How to Pass PCI – Disable TLS 1.0, SSL 2.0, SSL 3.0

If you are trying to pass PCI compliance, the security scan may complain that your Windows 2008 Server R2 has TLS 1.0, SSL 2.0 or SSL 3.0 enabled.

1. VERY IMPORTANT: Install this optional update or you won’t be able to remote desktop to the server after you disable TLS 1.0

https://support.microsoft.com/en-us/help/3080079/update-to-add-rds-support-for-tls-1.1-and-tls-1.2-in-windows-7-or-wind


2. You might need to add TLS 1.2 support for your SQL Server.

https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server

 

3. Useful Tool

Use the following tool (IIS Crypto) to disable TLS 1.0, the other weak protocols and weak cipher suites.

https://www.nartac.com/Products/IISCrypto/Download
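
The following is an added example, not part of the original post or of IIS Crypto: a PowerShell script that reports, and with the example's own `-Apply` switch sets, the server-side SCHANNEL registry values for SSL 2.0, SSL 3.0 and TLS 1.0 through 1.2. It assumes the standard SCHANNEL `Protocols` registry layout, an elevated prompt, the RDP update from step 1 already installed, and a reboot after applying.

```powershell
# Added example (not from the original post). Run elevated; reboot after -Apply.
param([switch]$Apply)   # example's own switch: without it the script only reports

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Target state for the server side of each protocol.
# TLS 1.1 and TLS 1.2 are off by default on Windows Server 2008 R2, so they are
# switched on explicitly alongside disabling the older protocols.
$desired = @(
    @{ Name = 'SSL 2.0'; Enabled = 0 },
    @{ Name = 'SSL 3.0'; Enabled = 0 },
    @{ Name = 'TLS 1.0'; Enabled = 0 },
    @{ Name = 'TLS 1.1'; Enabled = 1 },
    @{ Name = 'TLS 1.2'; Enabled = 1 }
)

foreach ($p in $desired) {
    $key = "$base\$($p.Name)\Server"

    # A missing key or value means the OS default applies.
    $cur = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $before = if ($cur -and $null -ne $cur.Enabled) { [bool]$cur.Enabled } else { 'OS default' }

    if ($Apply) {
        # Create the key only when it is absent, then write both values.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value $p.Enabled `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value (1 - $p.Enabled) `
            -PropertyType DWord -Force | Out-Null
    }

    # One row per protocol: state found, state wanted, whether it was written.
    New-Object PSObject -Property @{
        Protocol = $p.Name
        Before   = $before
        Target   = [bool]$p.Enabled
        Applied  = [bool]$Apply
    }
}
```

Run it without `-Apply` first to record the current state, and again after the reboot to confirm the values persisted before requesting a rescan.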

4. FTP Server

I had to apply the following fix in order for FTP uploads to continue to work.  Otherwise, an FTP client, such as FileZilla, reports the error “550 The supplied message is incomplete.  The signature was not verified”.  The FTP client keeps repeating the upload of the same file again and again.

https://support.microsoft.com/en-us/help/2888853/fix-the-supplied-message-is-incomplete-error-when-you-use-an-ftps-clie

 

Reference:

https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/

https://community.spiceworks.com/topic/1401592-howto-make-your-rdp-pci-dss-compliant

https://support.microsoft.com/en-us/help/3135244/tls-1.2-support-for-microsoft-sql-server
