SBS 2011 PCI compliance

What we have is an SBS 2011 SP1 and exchange 2010 SP3. (Also i'm testing this all on a test server right now)

We are trying to be compliant with PCI and using a scan from trustwave to determine if we are. So i found this nifty tool from https://www.nartac.com/Products/IISCrypto/ called IISCrypto40 which basically does all the disabling and registry changes that need by selecting what i want. So i click PCI and it left a box checked fro TLS 1.0. So I uncheck the box for TLS 1.0 and basically exchange stops and I knew this before i clicked it that remote desktop stopped working as well. Well RDP is not a big deal i have other tools i can use to remotely log onto the server.
So back to the main problem PCI compliance and disabling TLS 1.0 to become compliant seems to break exchange (Well at least OWA and remote connections from my smart phones so IIS problem). What do I need to do in order to use TLS 1.1 or TLS 1.2 for OWA and remote connections to work?
LVL 1
easyworksAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

easyworksAuthor Commented:
Hmmm, maybe I messed up before when I was running the tool above it looks like it is working properly now with TLS 1.0 disabled. I rolled the server back from an image I made right before making registry changes and ran the tool and looks like everything is working properly now. I'll try running another trustwave scan.
0
kevinhsiehCommented:
I would.not expect that you would need.to disable TLS 1.0 for PCI. Disable SSL 3 for sure.
0
btanExec ConsultantCommented:
TLS 1.0 is on notice as of PCI DSS 3.1 (v3.0 will be retired on 30 June 2015) >> pdf PCI DSS 3.1 updates requirements 2.2.3, 2.3 and 4.1 to remove SSL and early(1)
TLS as examples of strong cryptography. with (1) stating "TLS version 1.0 and in some cases 1.1...". The "safest" (though not impenetrable) TLS as per now is still TLS1.2 (and upcoming v1.3 and going into be in the Qualys SSL La test). As of now, SSL Lab test see likewise in TLS1.0 as weak - primarily started off from Poodle vul).

Coming back to Exchange, good to take the cautious approach to take snapshot (starting from good initial working state) and esp to backup the HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\schannel registry key, as that is where IIS Crypto make significant changes. Server need to be restarted after the tool make changes. The forume eventually has many view and many eventually leave tls1.0 for Exchange 2010, in order to  have OWA working.
've had a similar problem trying to get PCI compliant with Exchange 2010 and a TMG server. As soon as we turned off SSLv3 and TLS 1.0 Owa broke. We recreated certs from an internal CA on a DC and ended up scrapping the sslv3 and tls 1.0 changes. Iphones don't get mail unless one of these are turned on. I hope we don't need to upgrade to Exchange 2013 just to be PCI compliant when we are behind a proxy
http://community.spiceworks.com/topic/608560-exchange-2010-poodle-and-security?page=2

There is also issue resolved with Update Rollup 9 for Microsoft Exchange Server 2010 Service Pack 3 (SP3) https://support.microsoft.com/en-us/kb/3030085

Remote VPN uses SSL VPN and likely need more testing as well. Probably to focus on Exchange to get it working first. Other has this guidance for info
How do I know where my business is using SSL/TLS and if so, which version?
SSL/TLS is the most widely deployed encryption protocol. It is used in almost every application to ensure confidentiality whenever we need to transmit sensitive or secret information across an insecure medium (such as transmitting your password or other sensitive personal information over a network or the Internet.)

The most common use of SSL/TLS is to secure websites (HTTPS), though it is also used to:

-Secure email in transit (SMTPS or SMTP with STARTTLS, IMAPS or IMAP with STARTTLS)
Share files (FTPS)
-Secure connections to remote databases and secure remote network logins (SSL VPN)

You can identify which SSL/TLS versions are enabled in your business by contacting the vendors for each of the functionalities above.
https://www.pcicomplianceguide.org/pci-dss-v3-1-and-ssl-what-you-should-do-now/
0
Acronis Data Cloud 7.8 Enhances Cyber Protection

A closer look at five essential enhancements that benefit end-users and help MSPs take their cloud data protection business further.

btanExec ConsultantCommented:
This another useful post but to sum up it need to balance up as well since client itself can face issue connecting to a "upgraded" server
it would best to disable SSL 2.0/3.0, TLS 1.0/1.1 on the server and forget about any browsers, operating systems and software that can’t handle it. But that’s not that easily done you’ll need Outlook 2013 for RPC over HTTP if you want to enforce TLS 1.2.
http://blog.workinghardinit.work/2014/04/22/ssl-certs-and-achieving-a-level-security-with-older-windows-versions/

Seems like TLS1.0 enabled is a safer for functionality though not secure (already) ... maybe avoid the exchange segment subjected to PCI scoping
 
And in the RDP context, this is what MS advise in the forum
Disabling TLS 1.0 will break RDP under default settings.  Did the security scan say specifically to disable TLS 1.0?  Normally you should be able to disable use of certain ciphers or prioritize ciphers.  You may want to try IISCrypto, on it you click the PCI button, then Apply button, then restart your server.

Additionally there are still a substantial number of web browsers in use that do not support TLS 1.1/1.2.

If you would like to continue with TLS 1.0 disabled you may change the RDP Security Layer.  To do this please open Terminal Services Configuration (tsconfig.msc), double-click RDP-Tcp, change Security Layer to RDP Security Layer.

