beec-6673783ab777/remote-desktop-stopped-working-after-disabling-ssl-20-and-tls-10

    Is there a way to have a Windows Server 2012, which is fully patched, rely on a greater TLS version than 1.0 and the GCM (or another) cipher for Remote Desktop?  Same question also for MS SQL?

    If the answer is that TLS 1.0 and RC4 must be turned on for Network Layer Authentication in Remote Desktop Services, can you propose a best practice cipher order that would score fairly high on ssl labs?

    Can SSL3.0 and TLS 1.0 be turned off, and still have MS SQL 2012 start (not configured to use SSL connections/sql ssl certificate)?

    Thank you for any input you are able to give.

    Wednesday, January 21, 2015 5:07 PM

All replies

  • Hi,

    Here are some references below for you:

    SSL Cipher Suite Order best practice

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e17d836-39f7-4246-a382-b073d1130079/ssl-cipher-suite-order-best-practice?forum=winserversecurity

    How TLS/SSL Works
    https://technet.microsoft.com/en-us/library/cc783349(v=WS.10).aspx

    Regarding this: Can SSL3.0 and TLS 1.0 be turned off, and still have MS SQL 2012 start

    I would suggest you refer to SQL forum to get professional support:

    https://social.technet.microsoft.com/Forums/sqlserver/en-US/home

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, January 24, 2015 12:50 PM
    Moderator
  • Hello,

    we are asked to disable RC4:

    Port: ms-wbt-server (3389/tcp)


    SSL RC4 Cipher Suites Supported

    Synopsis:

    The remote service supports the use of the RC4 cipher.

    Description:

    The remote host supports the use of RC4 in one or more cipher suites.
    The RC4 cipher is flawed in its generation of a pseudo-random stream
    of bytes so that a wide variety of small biases are introduced into
    the stream, decreasing its randomness.

    If plaintext is repeatedly encrypted (e.g., HTTP cookies), and an
    attacker is able to obtain many (i.e., tens of millions) ciphertexts,
    the attacker may be able to derive the plaintext.

    See also:
    http://www.nessus.org/u?217a3666
    http://cr.yp.to/talks/2013.03.12/slides.pdf
    http://www.isg.rhul.ac.uk/tls/
    http://www.imperva.com/docs/HII_Attacking_SSL_when_using_RC4.pdf


    Solution:

    Reconfigure the affected application, if possible, to avoid use of RC4
    ciphers. Consider using TLS 1.2 with AES-GCM suites subject to browser
    and web server support.

    Plugin Output:

    List of RC4 cipher suites supported by the remote server:

    High Strength Ciphers (>= 112-bit key)

    TLSv1
    RC4-MD5 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
    RC4-SHA Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1

    The fields above are:

    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}



    CVE:
    CVE-2013-2566
    CVE-2015-2808


    BID:
    58796
    73684

    But we don't have any instructions on how to do that. Is it enough to define in the registry:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
      "Enabled"=dword:00000000
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
      "Enabled"=dword:00000000

      Or how can we solve this issue?

    Thursday, May 21, 2015 3:59 PM
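An added example, not code from the thread, that writes the three RC4 keys listed in the post above and pins a cipher-suite order through the same registry value the "SSL Cipher Suite Order" Group Policy uses. It must run elevated on the server, and Schannel only reads these keys at start-up, so a reboot follows. The suite list is an illustrative assumption for a patched Server 2012 host, not a list the thread supplies; drop any name the OS does not support.

```powershell
# Added example, not from the thread: disable the three RC4 Schannel ciphers
# the post lists and pin a cipher-suite order. Run elevated on the server.
# Schannel reads these keys at start-up, so reboot after running it.
# The suite list is an illustrative assumption for a patched Server 2012 host,
# not something the thread supplies; drop any name the OS does not support.

Set-StrictMode -Version Latest

$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Key names like "RC4 128/128" contain a slash. The HKLM: drive provider treats
# "/" as a path separator and would create "RC4 128\128", so use the .NET
# registry API, which takes the subkey name literally.
function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannel\Ciphers\$Name")
    try { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Get-SchannelCipherState {
    param([Parameter(Mandatory)][string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannel\Ciphers\$Name")
    if ($null -eq $key) { return 'not configured (OS default)' }
    try {
        $v = $key.GetValue('Enabled', $null)
        if ($null -eq $v) { 'not configured (OS default)' }
        elseif ([int]$v -eq 0) { 'disabled' }
        else { 'enabled' }
    } finally { $key.Close() }
}

foreach ($c in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
    Disable-SchannelCipher -Name $c
    '{0,-12} {1}' -f $c, (Get-SchannelCipherState -Name $c)
}

# Cipher-suite order: the same value the "SSL Cipher Suite Order" Group Policy
# writes. Functions is one comma-separated REG_SZ, limited to 1023 characters.
# No RC4 suite appears, and the GCM suites only negotiate under TLS 1.2.
$order = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384'
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256'
    'TLS_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA256'
    'TLS_RSA_WITH_AES_128_CBC_SHA256'
    'TLS_RSA_WITH_AES_256_CBC_SHA'
    'TLS_RSA_WITH_AES_128_CBC_SHA'
)
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$functions = $order -join ','
if ($functions.Length -gt 1023) { throw 'Cipher suite list exceeds the 1023-character limit' }
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
Set-ItemProperty -Path $policy -Name 'Functions' -Value $functions -Type String
"Cipher suite order set ($($order.Count) suites); reboot for Schannel to apply."
```

The slash in the RC4 key names is the usual reason a `Set-ItemProperty` on the `HKLM:` path silently lands in the wrong place, which is worth checking with `reg query` if a scanner still reports RC4 after the reboot.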
  • Hi,

    Since this thread has been quiet for a few months, and this is a new question, I would suggest you start a new thread to get more efficient support from the forum community.

    Best Regards,

    Amy



    Friday, May 22, 2015 7:34 AM
    Moderator
    So, from my experience, RDP requires TLS 1.0.  I sure hope MS is working on a new version that supports TLS 1.2. 

    For now I would only disable TLS 1.0 on a per element basis.  Disabling RC4 with the suggested registry settings does not seem to work, as a service can still use the cipher. 

    RDP will continue to use RC4 until its settings are changed. To fix this run tsconfig.msc.  Double click on RDP-Tcp.  Change the Encryption Level to FIPS Compliant.  This should disable RC4-MD5 and RC4-SHA over RDP, which will probably clear the warnings you are receiving.

    Additionally where tsconfig is no longer available you can set:

    \HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel to 4 which should produce the same results.

    Friday, May 29, 2015 8:21 PM
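An added example, not part of the reply above, that applies the FIPS encryption level it describes (MinEncryptionLevel 4) to the RDP-Tcp listener and then checks what the listener actually negotiates: it sends the X.224 connection request that opens an RDP session, asks for the TLS-based security layers, and completes a TLS 1.2-only handshake on the same socket, reporting the version and cipher. Assumptions: it runs elevated on the server, `$Target` is the host to probe, the WMI class `Win32_TSGeneralSetting` is used where present with the registry values from the reply as the fallback (which may need a Remote Desktop Services restart), and the byte layout follows the MS-RDPBCGR connection-request format.

```powershell
# Added example, not part of the thread: put the RDP-Tcp listener on TLS with
# FIPS encryption (MinEncryptionLevel 4, what tsconfig.msc calls "FIPS Compliant")
# and then check what the listener really negotiates, by sending the X.224
# connection request that starts an RDP session and completing a TLS 1.2-only
# handshake on the same socket. Assumptions: run elevated; $Target is the host
# to probe (the server itself here). Value meanings from Win32_TSGeneralSetting:
# MinEncryptionLevel 1=Low 2=Client Compatible 3=High 4=FIPS;
# SecurityLayer 0=RDP Security Layer 1=Negotiate 2=TLS.

$Target = 'localhost'

function Set-RdpTlsFips {
    try {
        $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                            -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        $r1 = $ts.SetSecurityLayer(2)     # TLS only: refuse the legacy RDP security layer
        $r2 = $ts.SetEncryptionLevel(4)   # FIPS
        if ($r1.ReturnValue -ne 0 -or $r2.ReturnValue -ne 0) {
            throw "WMI returned $($r1.ReturnValue)/$($r2.ReturnValue)"
        }
    } catch {
        # Fallback: the registry values the reply above names; may need a TermService restart.
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        Set-ItemProperty -Path $p -Name 'MinEncryptionLevel' -Value 4 -Type DWord
        Set-ItemProperty -Path $p -Name 'SecurityLayer'      -Value 2 -Type DWord
    }
}

function Test-RdpTls {
    param([string]$ComputerName, [int]$Port = 3389)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $net = $client.GetStream()
        # TPKT + X.224 Connection Request + RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1).
        # requestedProtocols = PROTOCOL_SSL (1) | PROTOCOL_HYBRID (2): either
        # answer begins with a TLS handshake, HYBRID then carrying CredSSP/NLA.
        $req = [byte[]](0x03,0x00,0x00,0x13,                   # TPKT, length 19
                        0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,    # X.224 CR TPDU
                        0x01,0x00,0x08,0x00,                   # RDP_NEG_REQ, length 8
                        0x03,0x00,0x00,0x00)                   # SSL | HYBRID
        $net.Write($req, 0, $req.Length)
        $rsp = New-Object byte[] 19
        $n = $net.Read($rsp, 0, $rsp.Length)
        if ($n -lt 19 -or $rsp[11] -ne 0x02) {
            # 0x03 = RDP_NEG_FAILURE; failureCode at offset 15 (e.g. 5 = HYBRID_REQUIRED_BY_SERVER)
            throw ('listener refused TLS: neg type 0x{0:x2}, code {1}' -f $rsp[11], $rsp[15])
        }
        $selected = if ($rsp[15] -band 2) { 'HYBRID (NLA over TLS)' } else { 'SSL (TLS)' }
        # RDP uses a self-signed certificate by default; accept it for the probe only.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $cb)
        # Offer TLS 1.2 only: if this throws, the listener cannot do better than TLS 1.0/1.1.
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{
            SelectedProtocol = $selected
            TlsVersion       = $ssl.SslProtocol
            Cipher           = $ssl.CipherAlgorithm       # RC4 would show up here as "Rc4"
            CipherStrength   = $ssl.CipherStrength
            Hash             = $ssl.HashAlgorithm
            KeyExchange      = $ssl.KeyExchangeAlgorithm
        }
    } finally { $client.Close() }
}

Set-RdpTlsFips
Test-RdpTls -ComputerName $Target | Format-List
```

Requesting both PROTOCOL_SSL and PROTOCOL_HYBRID matters: a listener that requires Network Level Authentication answers a plain SSL-only request with RDP_NEG_FAILURE, which would look like a TLS problem when it is only a policy mismatch. Running the probe a second time with `Tls` in place of `Tls12` shows whether TLS 1.0 is still accepted on the port after the Schannel changes.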