By Keren Pollack, on June 18th, 2020

Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication between web browsers and servers. It is used in almost every app nowadays. Many IP-based protocols such as HTTPS, SMTP, POP3, and FTP support TLS.

 

The most widely used versions of TLS nowadays are TLS 1.0, TLS 1.1, and TLS 1.2. While TLS 1.0 & TLS 1.1 are known to be very vulnerable, the TLS 1.2 protocol is considered to be much more secure and is thus recommended for use. Furthermore, In October 2018, Apple, Google, Microsoft & Mozilla (responsible for Chrome, Edge, IE, Firefox, and Safari browsers) announced that by the first half of 2020, TLS 1.0 & 1.1 will be disabled by them.

 

POLICY DESCRIPTION:

Regulatory requirements and new security vulnerabilities on TLS 1.0 are leading organizations to disable TLS 1.0 across their IIS infrastructure. While it is no longer the default security protocol in modern OSes, it is in more veteran versions (Windows 7 and older). Therefore, removing TLS 1.0 is a complicated issue due to its dependencies.

Leaving TLS 1.2 and moving to TLS 1.3

POTENTIAL VULNERABILITY:

While exposing your organizations to several vulnerabilities, one of the most critical is a man-in-the-middle attack. This attack risks the integrity and the authentication of data sent between a website and a browser. TLS 1.0 is also responsible for other prevalent TLS vulnerabilities including Heartbleed, POODLE, BEAST, and CRIME.

 

COUNTERMEASURES:

Dependencies on all security protocols older than TLS 1.2 be removed. TLS 1.0 must be disabled.

 

POTENTIAL IMPACT:

Considering the fact that TLS 1.0 has been here for so long, it is highly recommended that its removal process will include the following procedures:

  1. Find and fix hardcoded instances of TLS 1.0.
  2. Scan and analyze end point’s traffic to identify OS using TLS 1.0.
  3. Test your entire application stack with TLS 1.0 disabled.
  4. Migrate legacy OSes and develop frameworks to versions capable of negotiating TLS 1.2.
  5. Test your OSes to identify any TLS 1.2 support issues.
  6. Notify and coordinate with your business partners your plans to neglect TLS 1.0.
  7. Map the clients that may no longer be able to connect your servers once you disable TLS 1.0.

 

SEVERITY:

Critical

 

DEFAULT VALUE:

Windows OS Value
Windows Vista Default
Windows Server 2008 Default
Windows 7 (WS2008 RS) Default
Windows 8 (WS2012) Enabled
Windows 8.1 (WS2012 RS) Enabled
Windows 10 Enabled
Windows Server 2016 Enabled

 

CALCOM’S RECOMMENDED VALUE:

Disable TLS 1.0 in all OSes.

Hardening IIS server guide

HOW TO DISABLE TLS 1.0:

Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

TLS 1.0 subkey table:

 

Subkey
Description
Client Controls the use of TLS 1.0 on the TLS client.
Server Controls the use of TLS 1.0 on the TLS server.

 

To disable TLS 1.0 for client or server, change the DWORD value to 0. If an SSPI app requests to use TLS 1.0, it will be denied.

To disable TLS 1.0 by default, create a DisabledByDefault entry and change the DWORD value to 1. If an SSPI app explicitly requests to use TLS 1.0, it may be negotiated.

 

AUTOMATE IIS SERVER HARDENING:

Server hardening can be a painful procedure. If you’re reading this article, you probably already know it. Endless hours, labor, and money are invested in this process, which can often result in production breakdown despite the effort to prevent it. CSH by CalCom is automating the entire server hardening process. CHS’s unique ability to ‘learn’ your network abolishes the need to perform lab testing while ensuring zero outages to your production environment. CHS will allow you to implement your policy directly on your production hassle-free. want to know more?

Click here and get the datasheet.