SQL6-D0-008300 - Confidentiality of controlled information during transmission through the use of an approved TLS version - SSL 2.0 Client Enabled

Details

Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. SQL Server must use a minimum of FIPS 140-2-approved TLS version 1.2, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 Rev.2 specifies the preferred configurations for government systems.



References:


TLS Support 1.2 for SQL Server: https://support.microsoft.com/en-us/kb/3135244


TLS Registry Settings: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings


Solution

Important Note: Incorrectly modifying the Windows Registry can result in serious system errors. Before making any modifications, ensure you have a recent backup of the system and registry settings.

Access the SQL Server
Access an administrator command prompt
Type 'regedit' to launch the Registry Editor

Enable TLS 1.2:

1.Navigate to the path HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
a.If the 'TLS 1.2' key does not exist, right-click 'Protocols'
b.Click New
c.Click Key
d.Type the name 'TLS 1.2'

2.Navigate to the 'TLS 1.2' subkey
a.If the subkey 'Client' does not exist, right-click 'TLS 1.2'
b.Click New
c.Click Key
d.Type the name 'Client'
e.Repeat steps A - D for the 'Server' subkey

3.Navigate to the 'Client' subkey
a.If the value 'Enabled' does not exist, right-click on 'Client'
b.Click New
c.Click DWORD
d.Enter 'Enabled' as the name
e.Repeat steps A-D for the value 'DisabledByDefault'

4.Double-click 'Enabled'

5.In Value Data, enter '1'

6.Click OK

7.Double-click 'DisabledByDefault'

8.In Value Data, enter '0'

9.Click OK

10.Repeat steps 3 - 9 for the 'Server' subkey


Disable unwanted SSL/TLS protocol versions:

1.Navigate to the path HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
a.If the 'TLS 1.0' key does not exist, right-click 'Protocols'
b.Click New
c.Click Key
d.Type the name 'TLS 1.0'

2.Navigate to the 'TLS 1.0' subkey
a.If the subkey 'Client' does not exist, right-click 'TLS 1.0'
b.Click New
c.Click Key
d.Type the name 'Client'
e.Repeat steps A - D for the 'Server' subkey

3.Navigate to the 'Client' subkey
a.If the value 'Enabled' does not exist, right-click on 'Client'
b.Click New
c.Click DWORD
d.Enter 'Enabled' as the name
e.Repeat steps A-D for the value 'DisabledByDefault'

4.Double-click 'Enabled'

5.In Value Data, enter '0'

6.Click OK

7.Double-click 'DisabledByDefault'

8.In Value Data, enter '1'

9.Click OK

10.Repeat steps 3 - 9 for the 'Server' subkey

11.Repeat steps 1 - 10 for 'TLS 1.1', 'SSL 2.0', and 'SSL 3.0'


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Windows.


References


Source