Enabling TLS 1.2 for App Control Server
Article ID: 288146

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Outlines the steps to enable TLS 1.2 on App Control servers so they continue to connect to the CDC, and to disable all previous versions of SSL and TLS so that downgrade attacks are prevented.

Environment

  • App Control Server: 7.2.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

Windows changes

  1. Every supported Windows operating system is capable of communicating via TLS 1.2, but not all of them are enabled to do so out of the box. The following Microsoft article describes the changes necessary to make a server talk TLS 1.2 if it is not already configured to do so: https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-windows-and-winhttp
  2. Additional changes to SCHANNEL-related registry entries may be required: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-schannel-protocols-in-the-windows-registry
    • Make sure the TLS 1.2 key is present, and that on its Client subkey, DisabledByDefault is set to (DWORD)0 and Enabled is set to (DWORD)1.
    • If the SSL 2.0, SSL 3.0 or TLS 1.0 keys are present, make sure that on their Client subkeys, DisabledByDefault is set to (DWORD)1.
  3. Because the Reporter is built on .NET, it is also necessary to tell the .NET Framework that we expect to communicate via TLS 1.2: https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-net-framework-to-support-tls-12
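The registry changes from steps 2 and 3, applied and then audited, as an added PowerShell example that is not part of the original article. The SCHANNEL and .NET value names follow the Microsoft guidance linked above; the audit function and its expected-value table are this example's own.

```powershell
# Added example: apply the SCHANNEL client settings (step 2) and the .NET Framework
# settings (step 3), then re-read them so the result can be audited.
# Run in an elevated PowerShell session; SCHANNEL changes take effect after a reboot.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-ClientProtocolValues {
    param([string]$Protocol, [hashtable]$Values)
    $key = Join-Path $Schannel "$Protocol\Client"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Values.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $Values[$name] -Type DWord
    }
}

# Step 2: TLS 1.2 client enabled and on by default; legacy clients off by default.
# Only DisabledByDefault is touched for the legacy protocols, as the article states.
Set-ClientProtocolValues -Protocol 'TLS 1.2' -Values @{ Enabled = 1; DisabledByDefault = 0 }
foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') {
    Set-ClientProtocolValues -Protocol $legacy -Values @{ DisabledByDefault = 1 }
}

# Step 3: make .NET (which the Reporter runs on) follow the OS protocol defaults
# and use strong crypto, for both the 64-bit and 32-bit framework registrations.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (-not (Test-Path $net)) { New-Item -Path $net -Force | Out-Null }
    Set-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
    Set-ItemProperty -Path $net -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
}

# Audit: re-read each Client subkey and flag any value that deviates from step 2.
function Test-ClientProtocols {
    $expected = @{ 'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
                   'SSL 2.0' = @{ DisabledByDefault = 1 }
                   'SSL 3.0' = @{ DisabledByDefault = 1 }
                   'TLS 1.0' = @{ DisabledByDefault = 1 } }
    foreach ($proto in $expected.Keys) {
        $key = Join-Path $Schannel "$proto\Client"
        foreach ($name in $expected[$proto].Keys) {
            $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{ Protocol = $proto; Value = $name
                               Expected = $expected[$proto][$name]; Actual = $actual
                               OK = ($actual -eq $expected[$proto][$name]) }
        }
    }
}
Test-ClientProtocols | Format-Table -AutoSize
```

Before disabling TLS 1.0 on a server whose SQL Server instance predates TLS 1.2 support, read the SQL changes section below, since the Server and Reporter may otherwise lose their database connection.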

SQL changes

  • Sometimes enabling TLS 1.2 requires less-secure protocols to be disabled. However, fresh installs of SQL Server did not support TLS 1.2 until SQL Server 2014, and disabling older protocols can make it impossible for the Server or Reporter to talk to SQL Server. The following Microsoft article covers each version of SQL Server and how to make it capable of communicating via TLS 1.2: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

Additional Information

  • The Carbon Black Collective Defense Cloud (CDC), which provides file trust and threat information and allows automatic updates of certain rules, requires a TLS 1.2 connection from the CB Protection Server. If you intend to connect to the CDC, use of .NET 4.6 (or later) is recommended. Earlier versions of .NET will default to pre-TLS-1.2 protocols, and this will prevent a CDC connection unless you disable those older protocols.
  • Disabling older TLS/SSL protocols may be a security issue for connections to other services from your App Control Server.