Can TLS 1.0 and older ciphers be disabled on web server?

dshu · ‎04-15-2019

Had a quick look on the knowledgebase to see if there was an existing article but a few search terms returned no results.

I'm trying to ascertain if it's OK to harden my Lansweeper web server to no longer use dated ciphers and TLS 1.0 - could someone confirm? I believe disabling TLS 1.0 was causing warranty checking issues a few years back.

Thanks in advance.

JacobH · ‎04-16-2019

I mean I know that doesn't really answer your question - but I figure if you're concerned with security/TLS , you would be concerned with being on Win2k8 in general...

https://www.lansweeper.com/knowledgebase/move-lansweeper-to-different-server/

JacobH · ‎04-16-2019

can you migrate to a modern windows OS? that's what I would do in your case... LS makes it easy

then you can kill two birds with one stone.

dshu · ‎04-16-2019

Thanks both for the feedback, I'll get this done today.

dshu · ‎04-16-2019

dshu wrote:
Thanks both for the feedback, I'll get this done today.

Quick update: this broke our install on a Win Server 2008 R2 deployment, when disabling TLS 1.0 using IIS Crypto to harden the box. I've reeanbled TLS1.0 via IIS Crypto and we can once again access.

JSchlackman · ‎04-15-2019

I completed this for all servers in our environment recently. I can confirm that disabling TLS 1.0 caused no issues.

If you want to go one step further and also disable TLS 1.1 (we did), you will need to make sure you add the registry settings to tell .NET Framework to use TLS 1.2, as it currently won't do so by default. See this Microsoft documentation for the keys to set (there's even a .reg file example): https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#for-net-framework-35---452-and-not-wcf

Noobmode · ‎04-18-2019

JSchlackman wrote:
I completed this for all servers in our environment recently. I can confirm that disabling TLS 1.0 caused no issues.

If you want to go one step further and also disable TLS 1.1 (we did), you will need to make sure you add the registry settings to tell .NET Framework to use TLS 1.2, as it currently won't do so by default. See this Microsoft documentation for the keys to set (there's even a .reg file example): https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#for-net-framework-35---452-and-not-wcf

I personally found this to be a good resource for the registry keys. Even though it states Exchange, it should work for any .net installation. The page includes 4.X and 3.5 keys

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

JSchlackman · ‎04-19-2019

Noobmode wrote:

I personally found this to be a good resource for the registry keys. Even though it states Exchange, it should work for any .net installation. The page includes 4.X and 3.5 keys

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

I also used that page at first, but it does not mention the SchUseStrongCrypto key that is needed for some applications to work when you disable TLS 1.1 (Lansweeper included).

Esben_D · ‎04-15-2019

If you're on version 6.0.230.46 or higher, everything should work with TLS 1.0 disabled.

Can TLS 1.0 and older ciphers be disabled on web server?

New to Lansweeper?

Try Lansweeper For Free