
App Control: Enabling TLS 1.2 on a Protection Server

Environment

App Control Server: 7.2.x, 8.x

Objective

Outline the steps needed to enable TLS 1.2 on App Control servers so that they can continue to connect to the Carbon Black Collective Defense Cloud (CDC).

Resolution

Windows changes

  1. Every Windows version that App Control supports can speak TLS 1.2, but not all of them have it enabled for client connections out of the box. This Microsoft article describes the OS changes needed before a server can negotiate TLS 1.2 if it is not already configured to do so: https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-windows-and-wi...
  2. This article describes the additional SCHANNEL registry changes that may be required (the keys live under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols): https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#configuring-schannel-proto...
    • Make sure the TLS 1.2 key is present and that, on its Client subkey, DisabledByDefault is set to (DWORD)0 and Enabled is set to (DWORD)1.
    • If the SSL 2.0, SSL 3.0 or TLS 1.0 keys are present, make sure that, on their Client subkeys, DisabledByDefault is set to (DWORD)1.
  3. Because the Reporter is built on .NET, it is also necessary to tell the .NET Framework that we expect to communicate via TLS 1.2 (otherwise .NET 4.5 and earlier default to pre-TLS-1.2 protocols regardless of the SCHANNEL settings). This article describes how to do that: https://docs.microsoft.com/en-us/sccm/core/plan-design/security/enable-tls-1-2#update-net-framework-...
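The following PowerShell script is an added example that applies the three Windows steps above and then verifies the result; it is not Carbon Black code. The SCHANNEL path and the .NET values (SystemDefaultTlsVersions and SchUseStrongCrypto under the v4.0.30319 keys) are the ones documented in the linked Microsoft articles. The host name passed to the handshake test is a placeholder; substitute the CDC endpoint from your own App Control Server configuration.

```powershell
# Added example (not Carbon Black code): apply the three Windows steps above and verify
# the result. Run in an elevated PowerShell. SCHANNEL changes take effect after a reboot.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelClientProtocol {
    # Step 2: create or adjust the Client subkey for one protocol.
    #   without -Disable : DisabledByDefault=0, Enabled=1   (TLS 1.2)
    #   with    -Disable : DisabledByDefault=1              (SSL 2.0, SSL 3.0, TLS 1.0)
    # The article only asks for DisabledByDefault=1 on keys that already exist; this
    # function also creates the key so the intent is explicit. Set Enabled=0 as well if
    # you want the protocol hard-disabled rather than merely not offered by default.
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,   # e.g. 'TLS 1.2'
        [switch]$Disable
    )
    $key = Join-Path $SchannelRoot "$Protocol\Client"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    if ($Disable) {
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -Type DWord
    } else {
        Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -Type DWord
    }
}

function Set-DotNetUseSystemTls {
    # Step 3: make .NET Framework 4.x follow the OS SCHANNEL defaults (now TLS 1.2)
    # instead of its own pre-TLS-1.2 defaults. Both the native and Wow6432Node hives are
    # set because a .NET component such as the Reporter may run as a 32-bit process.
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (-not (Test-Path $hive)) { New-Item -Path $hive -Force | Out-Null }
        Set-ItemProperty -Path $hive -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
        Set-ItemProperty -Path $hive -Name 'SchUseStrongCrypto'       -Value 1 -Type DWord
    }
}

function Get-SchannelClientState {
    # Audit: one row per protocol. TLS 1.1 is listed for visibility only; the steps
    # above do not change it.
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key   = Join-Path $SchannelRoot "$p\Client"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $p
            KeyPresent        = [bool]$props
            Enabled           = if ($props) { $props.Enabled } else { $null }
            DisabledByDefault = if ($props) { $props.DisabledByDefault } else { $null }
        }
    }
}

function Test-Tls12Handshake {
    # Check: force a TLS 1.2-only handshake with a remote host through the Windows
    # SCHANNEL stack. Success shows the OS can negotiate TLS 1.2; the Reporter additionally
    # depends on the .NET values written by Set-DotNetUseSystemTls.
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol
            Cipher   = $ssl.CipherAlgorithm
            Issuer   = $ssl.RemoteCertificate.Issuer
        }
    } finally {
        $tcp.Close()
    }
}

# Usage (elevated). Reboot before re-running the audit and the handshake test.
Get-SchannelClientState | Format-Table -AutoSize
Set-SchannelClientProtocol -Protocol 'TLS 1.2'
foreach ($old in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0') { Set-SchannelClientProtocol -Protocol $old -Disable }
Set-DotNetUseSystemTls
Get-SchannelClientState | Format-Table -AutoSize
# Placeholder host: substitute the CDC endpoint from your App Control Server configuration.
Test-Tls12Handshake -HostName 'cdc.example.invalid'
```

Run the audit once before and once after the reboot so you have a record of the original SCHANNEL state; if the handshake test fails with a "could not establish trust" or "handshake failed" error after the reboot, check the Client subkeys rather than the Server subkeys, since the App Control Server is the TLS client in the CDC connection.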

SQL changes

Enabling TLS 1.2 sometimes goes hand in hand with disabling the less-secure protocols (SSL 2.0, SSL 3.0, TLS 1.0). Be careful on the database side: SQL Server uses TLS for its login handshake even when session encryption is off, and fresh installs of SQL Server did not support TLS 1.2 until SQL Server 2014, so disabling the older protocols on a host whose SQL Server build (or SQL client driver) cannot negotiate TLS 1.2 will leave the App Control Server or Reporter unable to talk to SQL Server. Confirm that the SQL Server build supports TLS 1.2, applying Microsoft's TLS 1.2 update for that version if necessary, before turning the older protocols off.
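As an added check that is not part of the original article, the PowerShell function below opens a connection to SQL Server from the App Control Server the way the Server and Reporter do (through System.Data.SqlClient with Windows authentication) and reports the build and whether the session is encrypted. Run it after the SCHANNEL changes and reboot; a pre-login handshake failure at that point means the SQL Server build or client driver cannot negotiate TLS 1.2. The server and database names are placeholder defaults.

```powershell
# Added example (not Carbon Black code): confirm SQL connectivity after SCHANNEL changes.
function Test-AppControlSqlTls {
    param(
        [string]$Server   = 'localhost',   # assumption: default instance on the App Control Server
        [string]$Database = 'master'       # any database the service account can reach
    )
    Add-Type -AssemblyName System.Data
    # Encrypt=False still exercises TLS: SQL Server always encrypts the login packet.
    $cs   = "Server=$Server;Database=$Database;Integrated Security=True;Encrypt=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32)) AS ProductLevel,
       (SELECT encrypt_option FROM sys.dm_exec_connections
         WHERE session_id = @@SPID)                            AS EncryptOption
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            [pscustomobject]@{
                Server         = $Server
                ProductVersion = $reader['ProductVersion']   # e.g. 12.x = SQL Server 2014
                ProductLevel   = $reader['ProductLevel']     # RTM / SPn
                EncryptOption  = $reader['EncryptOption']    # TRUE when the session is encrypted
            }
        }
        $reader.Close()
    } catch {
        Write-Warning "SQL connection failed: $($_.Exception.Message)"
        Write-Warning ("A pre-login handshake failure after disabling older protocols usually " +
                       "means the SQL Server build or the client driver cannot negotiate TLS 1.2.")
        $false
    } finally {
        $conn.Dispose()
    }
}

Test-AppControlSqlTls
```

If the check fails, re-enable TLS 1.0 on the Client subkey (DisabledByDefault back to 0) to restore service, then patch SQL Server before retrying; do not leave the App Control Server unable to reach its database.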


Additional Notes

  • The Carbon Black Collective Defense Cloud (CDC), which provides file trust and threat information and allows automatic updates of certain rules, requires a TLS 1.2 connection from the CB Protection (App Control) Server. If you intend to connect to the CDC, use .NET 4.6 or later. Earlier versions of .NET default to pre-TLS-1.2 protocols, which prevents a CDC connection unless you disable those older protocols or configure .NET to follow the system defaults as described in the Windows changes above.
  • Disabling older TLS/SSL protocols can break connections from your App Control Server to other services that still depend on them (SQL Server, proxies, mail or directory servers). Inventory those dependencies before disabling anything.

Article Information
Creation Date: 09-09-2020