App Control: Enabling TLS 1.2 on a Protection Server
Article ID: 288146

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Outline steps to enable TLS 1.2 on App Control servers so they continue to connect to the CDC

Environment

App Control Server: 7.2.x, 8.x

Resolution

Windows changes

  1. Every OS that we support is capable of communicating via TLS 1.2, but not all of them are enabled to do so out of the box. This Microsoft article describes the changes needed to allow a server to talk TLS 1.2 if it is not already configured to do so: https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-windows-and-winhttp
  2. This article describes additional changes to SCHANNEL-related registry entries that may be required: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry 
    • Make sure the TLS 1.2 key is present, and that on its Client subkey, DisabledByDefault is set to (DWORD)0 and Enabled is set to (DWORD)1.
    • If the SSL 2.0, SSL 3.0 or TLS 1.0 keys are present, make sure that on their Client subkeys, DisabledByDefault is set to (DWORD)1.
  3. Because the Reporter is built on .NET, it is also necessary to tell the .NET Framework that we expect to communicate via TLS 1.2. This article describes how to do that: https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-net-framework-to-support-tls-12
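The following PowerShell script is an added example, not part of this article or of the App Control product: it audits the SCHANNEL Client subkeys named in step 2 and the .NET Framework 4.x registry values (SystemDefaultTlsVersions, SchUseStrongCrypto) described in the Microsoft guidance linked from step 3, and writes the recommended values when run with -Apply. It assumes 64-bit Windows, .NET Framework 4.x (the v4.0.30319 key) and an elevated session.

```powershell
# Added example (not from the KB article): audit/apply the TLS 1.2 registry settings
# referenced in steps 2 and 3. Run elevated; pass -Apply to write the recommended values.
# Assumptions: 64-bit Windows and .NET Framework 4.x (v4.0.30319 key).
[CmdletBinding()]
param([switch]$Apply)

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state for each protocol's Client subkey, as described in step 2.
# Legacy protocol keys are only adjusted if they already exist (Create = $false).
$desired = @(
    @{ Protocol = 'TLS 1.2'; Values = @{ DisabledByDefault = 0; Enabled = 1 }; Create = $true  },
    @{ Protocol = 'SSL 2.0'; Values = @{ DisabledByDefault = 1 };              Create = $false },
    @{ Protocol = 'SSL 3.0'; Values = @{ DisabledByDefault = 1 };              Create = $false },
    @{ Protocol = 'TLS 1.0'; Values = @{ DisabledByDefault = 1 };              Create = $false }
)

# .NET Framework 4.x values from the guidance linked in step 3, written under both the
# native and the Wow6432Node view so 32-bit .NET processes (e.g. the Reporter) see them.
$dotnet = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Test-RegValue($Path, $Name, $Expected) {
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $ok = ($actual -eq $Expected)
    $tag = if ($ok) { 'OK  ' } else { 'FIX ' }
    Write-Host ("{0} {1}\{2} = {3} (want {4})" -f $tag, $Path, $Name, $actual, $Expected)
    if (-not $ok -and $Apply) {
        New-Item -Path $Path -Force | Out-Null   # creates the key path if missing
        New-ItemProperty -Path $Path -Name $Name -Value $Expected -PropertyType DWord -Force | Out-Null
    }
    return $ok
}

foreach ($p in $desired) {
    $client = Join-Path $schannel "$($p.Protocol)\Client"
    if (-not $p.Create -and -not (Test-Path $client)) { Write-Host "SKIP $client not present"; continue }
    foreach ($name in $p.Values.Keys) { Test-RegValue $client $name $p.Values[$name] | Out-Null }
}

foreach ($path in $dotnet) {
    Test-RegValue $path 'SystemDefaultTlsVersions' 1 | Out-Null
    Test-RegValue $path 'SchUseStrongCrypto' 1 | Out-Null
}
```

Run it once without -Apply to review what would change; a reboot is still required for SCHANNEL changes to take effect, and the SQL Server caveat below applies before disabling the legacy protocols.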

SQL changes

Sometimes enabling TLS 1.2 requires less-secure protocols to be disabled. However, fresh installs of SQL Server did not support TLS 1.2 until SQL Server 2014, so disabling older protocols can make it impossible for the Server or Reporter to talk to SQL Server.

Additional Information

  • The Carbon Black Collective Defense Cloud (CDC), which provides file trust and threat information and allows automatic updates of certain rules, requires a TLS 1.2 connection from the CB Protection Server. If you intend to connect to the CDC, use of .NET 4.6 (or later) is recommended. Earlier versions of .NET will default to pre-TLS-1.2 protocols, and this will prevent a CDC connection unless you disable those older protocols.
  • Disabling older TLS/SSL protocols may be a security issue for connections to other services from your App Control Server.