Enabling TLS 1.2 for the ITMS Management Platform Environment

Article ID: 170734

Products

IT Management Suite, Client Management Suite

Issue/Introduction

Best security practice is to use the latest version of TLS available: 1.2. Microsoft does not enable TLS 1.2 by default in many current operating systems. How do we enable TLS 1.2 communications in our Symantec Management Platform (Altiris) environment?

Environment

ITMS 8.x+

Resolution

To use TLS 1.2, perform the following steps in your environment.

1.  If desired, verify the current TLS settings on a test system by downloading IISCrypto.exe and running it from the desktop (it does not install anything).  Download from: https://www.nartac.com/Products/IISCrypto

2.  Modify the SMP Communication Profile to allow TLS 1.2

  • Settings > Agents/Plugins > Symantec Management Agent > Symantec Management Agent Communication Profile
  • Select the SMP Profile
  • Edit "SSL Certificates are defined for current profile", adding a check for TLS 1.2

   

3.  Make the changes necessary to the OS to accommodate TLS 1.2

  • Save the section below as a .reg file (AddTLS.reg) and run it on the system to enable TLS 1.2

        Windows Registry Editor Version 5.00

        ; ControlSet001 is normally the control set that CurrentControlSet points to.
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols]

        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

        ; Outbound (client) connections made through SCHANNEL
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001

        ; Inbound (server) connections accepted through SCHANNEL
        [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
        "DisabledByDefault"=dword:00000000
        "Enabled"=dword:00000001

You can also deploy the Registry change via a Task Script or Managed Software Policy in Altiris by using the command line: reg import "AddTLS.reg"

NOTE: A system reboot is required after making this change to the Registry.

You should also check the following Microsoft article regarding the different TLS versions: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)

4.  Verify that the TLS settings changed by using IISCrypto.exe

Note:
You may also consider this:
In some scenarios, if the customer allows only TLS 1.2 on the SMP and SQL Server, .NET still tries to use TLS 1.0 by default, so it must be configured to call TLS 1.2.

There are certain places in the registry that need to be modified to force TLS 1.2 to be the only version in use by .NET.

Add the following registry keys with the specified values (or modify them if they already exist):

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
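
A scriptable complement to the IISCrypto check in step 4: the read-only PowerShell audit below is an added example, not part of the original article or any Symantec tooling. It reads back every SCHANNEL and .NET Framework value listed above and reports any that are missing or different. The function name Test-Tls12Registry is hypothetical, and the control set defaults to the ControlSet001 path used in AddTLS.reg.

```powershell
# Added example (not from the article): read-only audit of the registry values
# this article sets. Run from 64-bit PowerShell so WOW6432Node is not redirected.
function Test-Tls12Registry {
    # ControlSet001 matches the path written in the article's AddTLS.reg.
    param([string]$ControlSet = 'ControlSet001')

    $schannel = "HKLM:\SYSTEM\$ControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
    $expected = @()

    # SCHANNEL: TLS 1.2 enabled and not disabled-by-default, for both roles.
    foreach ($role in 'Client', 'Server') {
        $expected += @{ Path = "$schannel\$role"; Name = 'DisabledByDefault'; Want = 0 }
        $expected += @{ Path = "$schannel\$role"; Name = 'Enabled';           Want = 1 }
    }

    # .NET Framework: 32-bit (WOW6432Node) and 64-bit views, v2 and v4 runtimes.
    foreach ($hive in 'SOFTWARE\WOW6432Node', 'SOFTWARE') {
        foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
            $p = "HKLM:\$hive\Microsoft\.NETFramework\$ver"
            $expected += @{ Path = $p; Name = 'SystemDefaultTlsVersions'; Want = 1 }
            $expected += @{ Path = $p; Name = 'SchUseStrongCrypto';       Want = 1 }
        }
    }

    foreach ($e in $expected) {
        # A missing key or value is reported as '<missing>' instead of throwing.
        $item   = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Path     = $e.Path
            Name     = $e.Name
            Expected = $e.Want
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Ok       = ($null -ne $actual -and [int]$actual -eq $e.Want)
        }
    }
}

$results = Test-Tls12Registry
$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'One or more TLS 1.2 values differ from those listed in this article.'
}
```

The script only reads the registry. The values it checks take effect after the reboot the article requires, so run it again after restarting.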