The latest security recommendations promote the use of the more secure TLS 1.1 and TLS 1.2 protocols for all web traffic. Protocols older than TLS 1.1 and TLS 1.2 should be disabled on IIS web servers (including CentreStack) as they are no longer considered secure by the security community. More info: https://blogs.technet.microsoft.com/askpfeplat/2017/11/13/demystifying-schannel/
SQL Server 2012 Express Edition
At the time of this writing (February 2018), CentreStack installs SQL Server 2012 Express Edition (RTM), with an internal ProductVersion of 11.00.2100. Service Pack 3 or later of SQL Server 2012 must be installed in order to support servers that have been restricted to TLS 1.1 and TLS 1.2. For CentreStack SQL Express deployments, it is recommended that the SQL components be upgraded to Service Pack 4 (SP4) prior to altering the SCHANNEL settings on the server. Once upgraded to SP4, the SQL Express ProductVersion will be 11.0.7001.0. Basic instructions for upgrading to SP4 are included at the end of this document.
IIS Crypto Utility
The IIS Crypto tool from Nartac Software is designed to make it easy for the Windows Web Server administrator to change the SCHANNEL registry settings in order to use the most secure protocols according to the current best practices. The software is available here: https://www.nartac.com/Products/IISCrypto/Download
IIS Crypto supports a handful of "best practice" templates, the most stringent of which is PCI 3.1. If a template is loaded and applied, the web server must be rebooted in order for the changes to take effect. If the PCI 3.1 template is used, the server will ignore all SSL/TLS protocol versions earlier than TLS 1.1. A screenshot of the PCI 3.1 template settings in IIS Crypto is attached to this document.
CentreStack Client Support for TLS 1.1 and TLS 1.2
If TLS 1.1 and TLS 1.2 are enforced, the following Microsoft KB article must be followed for Windows 7 clients; otherwise the Windows 7 clients will be unable to connect to the IIS web server: https://support.microsoft.com/en-za/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
It is important to note that the Windows 7 clients require a hotfix and a registry change in order to support TLS 1.1 and TLS 1.2.
Some CentreStack customers have disabled the "SHA" (SHA-1) hash using IIS Crypto. If SHA-1 is disabled, this effectively disables TLS 1.1 and only TLS 1.2 will be available between client and IIS web server. The CentreStack client running on Windows 8 will be unable to connect and is not supported in this use-case. Windows 7 (with the hotfix and registry change), Windows 8.1, and Windows 10 will be able to negotiate the TLS 1.2 handshake and are supported CentreStack clients in the TLS 1.2 use-case.
SQL Server 2012 SP4 Upgrade Instructions
- On the CentreStack server with SQL Express, follow this link: https://www.microsoft.com/en-us/download/details.aspx?id=56040.
- Select the option to download SQLServer2012SP4-KB4018073-x64-ENU.exe.
- Once SQLServer2012SP4-KB4018073-x64-ENU.exe is downloaded, execute it.
- The user interface is fairly straightforward, and the defaults should be used on every panel to complete the installation.
- At the command prompt, execute this command to verify the SQL version:
sqlcmd -S localhost\CENTRESTACK -E -Q "SELECT @@VERSION;"
- Verify that the version number in the text displayed is "11.0.7001.0".
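The following PowerShell script is an added pre-flight check, not part of CentreStack or IIS Crypto. It reads the SCHANNEL protocol and SHA-1 hash registry values that IIS Crypto templates modify, and verifies via sqlcmd that SQL Express is at SP4 (11.0.7001.0) before SCHANNEL is restricted. It assumes the localhost\CENTRESTACK instance name and the registry key layout used by IIS Crypto; run it in an elevated prompt on the CentreStack server.

```powershell
# Added pre-flight check (not CentreStack's own code). Run as Administrator
# on the CentreStack server before applying a restrictive IIS Crypto template.
$SqlInstance        = 'localhost\CENTRESTACK'        # assumed instance name from this document
$RequiredSqlVersion = [version]'11.0.7001.0'         # SQL Server 2012 SP4
$SchannelRoot       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    # Report the server-side state of each protocol. A missing key means no
    # explicit setting exists, so the operating system default applies.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $SchannelRoot "Protocols\$proto\Server"
        $enabled = $null; $disabledByDefault = $null
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        if ($null -eq $enabled)  { $state = 'OS default' }
        elseif ($enabled -eq 0)  { $state = 'Disabled' }
        else                     { $state = 'Enabled' }
        [pscustomobject]@{ Protocol = $proto; Enabled = $enabled
                           DisabledByDefault = $disabledByDefault; State = $state }
    }
}

function Test-Sha1HashEnabled {
    # IIS Crypto writes Hashes\SHA\Enabled = 0 when SHA-1 is disabled. With SHA-1
    # off only TLS 1.2 can negotiate, which breaks the Windows 8 CentreStack client.
    $key = Join-Path $SchannelRoot 'Hashes\SHA'
    if (Test-Path $key) { return ((Get-ItemProperty -Path $key).Enabled -ne 0) }
    return $true
}

function Get-SqlProductVersion {
    # Suppress headers (-h -1) and trailing spaces (-W) so only the version is returned.
    $query = "SET NOCOUNT ON; SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));"
    $raw = & sqlcmd -S $SqlInstance -E -h -1 -W -Q $query
    if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
    $line = $raw | Where-Object { $_ -match '^\d+(\.\d+)+$' } | Select-Object -First 1
    return [version]$line.Trim()
}

Get-SchannelProtocolState | Format-Table -AutoSize
"SHA-1 hash enabled: $(Test-Sha1HashEnabled)"
$sqlVersion = Get-SqlProductVersion
if ($sqlVersion -lt $RequiredSqlVersion) {
    Write-Warning "SQL Express is $sqlVersion; install SP4 ($RequiredSqlVersion) before restricting SCHANNEL to TLS 1.1/1.2."
} else {
    "SQL Express $sqlVersion is at or above SP4; the IIS Crypto template can be applied."
}
```

Re-run the script after the reboot that follows applying the template to confirm the protocol states match the chosen IIS Crypto template.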