Disabling TLS 1.0 on Windows 2008 R2

For PCI Compliance, TLS 1.0 needs to be disabled. I was able to get this working on Windows 2012 with no problem by editing the registry as follows:
Add DWORD DisabledByDefault and set to 1 for
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
Then I rebooted the server. TLS is showing as disabled when running an nmap scan. However doing the same for Windows 2008 R2 doesn't work even though https://support.microsoft.com/en-us/kb/187498 states that it should. When I make the changes to Windows 2008 R2, the SSL site does not show in a browser at all (tried multiple browsers to rule out browser issues).
When hitting the SSL site in Chrome, I get ERR_CONNECTION_RESET but I can telnet to port 443 which would rule out IIS and networking issues. It seems the specific Server key is the one causing issues. When I remove that, the site works in a browser but then nmap shows that TLSv1.0 is enabled which goes back to square one.
Any ideas on getting TLS 1.0 disabled on Windows 2008 R2? I'm out of ideas and have tried a few combinations to no avail.
Thanks for any help!

I was getting the same thing in Windows Server 2008 R2 until I manually added and enabled the TLS 1.1 and TLS 1.2 keys and subkeys and restarted.
Make sure that both the Client and Server subkeys have these DWORD values.
DisabledByDefault = 00000000
Enabled = ffffffff
Check out this Windows support article on the subject https://support.microsoft.com/en-us/kb/245030. (Scroll down to the "For later versions of Windows" section toward the bottom.)
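The registry changes described in the question and this answer, as an added PowerShell example (not code from the original post): it writes the TLS 1.1 and TLS 1.2 Client/Server keys with DisabledByDefault = 0 and Enabled = 0xffffffff first, then sets TLS 1.0 to disabled, and reads everything back. Explicitly enabling 1.1 and 1.2 before disabling 1.0 is the point of the answer above; disabling 1.0 alone leaves SCHANNEL with nothing it will offer, which matches the ERR_CONNECTION_RESET the questioner saw. The script assumes it runs elevated on the server and that a reboot follows, as in the answer. Enabled is written as the Int32 value -1 because RegistryKey.SetValue with RegistryValueKind.DWord stores the raw 32-bit pattern, which is ffffffff.

```powershell
# Added example, not from the original post. Run elevated, then reboot.
# Take a backup of the whole SCHANNEL key before changing anything:
#   reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" schannel-backup.reg /y

$base = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol. Enabled = -1 is the Int32 form of 0xffffffff;
# the registry provider stores the bit pattern, so the value shows as ffffffff.
$settings = @{
    'TLS 1.1' = @{ DisabledByDefault = 0; Enabled = -1 }
    'TLS 1.2' = @{ DisabledByDefault = 0; Enabled = -1 }
    'TLS 1.0' = @{ DisabledByDefault = 1; Enabled = 0 }
}

# Order matters: enable 1.1 and 1.2 before turning 1.0 off.
foreach ($proto in 'TLS 1.1', 'TLS 1.2', 'TLS 1.0') {
    foreach ($side in 'Client', 'Server') {
        $key = "$base\$proto\$side"
        foreach ($name in $settings[$proto].Keys) {
            # Registry.SetValue creates any missing part of the key path.
            [Microsoft.Win32.Registry]::SetValue(
                $key, $name, [int]$settings[$proto][$name],
                [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    }
}

# Read back and display as unsigned hex so Enabled shows ffffffff, not -1.
function Show-DWord($key, $name) {
    $v = [Microsoft.Win32.Registry]::GetValue($key, $name, $null)
    if ($null -eq $v) { return 'missing' }
    return '{0:x8}' -f ($v -band 0xffffffff)
}

foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($side in 'Client', 'Server') {
        $key = "$base\$proto\$side"
        '{0,-8} {1,-6} DisabledByDefault={2} Enabled={3}' -f $proto, $side,
            (Show-DWord $key 'DisabledByDefault'), (Show-DWord $key 'Enabled')
    }
}
```

After the reboot, repeat the nmap check the questioner used: TLS 1.0 should no longer be offered while TLS 1.1 and 1.2 are.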

Related

What TLS protocol does Server.CreateObject("Msxml2.XMLHTTP.6.0") use?

I'm using classic ASP on IIS on Windows Server 2012, and Server.CreateObject("Msxml2.XMLHTTP.6.0") to make SOAP requests against a payment processor, and "suddenly" it stopped working.
The payment processor has disabled TLS 1.0, we're supposed to do TLS 1.1 or 1.2; I think this is the cause of the problem...
How do I see and if needed change which protocol it uses?
Take a look here: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#systemdefaulttlsversions - specifically at the sections SystemDefaultTlsVersions and SchUseStrongCrypto. You should also go ahead and disable all insecure ciphers/protocols/key exchanges in SChannel - the Windows component responsible for SSL/TLS.
There is a GUI tool called IISCrypto from a company called Nartac that has some common profiles that are (somewhat) safer than editing the registry directly for disabling various obsolete components. See https://www.nartac.com/Products/IISCrypto.
Word of warning - be careful with your SChannel settings (either editing the registry or using IIS Crypto) - the settings are used throughout Windows and are required for services like RDP and WinRM among other things - back up first, then test carefully.
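The two .NET Framework registry values the answer above points to, as an added PowerShell example (not code from the original answer or from Microsoft): it writes SystemDefaultTlsVersions and SchUseStrongCrypto for the v4 and v2 runtimes in both the 64-bit and Wow6432Node views, after exporting the existing keys as a backup, and then reads the values back. It assumes an elevated session on a 64-bit server and that the affected processes (or the server) are restarted afterwards; as the linked page describes, the values only take effect for Framework versions that honour them, and they are separate from the SCHANNEL protocol keys.

```powershell
# Added example, not from the original answer. Run elevated.

$roots = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'   # 32-bit view
)
$runtimes = 'v4.0.30319', 'v2.0.50727'
$values   = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

# Back up first, as the answer advises. reg.exe wants the HKLM short form.
foreach ($root in $roots) {
    $short = $root -replace '^HKEY_LOCAL_MACHINE', 'HKLM'
    $file  = ($short -replace '[\\:]', '_') + '.reg'
    & reg.exe export $short $file /y | Out-Null
}

# Write the two DWORD values under every runtime in every view.
foreach ($root in $roots) {
    foreach ($rt in $runtimes) {
        $key = "$root\$rt"
        foreach ($name in $values.Keys) {
            # Registry.SetValue creates the runtime subkey if it is missing.
            [Microsoft.Win32.Registry]::SetValue(
                $key, $name, [int]$values[$name],
                [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    }
}

# Verify: 'missing' is returned for anything that was not written.
foreach ($root in $roots) {
    foreach ($rt in $runtimes) {
        $key = "$root\$rt"
        $sd = [Microsoft.Win32.Registry]::GetValue($key, 'SystemDefaultTlsVersions', 'missing')
        $sc = [Microsoft.Win32.Registry]::GetValue($key, 'SchUseStrongCrypto', 'missing')
        '{0}  SystemDefaultTlsVersions={1}  SchUseStrongCrypto={2}' -f $key, $sd, $sc
    }
}
```

With SystemDefaultTlsVersions set, .NET code that does not name a protocol version follows the SCHANNEL defaults of the OS, so the SCHANNEL protocol keys still decide what is actually negotiated.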
I had a similar situation - I used Msxml2.XMLHTTP for an API endpoint call in a VB script and suddenly it stopped working. I got the error "The system cannot locate the resource specified" and http.status returned 12029. The problem was not in the URL; it worked when I tried to call the URL from the browser. But when I ran the VB script, it failed on the line http.send.
How did I finally solve it?
I had to install the recommended update to my Windows Server 2012:
Microsoft .NET Framework 4.8 for Windows Server 2012 for x64 (KB4486081)
and I installed one optional update too:
Internet Explorer 11 for Windows Server 2012 for x64
After this and a server restart it started to work again. I can use both "Msxml2.XMLHTTP.6.0" and "Msxml2.XMLHTTP"; it does not matter.

IIS 7.5 URL Rewrite stopped working after reboot

The server has 2 IP addresses. Each is bound to a site. One of them has a bunch of URL rewrites configured for each application, pointing to another server. Each has anonymous authentication enabled.
After a reboot of the server, the URL rewrites stopped working, simply showing an "Unauthorized" error page.
Info:
Windows Server 2008 R2 Enterprise SP1
IIS 7.5 SP1
I noticed that the error page said that no authentication was enabled except integrated authentication. The GUI said something different though.
I switched on Basic Authentication (additional to Anonymous) and it worked immediately. When I switched it back off, things continued to work again just as they did before the reboot.
This seems to be some glitch in IIS (?)

Connect from VM XP on Win 7 to Win 7 IIS localhost

Developing an MVC application, I now need to test other browser versions.
Installed the VM XP on Win 7. That is running well. Got IE8 installed and FF 3.6. I know IE9 has a compat mode for 8 and 7, but I read some articles that these may not run exactly as their stand-alone versions. I got IE8 installed on the VM XP, so now I need to connect to my IIS Win7 localhost.
Is there any way to do this? And how?
You need to configure your HOST PC's firewall to allow the VM (and perhaps other machines) to connect on port 80.
You can then navigate to http://hostmachinename in the VM.
Although my firewall was off, I was able to connect using the local machine name or IP address, as stated above by SLaks. So, if anyone has their firewall on, you may have to allow the VM to access the ports.
I did set the VM XP >> Tools >> Settings >> Networking to my NIC/ethernet card.
Not sure if this had any effect.
I also had trouble at first getting the .NET MVC website to run. But then I realized our web.config is set up to take only HTTPS. I had my website running on 2 ports; one is for SSL. When I used the HTTPS secure port, it connected. So I guess the web app was seeing the VM as another computer trying to connect that was not local, so it required it to connect by HTTPS.

Move or copy SSL certificates from broken windows server

Yesterday we had a major problem with our Windows 2003 web server and we had to move all our sites to a new machine. There were a couple of sites that used an SSL certificate and we cannot export these because we cannot start Windows on the broken machine.
Is there a way to get these certificates to work on the other server? I have access to the hard drive of the broken server. I should mention that the new server is on Windows 2008 R2.

HTTPS in IIS 5.1

I'm using IIS 5.1 in Windows XP on my development computer. I'm going to set up HTTPS on my company's web server, but I want to try doing it locally before doing it on a production system.
But when I go into the Directory Security tab of my web site's configuration section, the "Secure communication" groupbox is disabled. Is there something I need to do to make this groupbox enabled?
That is because IIS 5.1 under the limited Windows XP version is limited to only HTTP. You need to have a full version of IIS 6.0 on Windows 2003 to do this. Luckily you can download a VHD image of Windows 2003 from Microsoft and run it under a Virtual PC instance. Plus I would recommend this since you are trying to be careful and use a machine close to your production environment. IIS 5.1 version is never deployed as a production machine so you cannot guarantee anything and the differences between IIS 5.1 and IIS 6.0 are significant enough where the VM is worth your while.
You may need to manually create a certificate first (on WinXP there does not seem to be a built-in mechanism, so you need to use OpenSSL). Check out these two links:
Enabling SSL in IIS on Windows XP Professional
Enabling SSL (HTTPS) for IIS in Windows XP