Good day, all.
I am currently going through PCI compliance hardening on our web servers, and I am trying to disable TLS 1.0. Before rolling out, I created a test environment. My test configuration is as follows:
- Management Host (used to remotely manage other servers) - Server 2012 R2 with RSAT tools installed
- IIS Server (various Role Services deployed) - Server 2012 R2. We'll call this WEBSRV.
- Due to not having a CA in test, I am using the default SSL certificate. We'll call this MGMTSRV.
- WMSVC has been configured properly to allow remote administration of IIS.
OK, with setup out of the way, here are the testing steps.
First I wanted to simply test remote administration of IIS. With the default security protocols enabled (including TLS 1.0, TLS 1.1, and TLS 1.2) on WEBSRV, I can open IIS Manager on MGMTSRV, Select 'Connect to a server...,' enter WEBSRV and my credentials, and I connect just fine. Awesome.
Now, I wanted to disable TLS 1.0 (effectively only allowing TLS 1.1 and TLS 1.2) on WEBSRV. I used IISCrypto to do this for me, which properly configured the TLS 1.0 registry keys for me:
- HKLM:\System\CurrentControlSet\Control\SecurityProviders\Protocols\TLS 1.0\Server\ - DisabledByDefault value set to 0x00000001 (true)
- HKLM:\System\CurrentControlSet\Control\SecurityProviders\Protocols\TLS 1.0\Server\ - Enabled value set to 0x00000000 (false)
I then performed a reboot of WEBSRV (as required for the new changes). WEBSRV came back online without issue, and I was able to RDP to it. Yay.
However, when attempting to connect to WEBSRV using IIS Manager on MGMTSRV after TLS 1.0 is disabled on WEBSRV, I now receive the following error:
"Could not connect to the specified computer.
Details: The underlying connection was closed: An unexpected error occurred on a send."
This struck me as odd. So, on WEBSRV, I re-enabled TLS 1.0, rebooted, and lo and behold, I was able to remotely connect from MGMTSRV.
I then performed a packet capture from both WEBSRV and MGMTSRV, both with TLS 1.0 enabled, and then disabled. I saw nothing that would indicate an error. In fact, with TLS 1.0 disabled, when I look at the packet capture, I see that the connection is being made using TLS 1.2 anyway (sorry, I know this is ugly)!
MessageNumber: 5677
DiagnosisTypes: None
Timestamp: 2016-03-02T11:19:50.5385547
TimeElapsed:
Source: FE80:0:0:0:65FA:6AB0:8C90:A869
Destination: FE80:0:0:0:112C:2237:8CA8:1E08
Module: TLS
Summary: Records: [ApplicationData(Encrypted)]
records[0].version: TLS 1.2
So, now we come to questions:
- Has anyone ever tried this and got it working successfully? If so, am I missing a step?
- If Server 2012 R2, by default, is communicating with the WMSVC service using TLS 1.2, why would disabling TLS 1.0 cause an issue?
- Am I missing some configuration in WMSVC that would force it to use TLS 1.0?
- Is there something in IIS Manager that I need to set?
This has had me perplexed for a few days. Especially since, with TLS 1.0 disabled, all other remote management seems to work fine from MGMTSRV (i.e. RDP, Computer Management, Server Manager, Remote PowerShell, etc.).
Any assistance would be greatly appreciated!