IMPORTANT:  You are vulnerable to MITM attack when using RDP Security Layer because there is no Server Authentication.  If you are running RDP over a VPN connection and there is no risk for interception then this may be okay.  I recommend you re-enable TLS 1.0 and have a ssl certificate from a public authority set on your RDP-Tcp listener.
https://social.technet.microsoft.com/Forums/en-US/e2b22dad-bb0c-4059-beec-6673783ab777/remote-desktop-stopped-working-after-disabling-ssl-20-and-tls-10

And also RC4 is to be disabled as well - see
Clients and Servers that do not wish to use RC4 ciphersuites, regardless of the other party's supported ciphers, can disable the use of RC4 cipher suites completely by setting the following registry keys. In this manner any server or client that is talking to a client or server that must use RC4, can prevent a connection from happening. Clients that deploy this setting will not be able to connect to sites that require RC4 while servers that deploy this setting will not be able to service clients that must use RC4.
http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cris HannaSr IT Support EngineerCommented:
So my question is why do you feel you need have it comply? Are you running the company's public website on the SBS box and collecting and storing electronic payment information?
0
easyworksAuthor Commented:
Everything not working perfectly :( . OWA seems to partially work and phones do not seem to function correctly with TLS 1.0 disabled. I'm trying to run some server updates on the live server to get it current and i'll see where I stand. Thank you btan for all the articles and explanations.

@btan
I have not tried, but do you think with the weak ciphers removed I could probably enable TLS 1.0 and pass the security scan.

@Cris Hanna
The reason I have to comply is, because the user has to have a passed security scan in order to start using credit cards transactions from government people they are dealing with.
0
btanExec ConsultantCommented:
Try ith SSLv3 disabled and TLS1.0 above enabled at the Exchange, and try with various browser on the OWA. If it works then do a ssllab test again, repeat the same and this time with TLS1.0 disabled, if it cannot even get OWA up - really will ssllab still matter in priority ... if it is ssllab test, it has a guide in listing the criteria (see Table 3. Protocol support rating guide).
SSL 3.0 80%
TLS 1.0 90%
TLS 1.1 95%
TLS 1.2 100%
https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf
To note - tls1.0 is just one factor in overall assessment.
Check out the change list near the end of guide too
Changes in 2009e (21 January 2014)
• Support for TLS 1.2 is now required to get the A grade. Without, the grade is
capped a B.
Warning: RC4 is used with TLS 1.1 or newer protocol. Because RC4 is weak, the
only reason to use it is to mitigate the BEAST attack. For some, BEAST is still a
threat. Because TLS 1.1 and newer are not vulnerable to BEAST, there is no reason
to use RC4 with them.

Changes in 2009f (4 September 2014)
• Don’t award A+ to servers that use SHA1 certificates.

Changes in 2009g (15 October 2014)
• Cap to C if vulnerable to POODLE.

Changes in 2009h (30 October 2014)
• Don’t award A+ to servers that don’t support TLS_FALLBACK_SCSV.
• Cap to B if SSL 3 is supported.

Changes in 2009i (8 December 2014)
• Cap to B if RC4 is supported.
• Cap to B if the chain is incomplete.
• Fail servers that have SSL3 as their best protocol.
But it may have changes since Dec 2014

ou can test your browser as well via
https://www.ssllabs.com/ssltest/viewMyClient.html
0
easyworksAuthor Commented:
Both had A- @ 90% but with TLS 1.0 enabled it popped up a bunch of Fails (Protocol or cipher suite mismatch) against smart phones and browsers.
0
btanExec ConsultantCommented:
also test the browser (with url a/m) and the test list out the supported tls too. if both side are in sync, then i see it more of the OWA (instead of browser) app triggering such alert. of course will be good to disable tls1.0.
0
easyworksAuthor Commented:
What do you mean "(with url a/m)".

With TLS 1.0 disabled i do not get any fails running against SSLLabs. The problems that run into with IE 11 logs into OWA but when you go to delete/move a message with it on the preview and (not double click the message to open up) you try to delete it pops a mesasge. It seems like you can do everything else though.

Get same error in Chrome too.
OWAerror.jpg
0
easyworksAuthor Commented:
I noticed that error does not happen/pop up when I do not have their domain added to the compatibility list. I added their domain to the compatibility list because i did not want to use OWA light.
0
btanExec ConsultantCommented:
can test your browser as well via
https://www.ssllabs.com/ssltest/viewMyClient.html
0
easyworksAuthor Commented:
Thank you btan.

I think with all the information you have given me and what I've learned I can go about coming up with a better solution for the customer now.

Most of the problem now is they are not fully patched. They are just sitting on SP3 for exchange with no CU rollups, which should resolve the owa issues once applied.

After we are compliant I will go back and try to see if I can get away with enabling TLS 1.0
0
btanExec ConsultantCommented:
thanks for sharing!
0
rkane17Commented:
Btan along with everyone's response is appreciated, however still very confused.   Our SBS2011 server is updated (including Exchange to the latest SP3 RU9) and had used the Nartac util.  Problem is when TLS1.0 is deselected in the utility, nothing works - mail, RDP/RWW, even Sharepoint/SQL doesn't start up.  i don't have a problem with doing a little work to get answers, but it seems like every forum sends me off on a wild goose chase.  Has anyone come across a simpler way to get this through?  Maybe a step by step process specifically for SBS2011 servers?
I plan to install SBS2011 on a test system to see if I can get it working because the Prod system can't be rebooted all the time.
0
btanExec ConsultantCommented:
For exchange, most ppl disable tls1.0 does not have it working, better to enable it for the time being. no easier means other than enabling first - note that win2008R2 and above are the only build with tls1.1 and tls1.2 http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft IIS Web Server

From novice to tech pro — start learning today.