cancel
Showing results for 
Search instead for 
Did you mean: 

How to use IIS crypto to disable ciphers and TLS 1.0 and 1.1 (Prognosis 11.6+)

Highlighted
Hero

How to use IIS crypto to disable ciphers and TLS 1.0 and 1.1 (Prognosis 11.6+)

If your security department or scanner has detected less secure protocols and would like them disabled, How would you use IIS crypto to disable ciphers and TLS 1.0 and 1.1 (Prognosis 11.6+)

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Hero

Re: How to use IIS crypto to disable ciphers and TLS 1.0 and 1.1 (Prognosis 11.6+)

 

 

How to disable TLS 1.0 and 1.1 and weaker ciphers:

 

This is a very common question that we get often for secured environments. Prognosis 11.6+ utilizes TLS 1.2 now therefore there should be no effect to disable. Often, customer’s environment will scan and detect these security vulnerabilities.

 

  1. Download the tool from the link below

https://www.nartac.com/Products/IISCrypto

 

Choose IIS Crypto GUI below

7.png

 

  1. Extract IISCrypto.exe to local folder on the prognosis monitoring node and launch it.
  2. Click on “Best Practices” and hit Apply

This will enable most common protocols (including TLS1.0), range of cipher suites, hashes & key exchanges according to best practices provided by the vendor.

  1. You can disable the protocols TLS 1.0 and TLS 1.1 via this GUI.
  2. You can disable the any ciphers related reference in your scan however, these might affect Prognosis so be sure to check first to see if it’s a product the customer may use.

8.png

 

  1. You must reboot the server to take effect.
  1. After reboot, you can check a bunch of registry entries been added locally on the Prognosis windows node by the tool under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

9.png

 

For more information, refer to https://support.microsoft.com/en-us/kb/245030 which suggests the same thing.

 

View solution in original post

1 REPLY 1
Highlighted
Hero

Re: How to use IIS crypto to disable ciphers and TLS 1.0 and 1.1 (Prognosis 11.6+)

 

 

How to disable TLS 1.0 and 1.1 and weaker ciphers:

 

This is a very common question that we get often for secured environments. Prognosis 11.6+ utilizes TLS 1.2 now therefore there should be no effect to disable. Often, customer’s environment will scan and detect these security vulnerabilities.

 

  1. Download the tool from the link below

https://www.nartac.com/Products/IISCrypto

 

Choose IIS Crypto GUI below

7.png

 

  1. Extract IISCrypto.exe to local folder on the prognosis monitoring node and launch it.
  2. Click on “Best Practices” and hit Apply

This will enable most common protocols (including TLS1.0), range of cipher suites, hashes & key exchanges according to best practices provided by the vendor.

  1. You can disable the protocols TLS 1.0 and TLS 1.1 via this GUI.
  2. You can disable the any ciphers related reference in your scan however, these might affect Prognosis so be sure to check first to see if it’s a product the customer may use.

8.png

 

  1. You must reboot the server to take effect.
  1. After reboot, you can check a bunch of registry entries been added locally on the Prognosis windows node by the tool under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

9.png

 

For more information, refer to https://support.microsoft.com/en-us/kb/245030 which suggests the same thing.

 

View solution in original post

Webinar: Keep the modern workforce connected

Unified Communications has always been an important part of companies' digital transformation efforts due to its ability to enable rich virtual collaboration and communication. But with COVID-19, we've reached a break-through point.

Join Bill Haskins, Sr. Analyst & Partner, Unified Communications at Wainhouse Research, and John Ruthven, CEO at IR discuss UC challenges companies are experiencing due to the COVOID-19 crisis.

Join webinar