Mark Minasi's Tech Forum
cspanburgh
Senior Member
Posts: 219
#1
Stand by for breaking news.  Well, for those who are not covered by NDA, they are talking about it already.

What I can say, from my NDA covered meetings is that it would be a good time to check to see if your apps and IIS servers can do TLS 1.2.

The lowest Microsoft Server OS is Win 2008 SP2.

There are two reg hacks that I'm told you can try to use to make the changes but from my meeting it seems that they may not work.

One quote: 1.0 and 1.1 are extremely "Hackable".  We are all sensitive after the credit company's major hack.  

TLS 1.3 is being worked on now so I would not limit myself to allowing only 1.2 in the firewall.

Anyway, have any of you taken action on this or know of details yet?

 


__________________
Curt Spanburgh
cj_berlin
Senior Member
Posts: 244
#2
Curt,

I have a lot of customers who started phasing out TLS 1.1 and below like five years ago. With a varying success rate, it seems.

Part of the problem is, even on a Windows system, it's not only IIS that uses transport encryption. Ages-old Tomcat instances, legacy third-party mail servers, you name it and it's there. All use the same authentication mechanisms so, while securing IIS / Windows SChannel is the most important first step, it by no means is the final one.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
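An added example (not from the thread, nor from any vendor mentioned in it) that reads the SChannel protocol registry keys behind the "reg hacks" from post #1 and the .NET Framework values that decide which TLS version the non-IIS, .NET-based services Evgenij describes will negotiate. The function names are my own; the registry paths are the standard SChannel and .NET 4.x locations, and the script only reads them.

```powershell
# Added example, not from the thread: audit the SChannel protocol registry keys that the
# "reg hacks" refer to, plus the .NET Framework values that decide which TLS version
# .NET-based services pick. Read-only; run in an elevated PowerShell session.
$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
function Get-SchannelProtocolState {
    foreach ($proto in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannelBase "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # No key or no values means SChannel uses the OS default for that protocol,
            # which on older servers leaves TLS 1.0/1.1 enabled.
            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default' }
                     elseif ($enabled -eq 0) { 'Disabled' }
                     elseif ($disabledByDefault -eq 1) { 'Disabled by default' }
                     else { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# .NET Framework 4.x applications pick their TLS version independently of the SChannel
# keys; without these two values set to 1 they may still hard-code TLS 1.0 themselves.
function Get-DotNetTlsDefaults {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $props.SchUseStrongCrypto
            SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetTlsDefaults     | Format-List
```

Run it before and after applying the registry changes so you have a record of what each server actually negotiates, then re-test the applications Pat mentions against the new state.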
cspanburgh
Senior Member
Posts: 219
#3
Agreed, my friend, but not many people are aware of this.

They have to dust off the old OSI model and get the layers and protocols in their heads, instead of buying a security product off the shelf.


__________________
Curt Spanburgh
Pat Richard
Still Checking the Forum Out
Posts: 2
#4
You need to figure out what impact disabling different TLS protocols will have on the applications on those servers. Skype for Business, for one, has known issues.
dennis-360ict
New Friend (or an Old Friend who Built a New Account)
Posts: 58
#5
One way to lessen the impact is to use a load balancer.

We use Kemp load balancers; they deliver appliances, bare metal, Azure and VMs. It's not cheap but also not that expensive compared to all the man hours it takes to rewrite the apps. They even have a free load balancer that is limited in bandwidth but will suffice, as most old apps are just there for legacy reasons. It gives you all the flexibility you need: turning on/off encryption methods, ciphers, etc. We found it's very easy to get an A+ rating on ssllabs.com with Kemp in between that old stuff and the evil internet.

I'm extremely happy with Kemp; we've started a reseller channel and certified employees, as it gives us lots of easy solutions in the field. If you get the basics, it's an easy web-based interface. We started with one for just one goal, and we started using it for everything else; we have 8 running now, mostly because of licensing reasons.

__________________
-----
Home is where is sleep
jsclmedave
Administrator
Posts: 446
#6
Quote:
Originally Posted by Pat Richard
You need to figure out what impact disabling different TLS protocols will have on the applications on those servers. Skype for Business, for one, has known issues.

SolarWinds WPM Application requires both 1.0 & 1.1...

As an example...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
jadgate
New Friend (or an Old Friend who Built a New Account)
Posts: 29
#7
TS Remote Desktop is using an insecure flavor of TLS as well. Good luck getting that updated [smile]

Jim

__________________
Jim Adgate
IT Security guy concerned about vendor IT security risk management and other such stuff.....
cspanburgh
Senior Member
Posts: 219
#8
Wow, that is a real problem right there.

Thanks.

__________________
Curt Spanburgh
dennis-360ict
New Friend (or an Old Friend who Built a New Account)
Posts: 58
#9
Aarrghh... I posted "only" instead of "one"... that looks quite different. I only wanted to offer options, but starting with "only" makes the whole post quite different. I've edited it, sorry!
__________________
-----
Home is where is sleep