WSE16 and TLS 1.2

  • Question

  • After generating an ssllabs report which enlightened me on TLS vulnerabilities, I broke my WSE 2016 a few times trying to resolve the issue via SCHANNEL registry keys.


    I have since learned that WSE16 relies on vulnerable TLS protocols which there is nothing I can do about.


    My question is, will Windows Server Essentials 2016 receive any updates to address this issue? Or, is there another way to harden my (1 year old) box without breaking WSE core services?

    Friday, 8 May 2020 08:21

Answers

  • As you've found... You cannot disable TLS 1.0 in Windows Server Essentials (seeing as doing so breaks all kinds of things in it). In my WSE RemoteApp add-in, I implement a modified version of this wonderful script by Hass Alexander that does all of the hardening offered by his script, but still leaves TLS 1.0 enabled. It's about the best (compromise) you can get with an Essentials server.

    As for Microsoft updating Essentials... The odds of that happening are pretty much slim to none at this point I'm afraid. Essentials is now abandonware. Microsoft has completely given up on all of their on-premises (small business) server stuff seeing as they now want to drive everyone up to the(ir) cloud (Azure services, etc.; and I'd really LOVE to know how that's working out for all those poor GitHub folks right now - Sheesh!). Unless it involves emoji, colorful app icons, dark themes, ninja cats, or other completely worthless crap, Microsoft just doesn't seem to care about it anymore in Windows (Server). Oy

    • Marked as answer by Andy_Oxon Friday, 8 May 2020 20:24
    • Edited by TheOfficeMaven Tuesday, 12 May 2020 18:38 Clarification
    Friday, 8 May 2020 14:58

All replies

  • Perfect! Thank you!!
    Friday, 8 May 2020 20:25
  • Just wanted to add some additional clarification to this one...

    It has been brought to my attention that it may indeed be possible to disable TLS 1.0/1.1, and enable TLS 1.2, on an Essentials server after all. See this post (and all of the comments below it) for further details. All credit (and kudos) goes to Joe Mills.

    • Edited by TheOfficeMaven Wednesday, 24 June 2020 21:28 Updated link address
    Wednesday, 13 May 2020 15:57
  • Since using Hass Alexander’s script, some websites are blocked due to “TLS issues”. The new link you have provided is one such site.


    Therefore, I will have to assume that the information within the link is related to SCHANNEL and .net registry keys. If so, then when I tried this solution, I neglected to add the .net regkeys to the clients also, at which point I started this thread. I have since learned of my mistake.


    However, I do find Hass Alexander’s most convenient, with thanks!

    Wednesday, 13 May 2020 16:44
  • >>Since using Hass Alexander's script, some websites are blocked due to "TLS issues". The new link you have provided is one such site.<<

    Yes, the latest version of the Hass Alexander script omits some of the AEAD ciphers that are needed for RSA certificates when the script is run under Windows 10/Windows Server 2016 and later. In doing so, some older websites (such as mine) may fail to connect when using the script. You can resolve the issue by simply editing the script to add back in the required ciphers as follows:

    In the script REPLACE:

      Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
      $cipherSuitesOrder = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA'
      )

    WITH:

      Write-Host 'Use cipher suites order for Windows 10/2016 and later.'
      $cipherSuitesOrder = @(
        'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
        'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
        'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
        # Below are the only AEAD ciphers available on Windows 2012R2 and earlier.
        # - RSA certificates need below ciphers, but ECDSA certificates (EV) may not.
        # - We get penalty for not using AEAD suites with RSA certificates.
        'TLS_RSA_WITH_AES_256_GCM_SHA384',
        'TLS_RSA_WITH_AES_128_GCM_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA256',
        'TLS_RSA_WITH_AES_128_CBC_SHA256',
        'TLS_RSA_WITH_AES_256_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA'
      )

    After doing that, run the script again, restart the server, and the issue should now be resolved.
    • Edited by TheOfficeMaven Thursday, 21 May 2020 21:57 Clarification
    Thursday, 21 May 2020 18:39
  • FYI, I've just released updates for all of my WSE RemoteApp add-ins (i.e. Version 1.255.1836.0 or greater) that now allow you to easily "Setup IIS for SSL perfect forward secrecy and TLS 1.2", and optionally "Disable TLS 1.0", on your Essentials server. When you choose to disable TLS 1.0, you'll be prompted to download a simple .REG file that can be run on all of your client computers in order to add the required .NET Framework security settings. With TLS 1.2 enabled, and TLS 1.0/1.1 disabled, you'll be able to achieve an A+ grade (as of this writing) on the SSL Labs SSL Server Test site for your Essentials server's built-in Anywhere Access/Remote Web Access website. Enjoy! ;-)
    Thursday, 21 May 2020 21:51
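    The two posts above describe three things that decide whether an Essentials box and its clients actually negotiate TLS 1.2: the SCHANNEL protocol keys on the server, the cipher suite order (including the TLS_RSA_WITH_AES_*_GCM_* suites the edited script adds back), and the .NET Framework strong-crypto keys that the .REG file sets on clients. The following read-only audit script is an added example and is not part of the thread, of the Hass Alexander script, or of the WSE RemoteApp add-in; it only reads the registry and the active cipher list so you can confirm the state before and after running a hardening script, and it assumes Windows 8.1/Server 2012 R2 or later for the Get-TlsCipherSuite cmdlet.

```powershell
# Added example (not from the thread): read-only audit of the SCHANNEL protocol
# state, the .NET Framework strong-crypto keys, and the RSA AEAD cipher suites.
# Nothing here writes to the registry. Run from an elevated PowerShell prompt.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol/side. "(not set)" means the key or value is absent, so
    # the OS default applies (on Server 2016, TLS 1.0-1.2 are enabled by default).
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path $schannel "$proto\$side"
            $enabled = '(not set)'
            $disabledByDefault = '(not set)'
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path
                if ($null -ne $item.Enabled)           { $enabled = $item.Enabled }
                if ($null -ne $item.DisabledByDefault) { $disabledByDefault = $item.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Get-DotNetStrongCryptoState {
    # The .NET 4.x (and 2.0/3.5) keys that a client-side .REG file typically sets.
    # Without SchUseStrongCrypto / SystemDefaultTlsVersions = 1, older .NET apps
    # may still offer only TLS 1.0, which is why disabling it on the server alone
    # breaks Essentials clients.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
    )
    foreach ($root in $roots) {
        $item = if (Test-Path $root) { Get-ItemProperty -Path $root } else { $null }
        [pscustomobject]@{
            Key                      = $root
            SchUseStrongCrypto       = if ($null -ne $item.SchUseStrongCrypto) { $item.SchUseStrongCrypto } else { '(not set)' }
            SystemDefaultTlsVersions = if ($null -ne $item.SystemDefaultTlsVersions) { $item.SystemDefaultTlsVersions } else { '(not set)' }
        }
    }
}

function Test-RsaAeadSuitesPresent {
    # The thread's script edit adds these two suites back to the cipher order so
    # that an RSA certificate can still negotiate an AEAD (GCM) suite.
    $needed = 'TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_128_GCM_SHA256'
    $active = (Get-TlsCipherSuite).Name
    foreach ($suite in $needed) {
        [pscustomobject]@{ Suite = $suite; Present = ($active -contains $suite) }
    }
}

Get-SchannelProtocolState   | Format-Table -AutoSize
Get-DotNetStrongCryptoState | Format-List
Test-RsaAeadSuitesPresent   | Format-Table -AutoSize
```

    Run it on the server and on one of the client PCs: if the server shows TLS 1.0 with Enabled = 0 but a client still shows SchUseStrongCrypto as "(not set)", that client is the one that will fail to connect, which matches the mistake described earlier in the thread.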
  • You are very knowledgeable TheOfficeMaven. And, your kindness has been greatly appreciated.

    Thank you very much for your time.

    Friday, 22 May 2020 08:51