
IIS 8.5 Management Services and disabling TLS 1.0


Good day, all.

I am currently going through PCI compliance hardening on our web servers, and I am trying to disable TLS 1.0. Before rolling out, I created a test environment. My test configuration is as follows:

Management Host (used to remotely manage other servers) - Server 2012 R2 with RSAT tools installed

IIS Server (various Role Services deployed) - Server 2012 R2. We'll call this WEBSRV.

Due to not having a CA in test, I am using the default SSL certificate. We'll call this MGMTSRV.

WMSVC has been configured properly to allow remote administration of IIS.

OK, with setup out of the way, here are the testing steps.

First, I wanted to simply test remote administration of IIS. With the default security protocols enabled (including TLS 1.0, TLS 1.1, and TLS 1.2) on WEBSRV, I can open IIS Manager on MGMTSRV, select 'Connect to a server...,' enter WEBSRV and my credentials, and I connect just fine. Awesome.

Now, I wanted to disable TLS 1.0 (effectively only allowing TLS 1.1 and TLS 1.2) on WEBSRV. I used IISCrypto to do this for me, which properly configured the TLS 1.0 registry keys for me:

HKLM:\System\CurrentControlSet\Control\SecurityProviders\Protocols\TLS 1.0\Server\ - DisabledByDefault key set to 0x00000001 (true)

HKLM:\System\CurrentControlSet\Control\SecurityProviders\Protocols\TLS 1.0\Server\ - Enabled key set to 0x00000000 (false)

I then performed a reboot of WEBSRV (as required for the new changes). WEBSRV came back online without issue, and I was able to RDP to it. Yay.

However, when attempting to connect to WEBSRV using IIS Manager on MGMTSRV after TLS 1.0 is disabled on WEBSRV, I now receive the following error:

"Could not connect to the specified computer.

Details: The underlying connection was closed: An unexpected error occurred on a send."

This struck me as odd. So, on WEBSRV, I re-enabled TLS 1.0, rebooted, and lo and behold, I was able to remotely connect from MGMTSRV.

I then performed a packet capture from both WEBSRV and MGMTSRV, both with TLS 1.0 enabled, and then disabled. I saw nothing that would indicate an error. In fact, with TLS 1.0 disabled, when I look at the packet capture, I see that the connection is being made using TLS 1.2 anyway (sorry, I know this is ugly)!

MessageNumber    DiagnosisTypes    Timestamp    TimeElapsed    Source    Destination    Module    Summary    records[0].version    
5677    None    2016-03-02T11:19:50.5385547        FE80:0:0:0:65FA:6AB0:8C90:A869    FE80:0:0:0:112C:2237:8CA8:1E08    TLS    Records: [ApplicationData(Encrypted)]    TLS 1.2    

So, now we come to questions:

  1. Has anyone ever tried this and got it working successfully? If so, am I missing a step?
  2. If Server 2012 R2, by default, is communicating with the WMSVC service using TLS 1.2, why would disabling TLS 1.0 cause an issue?
  3. Am I missing some configuration in WMSVC that would force it to use TLS 1.0?
  4. Is there something in IIS Manager that I need to set?

This has had me perplexed for a few days. Especially since, with TLS 1.0 disabled, all other remote management seems to work fine from MGMTSRV (i.e. RDP, Computer Management, Server Manager, Remote PowerShell, etc.).

Any assistance would be greatly appreciated!
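
An added example, not part of the original post: a PowerShell probe that offers exactly one protocol version per connection to the management endpoint and reports whether the handshake completes, which shows what the server accepts independently of what a given client chooses to offer. The function name `Test-TlsVersion` is hypothetical, and port 8172 is assumed as the WMSVC default; the post does not state a port.

```powershell
# Added example: offer one protocol version per connection and record whether
# the TLS handshake completes. Function name and defaults are illustrative.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # e.g. WEBSRV from the post
        [int]$Port = 8172,                             # assumed WMSVC default port
        [string[]]$Protocol = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Protocol) {
        $proto  = [System.Security.Authentication.SslProtocols]$name
        $result = [ordered]@{ Computer = $ComputerName; Port = $Port; Offered = $name
                              Handshake = $false; Detail = '' }
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($ComputerName, $Port)
            # The test lab uses the default certificate (no CA), so the chain is
            # not validated here; this probe only checks protocol negotiation.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
            try {
                # Restrict the client hello to the single version under test.
                $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
                $result.Handshake = $true
                $result.Detail    = "negotiated $($ssl.SslProtocol), $($ssl.CipherAlgorithm)"
            } finally { $ssl.Dispose() }
        } catch {
            # A refused version surfaces as an exception; report the innermost message.
            $result.Detail = $_.Exception.GetBaseException().Message
        } finally { $tcp.Close() }
        [pscustomobject]$result
    }
}

# One row per offered version: Tls = TLS 1.0, Tls11 = TLS 1.1, Tls12 = TLS 1.2.
Test-TlsVersion -ComputerName 'WEBSRV' | Format-Table -AutoSize
```

A version can also fail because SCHANNEL on the probing machine has it disabled for the client role, so run the probe from a host where all three versions are still enabled for clients.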

