Why Do You Need the TLS Dashboard? Security!
October 2018’s free System Center Configuration Manager (SCCM) giveaway is the TLS Dashboard. Get it here!
Why do you need this report? Keep reading below!
If you haven’t heard of Transport Layer Security (TLS) then you’re not alone. In a recent poll by our Chief Architect, over 70% of respondents didn’t know what TLS was nor had they applied the TLS software update.
The PCI Security Standards Council set June 30, 2018 as the deadline to implement a more secure encryption protocol, so web servers should all be upgraded to Transport Layer Security (TLS) version 1.2. The driving force behind this change is increased security of the HTTPS encryption between sites and the people who visit those sites.
Why should you care? If SCCM is upgraded to TLS 1.2, computers that are not configured properly won’t be able to communicate with the server or be able to use certain applications. If upgrading to TLS 1.2 is a priority in your organization, especially if you work in the financial or point of sale (POS) sectors, you need to pay attention.
Now that you know more about the importance of TLS, how do you audit each computer to ensure that TLS 1.2 is properly configured?
Solution: TLS Dashboard
This is where the TLS Dashboard comes into play. Once installed, the TLS Dashboard inventories all of the TLS and Secure Sockets Layer (SSL) registry values found on each computer. SSL is the predecessor to TLS. The results in the dashboard will quickly show you a count of each protocol (TLS and SSL) setting.
There are four possible registry keys for each TLS and SSL protocol setting. They are:
Please review the Microsoft documentation for a complete description of each registry key.
When you read the documentation you will see that there are actually three possible values for each registry key. They are:
– True – Green
– False – Red
– Not Defined (default) – Gray
In order to make it easier for you to review the results within each bar chart, we defined the colors of each value.
Later on in this post, we’ll tell you how to install the TLS updates on a computer.
Would you find it useful to have an audit of all TLS and SSL protocol settings in one report? Then get the TLS Dashboard NOW!
All of our free reports have the Role-Based Administration (RBA) feature enabled. This means that if you are using Microsoft System Center 2012 R2 Configuration Manager or above, these reports will work with all RBA settings.
Enhansoft Reporting – TLS Dashboard
The TLS Dashboard is found within Enhansoft Reporting’s Security category. This new category of dashboards and reports provides you with information about security-related settings which do not fall under our Endpoint Protection or Software Update categories.
Also found within the Security category are two TLS Dashboard companion reports. They are:
List of Computers by TLS – This report shows a list of computers by TLS/SSL protocol setting. In addition to the individual protocol settings, there are also three display options available:
All – Shows all TLS and SSL protocols (5) in one report.
All TLS – Shows all TLS protocols (3) in one report.
All SSL – Shows all SSL protocols (2) in one report.
TLS Details for a Computer – This report will allow you to see all TLS and SSL protocol settings for a given computer in one report.
How to Install the TLS Updates on a Computer
In response to the PCI Security Standards Council implementation deadline, some of our customers asked us about how Warranty Information Reporting (WIR) would work with these changes, so we were happy to tell them that our API works with both TLS v1.2 and TLS v1.1.
Others, though, experienced some problems because they needed to deploy the appropriate software updates and, more importantly, they needed to apply the registry keys listed within each Knowledge Base (KB) article below.
Once the software updates were deployed and the registry keys were applied, everything worked as expected because the TLS protocol setting on each computer was properly configured.
KB3154518 – Reliability Rollup HR-1605 – NDP 2.0 SP2 – Win7 SP1/Win 2008 R2 SP1
KB3154519 – Reliability Rollup HR-1605 – NDP 2.0 SP2 – Win8 RTM/Win 2012 RTM
KB3154520 – Reliability Rollup HR-1605 – NDP 2.0 SP2 – Win8.1RTM/Win 2012 R2 RTM
KB3156421 – 1605 HotFix Rollup through Windows Update for Windows 10.
For more information about the PCI Security Standards Council’s implementation deadline, please see this post, Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS.
Transport Layer Security (TLS) not only effects webservers and web sites, but it can also effect n-tier applications. Applications that need to use TLS (or SSL) protocol settings to communicate with a server or a client will be negatively impacted by outdated versions of .NET.
Sometimes the problem might not be obvious, but a review of the log files for SCCM or an app might tell you that you need to upgrade to a newer version of .NET. Or, you might find that an error message suggests that there was a general network issue such as, “The underlying connection was closed. An unexpected error occurred on a receive.”
If the problem is with .NET applications, you need to upgrade to the minimum .NET version listed below.
Please note that .NET 4.5 was included with Windows 8 and Windows Server 2012.
.NET 4.5 (or later) natively supports TLS 1.2, so there is nothing further you need to do. Remember, however, that the application must support .NET 4.5. If it doesn’t or if you are unsure, it is best to apply the .NET 3.5 software update and registry keys listed within the KBs. The app vendor or developer should be able to help out with supported versions of .NET.
With .NET 3.5 there are a number of updates that are required, so you’ll need to apply the KBs listed above.