Accepted Solutions
How to disable TLS 1.0 and 1.1 and weaker ciphers:
This is a very common question that we get often for secured environments. Prognosis 11.6+ utilizes TLS 1.2 now therefore there should be no effect to disable. Often, customer’s environment will scan and detect these security vulnerabilities.
- Download the tool from the link below
https://www.nartac.com/Products/IISCrypto
Choose IIS Crypto GUI below
- Extract IISCrypto.exe to local folder on the prognosis monitoring node and launch it.
- Click on “Best Practices” and hit Apply
This will enable most common protocols (including TLS1.0), range of cipher suites, hashes & key exchanges according to best practices provided by the vendor.
- You can disable the protocols TLS 1.0 and TLS 1.1 via this GUI.
- You can disable the any ciphers related reference in your scan however, these might affect Prognosis so be sure to check first to see if it’s a product the customer may use.
- You must reboot the server to take effect.
- After reboot, you can check a bunch of registry entries been added locally on the Prognosis windows node by the tool under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
For more information, refer to https://support.microsoft.com/en-us/kb/245030 which suggests the same thing.
How to disable TLS 1.0 and 1.1 and weaker ciphers:
This is a very common question that we get often for secured environments. Prognosis 11.6+ utilizes TLS 1.2 now therefore there should be no effect to disable. Often, customer’s environment will scan and detect these security vulnerabilities.
- Download the tool from the link below
https://www.nartac.com/Products/IISCrypto
Choose IIS Crypto GUI below
- Extract IISCrypto.exe to local folder on the prognosis monitoring node and launch it.
- Click on “Best Practices” and hit Apply
This will enable most common protocols (including TLS1.0), range of cipher suites, hashes & key exchanges according to best practices provided by the vendor.
- You can disable the protocols TLS 1.0 and TLS 1.1 via this GUI.
- You can disable the any ciphers related reference in your scan however, these might affect Prognosis so be sure to check first to see if it’s a product the customer may use.
- You must reboot the server to take effect.
- After reboot, you can check a bunch of registry entries been added locally on the Prognosis windows node by the tool under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
For more information, refer to https://support.microsoft.com/en-us/kb/245030 which suggests the same thing.
