Faust Romero asked:
Use TLS version 1.1 and 1.2

The Nessus vulnerability scanner runs every so often on my network. I see that all my Windows Server 2008 R2, 2012 R2 and Windows 8.1 machines show the following two vulnerabilities on the report as HIGH. We do have PCI regulation; we do not manage credit card services, by the way.
1) TLS Version 1.0 Protocol Detection
2) SSL Version 2 and 3 Protocol Detection
All my servers and computers are patched monthly, so I do not think I am missing any patch. Is there a way to fix this? I have a wildcard certificate from GoDaddy that I can use, so all my computers can talk using that? Is this a good option?
Please advise.
Thanks,
ASKER CERTIFIED SOLUTION (Andy M)
Faust Romero (asker):
So TLS v1.1 will be enabled for all types of communication on the server/client, correct? For example RDP, FTP, SFTP, HTTPS, etc.

When using Nessus, you need to know what you are scanning.
IIS Crypto can be used to disable the SSLv2/SSLv3 and TLS 1.0 protocols.
This is within the registry, under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols:
SSLv2
SSLv3
TLS1.0
TLS1.1
TLS1.2 at a time.
So TLS v1.1 will be enabled for all types of communication on the server/client, correct? For example RDP, FTP, SFTP, HTTPS, etc.

Yes, basically that server and the services on it will only be available on the protocols you have enabled on it (TLS 1.1 and 1.2, ideally). This may require updates on the client machines to connect to services (e.g. RDP on Windows 7, I think, needed an update when we started forcing TLS 1.1/1.2), but newer systems should already be able to connect on these protocols.

It's worth checking which services run on the server(s) in question and ensuring that switching to TLS 1.1/1.2 won't cause problems (or at least ensuring you know what to do if a client application needs to be updated as well).
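The registry-based approach above (the SCHANNEL\Protocols keys that IIS Crypto edits) and the reply's advice to check the impact on services and clients can be combined into one script: audit what is currently set for each protocol on both the Server and Client side, then apply the desired state in a dry run before committing. The script below is an added example written for this thread, not code from the original posts or from IIS Crypto. It assumes an elevated PowerShell session on the Windows versions named in the question, that the usual Schannel subkey names (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, each with Server and Client subkeys and the DWORD values Enabled and DisabledByDefault) are in use, and that a reboot will follow, since Schannel reads these values at boot. The protocol list and the $Policy table are the example's own choices.

```powershell
# Added example (not from the original thread): audit and set Schannel protocol state.
# Assumes an elevated session; changes take effect only after a reboot.
#Requires -RunAsAdministrator

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired policy (constructed for this example): $true = keep enabled, $false = disable.
$Policy = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    # One object per protocol and side; a missing value means Windows uses its built-in default.
    foreach ($proto in $Policy.Keys) {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path $SchannelRoot "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -eq $enabled) { 'not set (OS default)' } else { $enabled }
                DisabledByDefault = if ($null -eq $disabledByDefault) { 'not set (OS default)' } else { $disabledByDefault }
            }
        }
    }
}

function Set-SchannelProtocolState {
    param([switch]$DryRun)
    foreach ($proto in $Policy.Keys) {
        $enable = $Policy[$proto]
        # Enabled=0 plus DisabledByDefault=1 turns a protocol off for Schannel;
        # Enabled=1 plus DisabledByDefault=0 turns it on.
        $enabledValue = [int]$enable
        $disabledByDefaultValue = [int](-not $enable)
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path $SchannelRoot "$proto\$side"
            if ($DryRun) {
                Write-Host "Would set $path : Enabled=$enabledValue DisabledByDefault=$disabledByDefaultValue"
                continue
            }
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value $enabledValue -Force | Out-Null
            New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord -Value $disabledByDefaultValue -Force | Out-Null
        }
    }
}

# Audit first, then preview the change; drop -DryRun to apply, and reboot afterwards.
Get-SchannelProtocolState | Format-Table -AutoSize
Set-SchannelProtocolState -DryRun
```

Run the audit on each server before and after the change and keep the "before" output; it is the quickest way to roll back if an RDP, SQL or other client turns out to need an update first, which is exactly the risk the reply warns about. Note that the Client subkeys govern outbound connections from that machine, so disabling TLS 1.0 there can also break the server's own connections to older systems, not only inbound ones.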