Disabling TLS 1.0/1.1 in Skype for Business Server 2015–Part 2

In Part 1 of our Disabling TLS 1.0 and 1.1 Support for On-Premises Skype for Business deployments blog we covered the pre-requisites and supportability scope. In this blog we will go over how to disable TLS 1.0 and 1.1 in your environments.

Please review Part 1 to ensure all your servers, clients and devices are in scope, and that you have a plan to address any gaps. Except where noted in Part 1, once TLS 1.0 and 1.1 are disabled, out-of-scope servers, clients and devices will no longer function properly, or at all. This may mean you need to pause and wait for updated guidance from Microsoft. Once you are satisfied you meet all requirements and have a plan to address gaps, proceed.

We want to follow the usual "inside out" order of operations for upgrading Skype for Business servers. Treat Director pools, Persistent Chat pools and paired pools in the same manner you normally would. Order and methods for upgrade are covered here and here.

At a high level, this requires installing Skype for Business Server 2015 CU6 HF2, applying pre-requisite updates to .NET and SQL, and finally another, separate round of OS configuration updates, i.e. disabling TLS 1.0 and 1.1 via registry file import. It is critically important that you complete installation of all prerequisites, including Skype for Business Server 2015 CU6 HF2, prior to disabling TLS 1.0 and 1.1 on any server in your environment. Every Skype for Business Server, including Edge role and SQL Backends, requires the updates. Also ensure that all supported (in-scope) clients have been updated to the required minimum versions. Don’t forget to update management workstations as well.

High level process:

  1. Test all steps in your lab prior to configuring production servers
  2. Back up and preserve a copy of the exported registry on each and every individual server to be updated. You cannot share registry exports between servers; they contain unique machine-based keys.
  3. Upgrade all Skype for Business 2015 Servers to CU6 HF2 or higher
  4. Install all pre-requisites to all servers
  5. Ensure all in-scope clients are updated (covered in Part I)
  6. Disable TLS 1.0 and 1.1 via registry import
  7. Validate workloads are functioning as expected
    1. If problems encountered, troubleshoot and resolve or
    2. Restore registry from step 2 to re-enable TLS 1.0 and 1.1
  8. Validate only TLS 1.2 is being used
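Step 2 asks for a per-server registry backup before anything is imported. The following is an added example (not from the original post) that exports exactly the keys the TLSDisable.reg file below modifies into a folder named for this server, so the export cannot be confused with another machine's; the backup root C:\TLSBackup is a placeholder and an elevated session is assumed.

```powershell
# Added example (not from the original post): back up the registry keys that
# the TLSDisable.reg import will change, on this server, before importing it.
# Assumptions: elevated PowerShell session; C:\TLSBackup is a placeholder path.
# Each server gets its own folder because an export from one server must never
# be restored onto another (the keys contain machine-specific values).
$BackupRoot = 'C:\TLSBackup'
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$Target     = Join-Path $BackupRoot "$env:COMPUTERNAME-$Stamp"
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Keys touched by the import: SCHANNEL (protocols, ciphers, hashes, key
# exchange), the cipher suite order policy, and the four .NET SchUseStrongCrypto keys.
$Keys = [ordered]@{
    'SCHANNEL'         = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    'CipherSuiteOrder' = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    'DotNet-v2'        = 'HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'
    'DotNet-v4'        = 'HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'DotNet-v2-Wow'    = 'HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
    'DotNet-v4-Wow'    = 'HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
}

foreach ($Name in $Keys.Keys) {
    $File = Join-Path $Target "$Name.reg"
    # reg.exe export writes a .reg file that "reg.exe import <file>" can replay
    # to restore the previous state (step 7.2 of the process). /y overwrites.
    & reg.exe export $Keys[$Name] $File /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $File)) {
        # The cipher suite policy key may not exist yet on an untouched server,
        # which is expected; any other failure is a reason to stop here.
        Write-Warning "Export of $($Keys[$Name]) failed (exit code $LASTEXITCODE)"
    } else {
        Write-Host "Backed up $($Keys[$Name]) -> $File"
    }
}
```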

Install Pre-Requisites to All Servers

Extensive dependency updating is required before you begin to disable TLS 1.0 and 1.1 at the operating system level in your Skype for Business Server 2015 deployments. The following are the minimum versions that can support TLS 1.2. Deploy all pre-requisite updates across every Skype for Business server in your environment before you begin disabling TLS 1.0 and 1.1.

  • Skype for Business Server 2015 CU6 HF2 6.0.9319.516 (March 2018 update) or higher
  • .NET Framework 4.7 or higher with SchUseStrongCrypto enabled in the registry (provided below)
  • SQL must be updated on all Skype for Business 2015 servers and backends. Update Enterprise Edition Pool SQL Backends first, then their respective FEs.
  • One of: SQL Server 2014 SP1 + CU5 or higher; SQL Server 2012 SP2 + CU16 or higher; SQL Server 2014 RTM + CU12 or higher; SQL Server 2014 SP2
  • SQL Server Native Client for SQL Server 2012
  • Microsoft ODBC Driver 11 for SQL Server, or higher
  • Shared Management Objects for SQL Server 2014 SP2
  • SQLSysClrTypes for SQL Server 2014 SP2

Basic steps to install pre-requisites, in recommended order of operations:

  1. Install the Skype for Business Server CU6 HF2 (6.0.9319.516) update on all servers.
    1. Install the update to components using the updater.
    2. Update databases according to documented procedures. Instructions are documented at https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015.
    3. Validate product functionality in the deployment prior to moving forward with any other changes.
  2. Download and install the .NET Framework 4.7 offline installer.
    1. Reference: https://www.microsoft.com/en-us/download/details.aspx?id=5516
    2. Ensure Skype for Business Server 2015 services are stopped on the Front End server (reference: https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015).
      • Ex (Standard Edition): Stop-CsWindowsService
      • Ex (Enterprise Edition): Invoke-CsComputerFailover
    3. Run the installer package.
    4. Reboot the server.
  3. Update SQL Express 2014 on all Front End or Standard Edition servers.
    1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server.
    2. Download SQL Server 2014 SP2 from https://www.microsoft.com/en-us/download/details.aspx?id=53168
    3. Copy the installation media to a folder on the server (Ex: C:\1_2014SqlSp2).
    4. Ensure Skype for Business Server 2015 services are stopped on the Front End server.
      • Ex (Standard Edition): Stop-CsWindowsService
      • Ex (Enterprise Edition): Invoke-CsComputerFailover
    5. Open an Admin Command Prompt, and upgrade all installed components and instances.
      • Example: C:\1_2014SqlSp2\SQLServer2014SP2-KB3171021-x64-ENU.exe /qs /IAcceptSQLServerLicenseTerms /Action=Patch /AllInstances
  4. Update SQL Server Native Client.
    1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server.
    2. Download from https://www.microsoft.com/en-us/download/details.aspx?id=50402
    3. Ensure Skype for Business Server 2015 services are stopped on the Front End server.
      • Ex (Standard Edition): Stop-CsWindowsService
      • Ex (Enterprise Edition): Invoke-CsComputerFailover
    4. Stop the installed SQL instances.
      • Ex: Get-Service 'MSSQL$RTCLOCAL' | Stop-Service
      • Ex: Get-Service 'MSSQL$LYNCLOCAL' | Stop-Service
      • Ex (Standard Edition only): Get-Service 'MSSQL$RTC' | Stop-Service
    5. Install the update.
  5. Update ODBC Driver 11 for SQL Server.
    1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server.
    2. Download from https://www.microsoft.com/en-us/download/confirmation.aspx?id=36434
    3. Ensure Skype for Business Server 2015 services are stopped on the Front End server.
      • Ex (Standard Edition): Stop-CsWindowsService
      • Ex (Enterprise Edition): Invoke-CsComputerFailover
    4. Install the update.

For SQL Back ends for Enterprise Edition Pools, pre-requisites and TLS disable should be treated as any SQL or OS updates would; refer to: https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/patch-or-update-a-back-end-or-standard-edition-server

While both the pre-requisite application and TLS disabling steps can be combined, we strongly recommend all pre-requisites be applied before proceeding with disabling of TLS 1.0 and 1.1 at the operating system level.

Disable TLS 1.0 and 1.1 via Registry Import

Before you proceed with the next steps, make sure you have completed all prerequisites and updated Skype for Business Servers.

Copy the following text into a Notepad file and save it as TLSDisable.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"AllowInsecureRenegoClients"=dword:00000000
"AllowInsecureRenegoServers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Import the .reg file on each server on which you wish to disable TLS 1.0 and 1.1, then reboot the server. Once the services have come back online, move to the next server. The approach for Enterprise Edition Pools is the same you would take for any OS update.

You may have noticed we are doing more than just disabling TLS 1.0 and 1.1 here. SchUseStrongCrypto is required for .Net to function properly. In addition, we are supporting Cipher Suite re-order (as shown above) and the disabling of some older weak ciphers. This is the first time we have officially supported these changes to SCHANNEL and Crypto API on Skype for Business Server, and it is important to note these changes are the only ones we support and have tested at this time. We may consider additional configurations in the future, but for now, please do not modify the registry import file in your implementation.
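Because the import is the only supported way to make these changes, it is worth confirming on each server that the registry now matches the file before moving on. The following is an added example (not from the original post) that reads back the SCHANNEL protocol keys and the four SchUseStrongCrypto values and flags any server whose state differs from what TLSDisable.reg sets.

```powershell
# Added example (not from the original post): read back the SCHANNEL protocol
# and SchUseStrongCrypto values and compare them with the state TLSDisable.reg
# is meant to produce. Run it on each server after the import and reboot.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected state from TLSDisable.reg: everything below TLS 1.2 is off and
# disabled by default; TLS 1.2 is on and not disabled by default.
$Expected = [ordered]@{
    'Multi-Protocol Unified Hello' = @{ Enabled = 0; DisabledByDefault = 1 }
    'PCT 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 2.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

$Results = foreach ($Proto in $Expected.Keys) {
    foreach ($Side in 'Client', 'Server') {
        $Key = Join-Path $Schannel "$Proto\$Side"
        # A missing key or value means "Windows default", which is not the
        # hardened state, so it is reported as a mismatch rather than skipped.
        $Item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Proto
            Side              = $Side
            Enabled           = $Item.Enabled
            DisabledByDefault = $Item.DisabledByDefault
            AsExpected        = ($Item.Enabled -eq $Expected[$Proto].Enabled) -and
                                ($Item.DisabledByDefault -eq $Expected[$Proto].DisabledByDefault)
        }
    }
}

# SchUseStrongCrypto must be 1 in all four .NET keys set by the same .reg file.
$DotNetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
              'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
$StrongCrypto = foreach ($Key in $DotNetKeys) {
    $Value = (Get-ItemProperty -Path $Key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
    [pscustomobject]@{ Key = $Key; SchUseStrongCrypto = $Value; AsExpected = ($Value -eq 1) }
}

$Results | Format-Table -AutoSize
$StrongCrypto | Format-Table -AutoSize
if (@($Results + $StrongCrypto | Where-Object { -not $_.AsExpected }).Count -gt 0) {
    Write-Warning "$env:COMPUTERNAME does not match TLSDisable.reg; do not move on to the next server."
}
```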

Validate Workloads are functioning as expected

Once TLS 1.0 and 1.1 have been disabled in your environment, check to ensure that all your main workloads are functioning as expected, such as IM & Presence, P2P calls, Enterprise Voice, et cetera.

Validate only TLS 1.2 is being used

Have your Security Team perform a new audit of Skype for Business traffic to ensure the older protocols TLS 1.0 and 1.1 are no longer in use.

Alternatively, you can use Internet Explorer to test TLS connections to web services from Skype for Business Server 2015 after TLS 1.0 and TLS 1.1 have been disabled.

  1. Launch Internet Explorer
  2. Select Tools > Internet Options
  3. Select the Advanced tab
  4. Under Settings, scroll to the bottom
  5. Verify that TLS 1.0, TLS 1.1, and TLS 1.2 are enabled
  6. Browse the Internal Web Service URL of your SfB 2015 pool (should connect successfully)
  7. Go back into Internet Options and clear only the Use TLS 1.2 check box, leaving TLS 1.0 and TLS 1.1 enabled, so the browser can no longer offer TLS 1.2
  8. Browse the Internal Web Service URL of your SfB 2015 pool again (should fail to connect)
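The browser test above exercises one protocol at a time by hand. The following is an added example (not from the original post) that does the same at the handshake level: it offers TLS 1.0, 1.1 and 1.2 in turn to the pool's internal web service and reports which the server accepts. The pool FQDN is a placeholder, and the probe must run from a workstation that still has TLS 1.0/1.1 enabled client-side (as in step 5), since a client that cannot offer TLS 1.0 tells you nothing about the server.

```powershell
# Added example (not from the original post): per-protocol handshake probe
# against the pool's internal web service. After the reconfiguration only the
# TLS 1.2 probe should be accepted. Run from a workstation that still has
# TLS 1.0/1.1 enabled client-side; otherwise a rejected TLS 1.0 handshake
# only reflects the probing machine, not the server.
$PoolFqdn = 'pool01.contoso.example'   # placeholder: your pool's internal web services FQDN
$Port     = 443

function Test-TlsProtocol {
    param([string]$TargetHost, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $Client = New-Object System.Net.Sockets.TcpClient
    try {
        $Client.Connect($TargetHost, $Port)
        # Certificate trust is not what this probe measures, so accept any
        # certificate and let the protocol negotiation alone decide the result.
        $AcceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $AcceptAll)
        # Offer exactly one protocol version ('Tls' is TLS 1.0) and no client certificate.
        $Ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        [pscustomobject]@{ Offered = $Protocol; Result = 'accepted'
                           Negotiated = $Ssl.SslProtocol; Cipher = $Ssl.CipherAlgorithm; Error = $null }
    } catch {
        [pscustomobject]@{ Offered = $Protocol; Result = 'rejected'
                           Negotiated = $null; Cipher = $null; Error = $_.Exception.GetBaseException().Message }
    } finally {
        $Client.Close()
    }
}

$Report = foreach ($P in 'Tls', 'Tls11', 'Tls12') {
    Test-TlsProtocol -TargetHost $PoolFqdn -Port $Port -Protocol ([System.Security.Authentication.SslProtocols]$P)
}
$Report | Format-Table -AutoSize

# Any accepted handshake other than TLS 1.2 means the server still offers a
# protocol the import was supposed to turn off; a rejected TLS 1.2 means the
# server (or its cipher suite list) needs attention before going further.
$Bad = @($Report | Where-Object { $_.Result -eq 'accepted' -and $_.Offered -ne 'Tls12' })
if ($Bad.Count -gt 0) {
    Write-Warning "$PoolFqdn still accepts: $($Bad.Offered -join ', ')"
} elseif (($Report | Where-Object { $_.Offered -eq 'Tls12' }).Result -ne 'accepted') {
    Write-Warning "$PoolFqdn did not accept TLS 1.2; investigate before continuing the rollout."
}
```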

(Screenshot: Internet Options dialog, Advanced tab)



from TechNet Blogs https://ift.tt/2HzPGwq (April 18, 2018)