Daniel Booker
asked on
SBS 2011 PCI compliance
What we have is an SBS 2011 SP1 and Exchange 2010 SP3. (Also, I'm testing this all on a test server right now.)
We are trying to be compliant with PCI and are using a scan from Trustwave to determine if we are. So I found this nifty tool from https://www.nartac.com/Products/IISCrypto/ called IISCrypto40, which basically does all the disabling and registry changes that are needed by selecting what I want. So I click PCI and it left a box checked for TLS 1.0. So I uncheck the box for TLS 1.0 and basically Exchange stops, and I knew before I clicked it that remote desktop would stop working as well. Well, RDP is not a big deal; I have other tools I can use to remotely log onto the server.
So back to the main problem: PCI compliance and disabling TLS 1.0 to become compliant seems to break Exchange (well, at least OWA and remote connections from my smartphones, so an IIS problem). What do I need to do in order to use TLS 1.1 or TLS 1.2 for OWA and remote connections to work?
I would not expect that you would need to disable TLS 1.0 for PCI. Disable SSL 3 for sure.
So my question is why do you feel you need to have it comply? Are you running the company's public website on the SBS box and collecting and storing electronic payment information?
ASKER
Everything is not working perfectly :( . OWA seems to partially work and phones do not seem to function correctly with TLS 1.0 disabled. I'm trying to run some server updates on the live server to get it current and I'll see where I stand. Thank you btan for all the articles and explanations.
@btan
I have not tried, but do you think with the weak ciphers removed I could probably enable TLS 1.0 and pass the security scan?
@Cris Hanna
The reason I have to comply is because the user has to have a passed security scan in order to start using credit card transactions from the government people they are dealing with.
ASKER
Both had A- @ 90%, but with TLS 1.0 enabled it popped up a bunch of Fails (Protocol or cipher suite mismatch) against smartphones and browsers.
Also test the browser (with the URL a/m) and the test lists out the supported TLS too. If both sides are in sync, then I see it more as the OWA (instead of the browser) app triggering such an alert. Of course it will be good to disable TLS 1.0.
ASKER
What do you mean by "(with url a/m)"?
With TLS 1.0 disabled I do not get any fails running against SSL Labs. The problem I run into with IE 11: it logs into OWA, but when you go to delete/move a message with it in the preview (not double-clicking the message to open it up), when you try to delete it, it pops up a message. It seems like you can do everything else though.
Get the same error in Chrome too.
OWAerror.jpg
ASKER
I noticed that error does not happen/pop up when I do not have their domain added to the compatibility list. I added their domain to the compatibility list because I did not want to use OWA Light.
Can test your browser as well via
https://www.ssllabs.com/ssltest/viewMyClient.html
ASKER
Thank you btan.
I think with all the information you have given me and what I've learned I can go about coming up with a better solution for the customer now.
Most of the problem now is they are not fully patched. They are just sitting on SP3 for Exchange with no CU rollups, which should resolve the OWA issues once applied.
After we are compliant I will go back and try to see if I can get away with enabling TLS 1.0.
Thanks for sharing!
Btan's response, along with everyone's, is appreciated; however, I am still very confused. Our SBS 2011 server is updated (including Exchange to the latest SP3 RU9) and I had used the Nartac util. The problem is that when TLS 1.0 is deselected in the utility, nothing works: mail, RDP/RWW, even SharePoint/SQL doesn't start up. I don't have a problem with doing a little work to get answers, but it seems like every forum sends me off on a wild goose chase. Has anyone come across a simpler way to get this through? Maybe a step-by-step process specifically for SBS 2011 servers?
I plan to install SBS 2011 on a test system to see if I can get it working, because the Prod system can't be rebooted all the time.
For Exchange, most people who disable TLS 1.0 do not have it working; better to enable it for the time being. There is no easier means other than enabling it first. Note that Win2008R2 and above are the only builds with TLS 1.1 and TLS 1.2: http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
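The thread turns on two checks that are done by hand above: what IISCrypto actually wrote to the SCHANNEL protocol registry keys, and what a client can still negotiate afterwards (the SSL Labs "Protocol or cipher suite mismatch" fails). The script below is an added example, not code from the thread or from Nartac's IISCrypto. The first function reads the well-known SCHANNEL `Protocols\<version>\Client|Server` keys and reports the effective state per side, so you can compare before and after a change; the second attempts a handshake against an OWA host with one protocol version at a time. Assumptions: it is run from an elevated PowerShell 3.0 or later session with .NET 4.5 or later (needed for the Tls11/Tls12 enum values), and `mail.example.com` is a placeholder for your own OWA hostname.

```powershell
# Added example (not from the thread or from IISCrypto). Assumes PowerShell 3.0+, .NET 4.5+,
# elevated session for the registry part. 'mail.example.com' is a placeholder hostname.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolKeys = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # Report Enabled / DisabledByDefault for each protocol, on both the Client and Server side.
    # Disabling only the Server side still breaks services that call out (e.g. Exchange, SQL)
    # if their peer only offers TLS 1.0, so both columns matter when reading the result.
    foreach ($proto in $ProtocolKeys) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $SchannelBase $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $values = Get-ItemProperty -Path $key
                $enabled = $values.Enabled
                $disabledByDefault = $values.DisabledByDefault
            }
            # Priority: Enabled=0 is a hard disable; DisabledByDefault=1 means "off unless an
            # application asks for it"; no key at all means the Windows default applies.
            $effective = 'Enabled'
            if ($enabled -eq $null -and $disabledByDefault -eq $null) { $effective = 'OS default' }
            if ($disabledByDefault -eq 1) { $effective = 'Disabled by default' }
            if ($enabled -eq 0) { $effective = 'Disabled' }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Effective         = $effective
            } | Select-Object Protocol, Side, Enabled, DisabledByDefault, Effective
        }
    }
}

function Test-TlsHandshake {
    # Try one protocol version at a time against the OWA endpoint and report the negotiated
    # protocol and cipher. A FAIL on 'Tls' after disabling TLS 1.0 is the expected outcome;
    # a FAIL on 'Tls12' means browsers and phones have nothing left to fall back to.
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    # Accept any server certificate: this probe tests protocol negotiation, not trust.
    $acceptAll = { param($sender, $cert, $chain, $errors) $true }
    foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $result = ''
        try {
            $proto = [Enum]::Parse([System.Security.Authentication.SslProtocols], $name)
            $tcp.Connect($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            $result = 'OK ({0}, {1} {2}-bit)' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength
            $ssl.Dispose()
        } catch {
            $result = 'FAIL: ' + $_.Exception.Message
        } finally {
            $tcp.Close()
        }
        New-Object PSObject -Property @{ Protocol = $name; Result = $result } |
            Select-Object Protocol, Result
    }
}

# Usage: audit the registry on the SBS box, then probe OWA from a workstation.
Get-SchannelProtocolState | Format-Table -AutoSize
Test-TlsHandshake -HostName 'mail.example.com' | Format-Table -AutoSize
```

Running the audit before and after toggling a box in IISCrypto shows whether the change hit the Client side as well as the Server side, which is the usual reason services on the box itself (not just inbound OWA) stop working. The handshake probe gives the same per-version picture SSL Labs reports, but against a test server that is not reachable from the internet.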