IT Nota


How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, typically between a website and a browser.

TLS 1.0 and its deprecated predecessor, SSL, are vulnerable to well-known attacks such as POODLE and BEAST. According to NIST, these vulnerabilities cannot be fixed or patched; therefore all companies, especially banks and other financial institutions, which are notoriously slow in upgrading their systems, need to upgrade to a secure alternative as soon as possible and disable any fallback to both SSL and the older TLS 1.0.

As of 30 June 2018, SSL and TLS 1.0 should be disabled, and a more secure encryption protocol such as TLS 1.2 (or, at the minimum, TLS 1.1) is required to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

The next question, then, is how do we enable TLS 1.2 on Windows Servers? Especially on older servers such as Windows Server 2008, since many companies are not on the latest and greatest operating systems.

This post will address what to look for and how to enable TLS 1.2 as the default protocol for Windows Server 2012 R2 or older.

IMPORTANT: As always, and it’s worth repeating, you need to back up your current registry settings before attempting any of these changes on your servers.

Enable TLS 1.2 on Windows Servers 2008 SP2 or later

These steps apply to any server running Windows Server 2008 SP2 or later. Microsoft provided an update that adds support for TLS 1.1 and TLS 1.2 to Windows Server 2008, but it requires Windows Server 2008 SP2 to be installed.

So just to state the obvious, TLS 1.1 and TLS 1.2 are not supported for 32-bit Windows Server 2008 SP1.

  1. Launch regedit.exe.

  2. In registry, go to:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    
  3. Create a new subkey named TLS 1.2, and under it create two more subkeys named Client and Server.

  4. Under the subkey Server, create another DWORD Enabled with a value of 1.

  5. Still under the subkey Server, create a DWORD DisabledByDefault with a value of 0.

  6. You must create the DisabledByDefault entry in each subkey you enable (Client, Server) and set its DWORD value to 0, since this entry is treated as 1 by default.

    Windows 2008 Standard enabling TLS 1.2

  7. Reboot the server and test.
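The same SCHANNEL change as a script, so it can be applied consistently (and checked) on more than one server. This is an added example, not part of the original post: it exports a backup of the Protocols key first, as the post insists, then creates both the Client and Server subkeys with Enabled and DisabledByDefault set, and reads the values back. It assumes an elevated PowerShell session and only the registry paths the post itself lists.

```powershell
# Added example (not from the original post): enable TLS 1.2 in SCHANNEL for both the
# client and server side, after exporting a backup of the Protocols key.
# Run in an elevated PowerShell session; the paths are the ones the post lists.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Back up the existing Protocols key first. reg.exe export writes a .reg file that
#    can be re-imported with reg.exe import if the change has to be rolled back.
$backup = Join-Path $env:TEMP ('SCHANNEL-Protocols-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backup /y | Out-Null
Write-Host "Backup written to $backup"

# 2. Create TLS 1.2\Client and TLS 1.2\Server, each with Enabled=1 and DisabledByDefault=0.
#    DisabledByDefault has to be written explicitly as 0: a missing value counts as 1.
foreach ($side in 'Client', 'Server') {
    $key = Join-Path $protocols "TLS 1.2\$side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 0 -Force | Out-Null
}

# 3. Read the values back so the change can be verified before the reboot.
foreach ($side in 'Client', 'Server') {
    $p = Get-ItemProperty -Path (Join-Path $protocols "TLS 1.2\$side")
    '{0,-6} Enabled={1} DisabledByDefault={2}' -f $side, $p.Enabled, $p.DisabledByDefault
}
```

The read-back at the end is the check worth keeping: a typo in the key name (for example a missing space in "TLS 1.2") silently creates an unrelated key that SCHANNEL ignores, and the server keeps negotiating the old protocols after the reboot.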

Enable TLS 1.2 on .NET Framework 3.5 (including 2.0)

.NET Framework 3.5 and earlier did not originally allow applications to use the TLS System Default Versions as their cryptographic protocol. However, for Windows Server 2012 R2, check whether KB3154520 is installed (or KB3154519 for Windows Server 2012; KB3154518 for Windows Server 2008 R2; KB3154517 for Windows Server 2008 SP2).

How to check the KB updates

  1. Right-click on the Windows button and select Programs and Features.

    Windows Server 2012 R2 Programs and Features

  2. On the Programs and Features window, click on View installed updates in the left pane.

    Windows Server 2012 R2 View installed updates

  3. You will see a list of the installed updates, which you can narrow down, or search for a specific one, by using the Search Installed Updates box. You can type in the KB number (e.g., “KB3154520”).

    Windows Server 2012 R2 KB3154520 update

  4. If the corresponding KB is already installed, we just need to enable it via a registry change. Otherwise, you need to install the patch from either of the links for Windows Server 2012 R2 (or use the corresponding links above for earlier versions of Windows Server).

Registry Change

  1. Launch regedit.exe.

  2. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
    
  3. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  4. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  5. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    
  6. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  7. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  8. For a 64-bit OS, the same changes are also needed in the following location:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
    
  9. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  10. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  11. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
    
  12. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  13. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  14. Test.

Windows Server 2012 R2 TLS default

Enable TLS 1.2 as default for WinHTTP

This may apply to any Classic ASP or VB6 application that uses WinHTTP. Prior to Windows 10 and Windows Server 2016, TLS 1.1 and 1.2 are not enabled by default for client-server communications through WinHTTP.

To set TLS 1.2 by default, do the following:

  1. Create a registry entry DefaultSecureProtocols on the following location:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    
  2. Set the DWORD value to 800 (hexadecimal, i.e., 0x800) for TLS 1.2.

  3. For a 64-bit OS, repeat steps 1 and 2 in the following location:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    
  4. Reboot the server and test.
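The KB check, the .NET Framework registry change and the WinHTTP change from the three sections above, combined into one script. This is an added example, not the post’s own code: it looks for the KB with Get-HotFix (the KB number is set for Windows Server 2012 R2 and has to be changed for the other versions the post lists), writes SystemDefaultTlsVersions and SchUseStrongCrypto to the four .NET keys, writes DefaultSecureProtocols to the WinHTTP keys, and reads everything back. It assumes an elevated session; the Wow6432Node copies are written only on a 64-bit OS, which is the same condition the post states. Note that the WinHTTP value takes effect only once the WinHTTP update linked under Further Reading is present on the server.

```powershell
# Added example (not from the original post): verify the .NET TLS update is installed,
# then apply the .NET Framework and WinHTTP registry values the post describes. Run elevated.

# The KB depends on the OS; the post lists these four. Adjust $kb for your server.
$kb = 'KB3154520'   # Server 2012 R2 (2012: KB3154519, 2008 R2: KB3154518, 2008 SP2: KB3154517)
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $kb }
if ($installed) {
    "$kb is installed (installed on $($installed.InstalledOn))"
} else {
    Write-Warning "$kb is not installed; the .NET values below have no effect until it is."
}

# .NET Framework: let the framework follow the OS default TLS versions and use strong crypto.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit .NET applications on a 64-bit OS read the Wow6432Node copies instead.
    $netKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}
foreach ($key in $netKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $key -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
}

# WinHTTP: DefaultSecureProtocols is a bit mask, and 0x800 selects TLS 1.2.
# regedit displays the value as hexadecimal "800"; in PowerShell it is written as 0x800.
$winHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if ([Environment]::Is64BitOperatingSystem) {
    $winHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}
foreach ($key in $winHttpKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -PropertyType DWord -Value 0x800 -Force | Out-Null
}

# Read everything back before rebooting.
foreach ($key in $netKeys) {
    $p = Get-ItemProperty -Path $key
    '{0}: SystemDefaultTlsVersions={1} SchUseStrongCrypto={2}' -f $key, $p.SystemDefaultTlsVersions, $p.SchUseStrongCrypto
}
foreach ($key in $winHttpKeys) {
    $p = Get-ItemProperty -Path $key
    '{0}: DefaultSecureProtocols=0x{1:X}' -f $key, $p.DefaultSecureProtocols
}
```

One caveat on the .NET values: SystemDefaultTlsVersions only changes what an application gets when it does not choose a protocol itself. Code that sets ServicePointManager.SecurityProtocol explicitly keeps whatever it asked for, so an application that still fails after the reboot should be checked for a hard-coded protocol version.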

Windows Server 2012 R2 DefaultSecureProtocols registry entry

Windows 10 and Windows Server 2016/2019 support TLS 1.2 for client-server communications by using WinHTTP.

Further Reading

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
TLS/SSL Settings
How to enable TLS 1.2 for Configuration Manager
Transport Layer Security (TLS) best practices with the .NET Framework
Support for TLS System Default Versions included in the .NET Framework 2.0 SP2 on Windows Vista SP2 and Server 2008 SP2
Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
How to enable TLS 1.2 on the site servers and remote site systems
Use Case Scenario: Known issues connecting SSRS Server 2016 (new) to SQL Server 2008 (old) with TLS

Download

Solving the TLS 1.0 Problem (MS Word document)

October 12, 2018 Filed Under: How To Tagged With: Information Security, Microsoft, Windows Server

How to Create Key Pair Using Kleopatra (GnuPG)

If you need a free solution to encrypt files or email, Gpg4win (GNU Privacy Guard for Windows) may provide more encryption than you need. It is free software and pretty straightforward to install. Before you can use it, though, you need to create a key pair first, and this may be confusing to beginners. Here are the steps to generate a key pair in Gpg4win’s Kleopatra:

  1. Launch Kleopatra and click on New Key Pair.

    Kleopatra creating new key pair

  2. Type in your name and email. Although it’s optional, it’s important that you fill this in, as your email will be used as the identity to verify your signature.

    Click on the Advanced Settings….

    Kleopatra key pair creation wizard

  3. Select ECDSA/EdDSA. For starters you can leave the defaults, then click OK.

  4. There’s a whole range of debate about using RSA vs ECDSA, and you can check some of the links included at the bottom of this post. The short version is: use ECDSA when you can, and use RSA if you have compatibility concerns.

    Kleopatra key pair creation advanced settings

  5. Click on the Next button, then click on Create.

    Kleopatra key pair creation review parameters

  6. In the next window, you’ll be asked to type in a passphrase. Don’t leave this blank. Use a good passphrase, with the quality bar as your guide. Then click OK.

    Kleopatra set passphrase for key pair creation

  7. When the key pair is successfully created, you will see the following window with your fingerprint. Make sure you click Make a Backup Of Your Key Pair before clicking Finish.

    Kleopatra key pair successfully created

Once this process is completed, you can export your public key and give it to anyone who needs to send you an encrypted message or file, and you’re ready to communicate securely.
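The same wizard steps done from the command line with the gpg.exe that Gpg4win installs, as an added example that is not part of the original post. It assumes Gpg4win is installed and gpg.exe is on the PATH; the name and email are placeholders. The key type mirrors the wizard’s ECDSA/EdDSA choice with its defaults: an Ed25519 signing key with a Curve25519 encryption subkey (stated here as an assumption about what the defaults produce). The passphrase is requested by the pinentry prompt, not passed on the command line, and the backup and public-key export correspond to steps 7 and the paragraph above.

```powershell
# Added example (not from the original post): create a key pair with Gpg4win's gpg.exe.
# $name and $email are placeholders; pinentry prompts for the passphrase. Do not leave it blank.
$name  = 'Jane Example'
$email = 'jane@example.invalid'

# Ed25519 signing key that never expires. gpg asks "Continue? (Y/n)" and then for a passphrase.
gpg.exe --quick-generate-key "$name <$email>" ed25519 sign never

# Pick up the new key's fingerprint from the machine-readable listing
# (field 10 of the "fpr:" record holds the fingerprint).
$fpr = (gpg.exe --list-keys --with-colons $email |
        Where-Object { $_ -like 'fpr:*' } |
        Select-Object -First 1).Split(':')[9]
"Fingerprint: $fpr"

# Add the Curve25519 encryption subkey so the key can receive encrypted files and mail.
gpg.exe --quick-add-key $fpr cv25519 encr never

# Back up the whole key pair (store this file somewhere safe and offline)...
gpg.exe --armor --output "$env:USERPROFILE\gpg-secret-key-backup.asc" --export-secret-keys $fpr

# ...and export the public key, which is what you hand to people who want to write to you.
gpg.exe --armor --output "$env:USERPROFILE\gpg-public-key.asc" --export $fpr
```

The secret-key backup file is protected only by the passphrase chosen at creation, so the quality of that passphrase is what the strength of the backup rests on.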

Download

Gpg4win

Further Reading

ECDSA: The digital signature algorithm of a better internet
SSH key-type, RSA, DSA, ECDSA. Which to choose?

October 1, 2018 Filed Under: How To Tagged With: Information Security, Internet, Windows

Live Cyber Attacks Map

Live cyber attack maps from various companies may give you a different outlook on Internet security.

Fire Eye Cyber Threat Map

No longer available

The explanation from Norse Security’s website:
“Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).”

Click on the image below to see live cyber security attacks right now. At this point, the live map only supports the Chrome browser.

Cyber Attack Map Norse Security

July 7, 2014 Filed Under: Internet Tagged With: Information Security

Heartbleed Bug, What You Need to Do

Patched Heartbleed bug

For the past two years (since March 2012), millions of websites may have been leaking sensitive data due to a major flaw in the OpenSSL software that is used to encrypt and transmit Internet data.

The Heartbleed bug, as the researchers who discovered it named it, would enable hackers to obtain a compromised site’s encryption keys, which makes all data passing through it basically available for them to see. What makes it worse is that this type of attack would leave no trace. Considering how many websites used the affected versions of OpenSSL, the potential damage could be serious.

The good news is that, now that this security flaw has been discovered, many major companies are already patching their websites.

Affected Sites

  • Yahoo
  • Google
  • Facebook
  • Dropbox
  • Amazon
  • Intuit (TurboTax)
  • Many others…

For any other sites not listed, check their vulnerabilities by using this LastPass Heartbleed checker.

What You Need to Do

Until the affected websites have fixed the vulnerability, you can’t do much, because you could very well be handing over your new password to an undetected hacker. But once they have patched their OpenSSL, you need to change your password right away. At this point the sites mentioned above have already patched their sites, so it’s safe to change your password.

If you have a habit of using the same password for all your online accounts, then you need to change your password for all sites, because your password is already compromised through the affected services. Hackers can still use that same password to gain entry to your accounts on the unaffected websites.

Don’t Use the Same Password for Multiple Websites

It bears repeating with this latest discovery that it’s never a good idea to use the same password for multiple accounts. Even if you don’t want to use a unique password for each online account you own, at the very least do so by group: use one password for critical sites such as your online banking and tax, another one for email, and a different one for other, less important sites. Make sure you also follow these safety tips for social media.

Further Reading

Here’s What You Need to Know About the ‘Heartbleed’ Bug That’s Attacking Millions of Websites
What Should You Do About the Heartbleed Security Flaw?
The Heartbleed Aftermath Drags On: What Passwords You Need to Change Now
Not just websites hit by OpenSSL’s Heartbleed – PCs, phones and more under threat
Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem

April 10, 2014 Filed Under: Internet Tagged With: Information Security

How to Activate Google 2-Step Verification

With a huge increase in email accounts getting hacked, you need more than just a strong password to protect them. Fortunately for Gmail users, Google provides “2-step verification”, which will alert you by sending a text message to your registered cell phone if someone tries to gain access to your email. This feature has been out for a while, but many people are still not aware of it.

Google 2-Step Verification is actually very easy to set up and doesn’t take much of your time; you just need to link your Gmail account to your cell phone. Follow the steps below to activate it:

1. Log in to your Gmail and, in the top right-hand corner, click on the little arrow next to your name and select the Account link.
Gmail Account Setting

2. On the Accounts page, click on Security.

Gmail Accounts Tab

Accounts Tab

3. You will see your 2-step verification status. Click on the Edit button.

Gmail 2-Step Verification Screen

Security Tab

4. You will see the splash screen to start the setup. Click on the blue Start setup » button.

Gmail Verification Start Setup Screen

Start Setup Screen

5. Enter your cell phone number in the textbox and click on Send code button. You will receive a 6-digit verification code within a few minutes. If you’re outside the U.S., make sure you select your country of residence by clicking on the drop-down arrow next to the flag icon in the same textbox with the phone number.

Setup Phone Screen

Setup Phone Screen

6. Enter the code you received on your cell phone into the Enter verification code box and click Verify.

Enter Verification Code Screen

Verify Phone Number

7. You can either check the Trust this computer box or not. Since I’m using a home computer, I want to trust my computer. Don’t check it if you log in from a public or shared computer. Click the Next » button.

Trust this Computer Screen

Trust this Computer

8. Once you click the Confirm button, your 2-step verification is activated.

You will see the notice “2-step verification has been turned on for this account” at the top of your Gmail screen. You should also receive an email confirmation about your 2-step verification.

Please remember that virtually nothing is impossible to hack, but at the very least, by activating this verification, your Google account should be more secure than if it were only protected by a password.

May 26, 2012 Filed Under: How To Tagged With: Google, Information Security

Copyright © 2011-2025 IT Nota. All rights reserved. Terms of Use | Privacy Policy | Disclosure