dshu
Engaged Sweeper III
Had a quick look on the knowledgebase to see if there was an existing article but a few search terms returned no results.

I'm trying to ascertain if it's OK to harden my Lansweeper web server to no longer use dated ciphers and TLS 1.0 - could someone confirm? I believe disabling TLS 1.0 was causing warranty checking issues a few years back.

Thanks in advance.
8 REPLIES
JacobH
Champion Sweeper III
I mean I know that doesn't really answer your question - but I figure if you're concerned with security/TLS, you would be concerned with being on Win2k8 in general...

https://www.lansweeper.com/knowledgebase/move-lansweeper-to-different-server/


JacobH
Champion Sweeper III
Can you migrate to a modern Windows OS? That's what I would do in your case... LS makes it easy

then you can kill two birds with one stone.
dshu
Engaged Sweeper III
Thanks both for the feedback, I'll get this done today.
dshu
Engaged Sweeper III
dshu wrote:
Thanks both for the feedback, I'll get this done today.


Quick update: this broke our install on a Win Server 2008 R2 deployment, when disabling TLS 1.0 using IIS Crypto to harden the box. I've re-enabled TLS 1.0 via IIS Crypto and we can once again access.
JSchlackman
Engaged Sweeper III
I completed this for all servers in our environment recently. I can confirm that disabling TLS 1.0 caused no issues.

If you want to go one step further and also disable TLS 1.1 (we did), you will need to make sure you add the registry settings to tell .NET Framework to use TLS 1.2, as it currently won't do so by default. See this Microsoft documentation for the keys to set (there's even a .reg file example): https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#for-net-framework-35---452-and-not-wcf
Noobmode
Engaged Sweeper III
JSchlackman wrote:
I completed this for all servers in our environment recently. I can confirm that disabling TLS 1.0 caused no issues.

If you want to go one step further and also disable TLS 1.1 (we did), you will need to make sure you add the registry settings to tell .NET Framework to use TLS 1.2, as it currently won't do so by default. See this Microsoft documentation for the keys to set (there's even a .reg file example): https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#for-net-framework-35---452-and-not-wcf


I personally found this to be a good resource for the registry keys. Even though it states Exchange, it should work for any .NET installation. The page includes 4.X and 3.5 keys.

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
JSchlackman
Engaged Sweeper III
Noobmode wrote:

I personally found this to be a good resource for the registry keys. Even though it states Exchange, it should work for any .NET installation. The page includes 4.X and 3.5 keys.

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/


I also used that page at first, but it does not mention the SchUseStrongCrypto key that is needed for some applications to work when you disable TLS 1.1 (Lansweeper included).
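
A read-only check for the settings discussed in this thread, added here as an example (not code from any poster or from Lansweeper). It reports the SchUseStrongCrypto value named above; the SystemDefaultTlsVersions value and the SCHANNEL protocol key paths are assumptions taken from Microsoft's TLS documentation rather than from the thread.

```powershell
# Added example: audit (no changes made) of .NET Framework and SCHANNEL TLS registry settings.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)
$netValues = 'SchUseStrongCrypto', 'SystemDefaultTlsVersions'
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Row([string]$Path, [string]$Name) {
    $v = Get-RegDword $Path $Name
    $shown = 'not set'
    if ($v -ne $null) { $shown = $v }
    New-Object PSObject -Property @{ Path = $Path; Name = $Name; Value = $shown; Raw = $v }
}

# .NET Framework: both values should be 1 in the 64-bit and 32-bit (Wow6432Node) views.
$netReport = foreach ($key in $netKeys) {
    foreach ($name in $netValues) { New-Row $key $name }
}

# SCHANNEL: 'not set' means the OS default for that protocol applies.
$schReport = foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            New-Row "$schannel\$proto\$role" $name
        }
    }
}

$netReport + $schReport | Select-Object Path, Name, Value | Format-Table -AutoSize

# Flag .NET keys that would leave applications unable to negotiate TLS 1.2.
$missing = @($netReport | Where-Object { $_.Raw -ne 1 })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) .NET Framework value(s) are not set to 1:"
    $missing | ForEach-Object { Write-Warning "  $($_.Path)\$($_.Name) = $($_.Value)" }
} else {
    Write-Output '.NET Framework strong-crypto values are set in all four locations.'
}
```

Run it from an elevated prompt before and after changing protocol settings so the two outputs can be compared.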
Esben_D
Lansweeper Employee
If you're on version 6.0.230.46 or higher, everything should work with TLS 1.0 disabled.