IIS Server hardening guidelines
Synergetic databases and applications require adequate security configuration through multiple layers of the environment. The objective of this document is to provide guidelines for hardening a Microsoft Internet Information Services (IIS) server.
Whilst all care has been taken in preparing this guide, Education Horizons Group does not warrant that the contents of this guide (i.e. information, recommendations, opinions or conclusions contained in this guide (“Information”)) is accurate, reliable, complete or current. The Information does not purport to contain all matters relevant to the usage of Synergetic software. The Information has been prepared on the basis of circumstances and technology current as at the date of the report and care should be taken by the School to determine if circumstances have changed in a manner which would affect the Information. To the extent permissible by law, Education Horizons Group shall not be liable for any errors, omissions, defects or misrepresentations in the Information or for any loss or damage suffered by persons who use or rely on such Information (including by reasons of negligence, negligent misstatement or otherwise). If any law prohibits the exclusion of such liability, Synergetic limits its liability to the re-supply of the Information, provided that such limitation is permitted by law and is fair and reasonable.
The recommendations herein provided are based on the Center for Internet Security (CIS) hardening guides and benchmarks for IIS 10 running on Windows Server 2016 or above. Each recommendation should be considered with reference to the specific environment requirements. Changes may result in web applications not functioning as expected, particularly where their configuration differs from the base products.
A server level backup as well as a backup of the individual configuration files should be taken prior to making any changes.
The server will need to be rebooted after the changes have been made.
All commands supplied are to be run in an elevated command prompt or an elevated Windows PowerShell 5.x session (the WebAdministration cmdlets used below are Windows PowerShell cmdlets), as indicated for each step.
Basic configurations
Ensure web content is on a non-system partition
Web resources published through IIS are mapped, via virtual directories, to physical locations on disk. CIS recommends mapping all virtual directories to a non-system disk volume. This reduces the risk of system failure if the volume fills up, and keeps web content separate from operating system files.
Audit
In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd list vdir
Remediation
See the guide at https://domainwebcenter.com/move-inetpub-directory/ . This is offered as a guide only. Note that all scripts and commands in that guide move the content to the "X" drive; substitute the drive letter used in your environment. Moving the files will require taking ownership of the folders.
Change application mappings and virtual directories to reflect the new location
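As an added example (not code from the Synergetic guide), the following Windows PowerShell script lists every virtual directory with its physical path and flags the ones still on the system drive, using the Microsoft.Web.Administration API that ships with IIS. It assumes IIS is installed locally and the session is elevated; the drive check is a plain prefix comparison, so UNC paths are reported as not being on the system drive.

```powershell
# Added example: find virtual directories whose content still lives on the system volume.
# Uses Microsoft.Web.Administration (installed with IIS); run in an elevated Windows PowerShell 5.x session.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
$mgr = New-Object Microsoft.Web.Administration.ServerManager
$systemDrive = $env:SystemDrive   # e.g. C:

$vdirs = foreach ($site in $mgr.Sites) {
    foreach ($app in $site.Applications) {
        foreach ($vdir in $app.VirtualDirectories) {
            # physicalPath may contain %SystemDrive% or similar, so expand it before comparing
            $physical = [Environment]::ExpandEnvironmentVariables($vdir.PhysicalPath)
            [pscustomobject]@{
                Site          = $site.Name
                Path          = $app.Path.TrimEnd('/') + $vdir.Path
                PhysicalPath  = $physical
                OnSystemDrive = $physical.StartsWith($systemDrive, [StringComparison]::OrdinalIgnoreCase)
            }
        }
    }
}

$vdirs | Format-Table -AutoSize

$onSystem = @($vdirs | Where-Object { $_.OnSystemDrive })
if ($onSystem.Count -gt 0) {
    Write-Warning "$($onSystem.Count) virtual director(ies) still map to $systemDrive and should be moved:"
    $onSystem | ForEach-Object { Write-Warning "  $($_.Site)$($_.Path) -> $($_.PhysicalPath)" }
}
$mgr.Dispose()
```

After moving the content, update each flagged mapping (for example with appcmd set vdir, or Set-ItemProperty on the IIS:\Sites path with -Name physicalPath) and re-run the script until nothing is flagged.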
Ensure 'host headers' are on all sites
For all non-HTTPS sites, set host headers so that each site only answers requests addressed to its own host name.
Not applicable to Synergetic sites, which should all be HTTPS.
Ensure 'directory browsing' is set to disabled
On a production server, directory browsing should be disabled at the server level.
Audit
In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd list config /section:directoryBrowse
If disabled, the response is:
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
Remediation
In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false
Ensure 'application pool identity' is configured for all application pools
Setting application pools to use unique least-privilege identities such as ApplicationPoolIdentity reduces the potential harm the identity could cause should the application ever become compromised.
Audit
- Open IIS Manager
- Open the Application Pools node underneath the machine node; select Application Pool to be verified
- Right click the Application Pool and select Advanced Settings…
- Under the Process Model section, locate the Identity option and ensure that it is set to ApplicationPoolIdentity
Ensure 'unique application pools' is set for sites
Application pools can run under unique accounts without the need to create and manage local or domain accounts. It is recommended that all sites run under unique, dedicated application pools.
Note: the Synweb application pool is shared between Synweb and Builder. Builder is a sub-site of Synweb and needs to run in the same application pool.
Audit
In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd list app
Each site should have its own unique application pool. Synweb and Builder share an application pool. This is by design.
Remediation
Create a unique application pool per application and assign them to the application.
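The two application pool checks above (identity and uniqueness) can be done in one pass. The script below is an added example, not code from the Synergetic guide: it uses the Microsoft.Web.Administration API that ships with IIS to list every application, its pool and the pool identity, warns on pools that are not ApplicationPoolIdentity and on pools shared by more than one application, and includes a remediation function for the identity. The pool name 'Synweb' in the allow-list is an assumption taken from the note above; change it to the name used on your server.

```powershell
# Added example: one pass over every application, its pool and the pool's identity.
# Uses Microsoft.Web.Administration (installed with IIS); run elevated in Windows PowerShell 5.x.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
$mgr = New-Object Microsoft.Web.Administration.ServerManager

# Pools shared by design. 'Synweb' (shared by Synweb and Builder per this guide) is an assumed
# pool name; change it to the name actually used on your server.
$sharedByDesign = @('Synweb')

$records = foreach ($site in $mgr.Sites) {
    foreach ($app in $site.Applications) {
        $pool     = $mgr.ApplicationPools[$app.ApplicationPoolName]
        $identity = if ($pool) { $pool.ProcessModel.IdentityType.ToString() } else { 'MISSING POOL' }
        $user     = if ($pool) { $pool.ProcessModel.UserName } else { '' }
        [pscustomobject]@{ Site = $site.Name; App = $app.Path; Pool = $app.ApplicationPoolName; Identity = $identity; User = $user }
    }
}
$records | Format-Table -AutoSize

# Finding 1: pools not running as the per-pool virtual account. SpecificUser, LocalSystem and
# NetworkService all give a compromised application more reach than ApplicationPoolIdentity.
$records | Where-Object { $_.Identity -ne 'ApplicationPoolIdentity' } | ForEach-Object {
    Write-Warning "Pool '$($_.Pool)' ($($_.Site)$($_.App)) runs as $($_.Identity) $($_.User)"
}

# Finding 2: pools hosting more than one application, unless shared by design
$records | Group-Object Pool | Where-Object { $_.Count -gt 1 -and $sharedByDesign -notcontains $_.Name } | ForEach-Object {
    $users = ($_.Group | ForEach-Object { "$($_.Site)$($_.App)" }) -join ', '
    Write-Warning "Pool '$($_.Name)' is shared by: $users"
}

# Remediation for finding 1: switch a pool back to ApplicationPoolIdentity and recycle it.
function Set-PoolIdentityToVirtualAccount {
    param([Parameter(Mandatory)][string]$PoolName)
    $pool = $mgr.ApplicationPools[$PoolName]
    if (-not $pool) { throw "No application pool named '$PoolName'" }
    $pool.ProcessModel.IdentityType = [Microsoft.Web.Administration.ProcessModelIdentityType]::ApplicationPoolIdentity
    $pool.ProcessModel.UserName = ''
    $pool.ProcessModel.Password = ''
    $mgr.CommitChanges()
    $pool.Recycle() | Out-Null
}
# Example: Set-PoolIdentityToVirtualAccount -PoolName 'DefaultAppPool'
```

When a pool is moved to ApplicationPoolIdentity, any NTFS or SQL permissions that were granted to the old account must be re-granted to the virtual account IIS AppPool\<pool name>, otherwise the application will start failing with access-denied errors after the recycle.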
Ensure 'application pool identity' is configured for anonymous user identity
Configure the anonymous user identity to use the application pool identity, so that anonymous requests run with the same least-privilege account as the pool rather than a separate, shared account.
Audit
Open the file %systemroot%\system32\inetsrv\config\applicationHost.config in an elevated editor such as Notepad or Notepad++. Verify that the userName attribute of the anonymousAuthentication tag is a blank string (the installation default is IUSR):
<system.webServer>
<security>
<authentication>
<anonymousAuthentication userName="" />
</authentication>
</security>
</system.webServer>
Remediation
For the server, and each application on the server:
- Open the IIS Manager GUI and navigate to the desired server, site, or application
- In Features View, find and double-click the Authentication icon
- Select the Anonymous Authentication option and in the Actions pane select Edit...
- Choose Application pool identity in the dialog and then press the OK button
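The audit and remediation above can be scripted. The following is an added example (not from the Synergetic guide) that reads the anonymousAuthentication section at the server level and in each site's location override of applicationHost.config through Microsoft.Web.Administration, reports any explicit user, and optionally blanks it. It assumes a local IIS install and an elevated Windows PowerShell session; $Remediate is an assumed switch you set yourself.

```powershell
# Added example: audit (and optionally fix) the anonymous user for the server and every site.
Add-Type -Path "$env:windir\System32\inetsrv\Microsoft.Web.Administration.dll"
$mgr         = New-Object Microsoft.Web.Administration.ServerManager
$config      = $mgr.GetApplicationHostConfiguration()
$sectionPath = 'system.webServer/security/authentication/anonymousAuthentication'
$Remediate   = $false   # set to $true to blank any explicit userName and commit

# '' = the server-wide default; each site name = that site's <location> override
$scopes = @('') + @($mgr.Sites | ForEach-Object { $_.Name })
foreach ($scope in $scopes) {
    $section = if ($scope) { $config.GetSection($sectionPath, $scope) } else { $config.GetSection($sectionPath) }
    $label   = if ($scope) { "site '$scope'" } else { 'server default' }
    $user    = [string]$section['userName']

    if ($user -eq '') {
        "$label : anonymous requests run as the application pool identity (OK)"
        continue
    }
    Write-Warning "$label : anonymous requests run as explicit user '$user'"
    if ($Remediate) {
        # blank user and password = "Application pool identity" in IIS Manager
        $section['userName'] = ''
        $section['password'] = ''
    }
}
if ($Remediate) { $mgr.CommitChanges(); 'Committed anonymousAuthentication changes' }
$mgr.Dispose()
```

Blanking the user means anonymous requests are served under IIS AppPool\<pool name>. Content folders that only granted read access to IUSR (or the IIS_IUSRS group) must grant it to the pool's virtual account as well, or anonymous requests will start returning 401/403.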
Ensure WebDav feature is not installed
WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server. This functionality is available in IIS when the WebDAV feature is enabled.
Audit
Examine the installed IIS role services (Web Server (IIS) > Web Server > Common HTTP Features) and confirm that WebDAV Publishing is not installed.
Remediation
Remove the WebDAV Publishing role service.
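As an added example (not from the Synergetic guide), the following checks the role service and the IIS module registration from an elevated Windows PowerShell session on the server, and removes the role service if it is present. Get-WindowsFeature and Uninstall-WindowsFeature come from the ServerManager module that is present on Windows Server.

```powershell
# Added example: confirm WebDAV Publishing is absent, remove it if present, and check the module list.
Import-Module ServerManager
Import-Module WebAdministration

$feature = Get-WindowsFeature -Name Web-DAV-Publishing
if ($feature.Installed) {
    Write-Warning 'WebDAV Publishing is installed; removing it'
    $result = Uninstall-WindowsFeature -Name Web-DAV-Publishing
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'A restart is needed to complete the removal' }
} else {
    'WebDAV Publishing role service is not installed (OK)'
}

# Belt and braces: even with the role service gone, make sure no WebDAV module is still
# registered in applicationHost.config (a leftover would fail to load but signals a dirty config)
$module = Get-WebGlobalModule -Name WebDAVModule -ErrorAction SilentlyContinue
if ($module) { Write-Warning 'WebDAVModule is still registered as a global module' }
else         { 'WebDAVModule is not registered (OK)' }
```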
Configure Authentication and Authorization
Ensure 'forms authentication' require SSL and use cookies
Forms-based authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL/TLS.
Note: Synergetic products do not use forms authentication.
Audit
In elevated command prompt run %systemroot%\system32\inetsrv\appcmd list config -section:system.web/authentication
Verify that the forms tag has requireSSL="true", cookieless="UseCookies" and protection="All":
<system.web>
<authentication>
<forms cookieless="UseCookies" protection="All" requireSSL="true" />
</authentication>
</system.web>
Remediation
For the server, and every application that uses forms authentication
- Open IIS Manager and navigate to the appropriate tier
- In Features View, double-click Authentication
- On the Authentication page, select Forms Authentication
- In the Actions pane, click Edit
- In the cookie settings section
- set mode to ‘Use cookies’
- set protection mode to ‘Encryption and validation’. If it was already set, change to none, then change back to ‘Encryption and validation’ to force the change
- check ‘Requires SSL’
- click OK
Ensure transport layer security for 'basic authentication' is configured
Basic Authentication passes credentials across the network Base64-encoded, which is effectively clear text. It is therefore imperative that the traffic between client and server be encrypted.
Note: Synergetic does not (by default) use Basic authentication. However, some sites may have added this option for local operational reasons.
Audit
For each website and web application run the following command, replacing the <website name> parameter. In elevated PowerShell run: Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website name>' -filter 'system.webServer/security/access' -name 'sslFlags'
The value should include Ssl (numeric value 8), which means SSL is required for the site. A value of None (0) means the site also accepts plain HTTP, so Basic credentials could be sent unencrypted.
Remediation
- Open IIS Manager
- In the Connections pane on the left, select the server to be configured
- In the Connections pane, expand the server, then expand Sites and select the site to be configured
- In the Actions pane, click Bindings; the Site Bindings dialog appears
- If an HTTPS binding is available, click Close and see below "To require SSL"
- If no HTTPS binding is visible, perform the following steps
To add an HTTPS binding:
- In the Site Bindings dialog, click Add; the Add Site Binding dialog appears
- Under Type, select https
- Under SSL certificate, select an X.509 certificate
- Click OK, then close
To require SSL:
- In Features View, double-click SSL Settings
- On the SSL Settings page, select Require SSL.
- In the Actions pane, click Apply
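The per-site audit above can be automated. This is an added example, not code from the Synergetic guide: for every site it checks whether an HTTPS binding exists, whether SSL is required (the Ssl bit of sslFlags), and whether Basic authentication is enabled, and can set Require SSL where a binding already exists. It uses the WebAdministration module in an elevated Windows PowerShell session; $Remediate is an assumed switch you set yourself. Because Synergetic sites should all be HTTPS, the check is useful even where Basic authentication is not in use.

```powershell
# Added example: per-site check of HTTPS binding, Require SSL and Basic authentication state.
Import-Module WebAdministration
$Remediate = $false   # $true = set Require SSL on sites that already have an HTTPS binding
$psPath    = 'MACHINE/WEBROOT/APPHOST'

function Get-SiteSetting {
    param([string]$SiteName, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -pspath $psPath -location $SiteName -filter $Filter -name $Name
    # simple attributes come back as plain values; enum/flag attributes as ConfigurationAttribute objects
    if ($v -is [string] -or $v -is [bool]) { $v } elseif ($null -ne $v) { $v.Value } else { $null }
}

foreach ($site in Get-Website) {
    $name  = $site.Name
    $https = @(Get-WebBinding -Name $name -Protocol https)

    # sslFlags may be reported by name ("Ssl, SslNegotiateCert") or by number; the Ssl bit is 8
    $flags      = [string](Get-SiteSetting $name 'system.webServer/security/access' 'sslFlags')
    $requireSsl = if ($flags -match '^\d+$') { ([int64]$flags -band 8) -ne 0 } else { $flags -match '\bSsl\b' }

    $basic   = Get-SiteSetting $name 'system.webServer/security/authentication/basicAuthentication' 'enabled'
    $basicOn = ("$basic" -eq 'True')

    if ($https.Count -eq 0) {
        Write-Warning "$name : no HTTPS binding. Add one (New-WebBinding -Name '$name' -Protocol https -Port 443) and assign a certificate before requiring SSL."
        if ($basicOn) { Write-Warning "$name : Basic authentication is enabled without any HTTPS binding; credentials cross the network unprotected" }
        continue
    }
    if ($requireSsl) { "$name : HTTPS binding present and SSL required (OK)"; continue }

    Write-Warning "$name : HTTPS binding present but SSL is not required (sslFlags='$flags')$(if ($basicOn) { '; Basic authentication is enabled' })"
    if ($Remediate) {
        # 'Ssl' replaces the whole flag set; if client certificates are in use, combine e.g. 'Ssl,SslNegotiateCert'
        Set-WebConfigurationProperty -pspath $psPath -location $name -filter 'system.webServer/security/access' -name 'sslFlags' -value 'Ssl'
        "$name : Require SSL set"
    }
}
```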
Ensure 'passwordFormat' is not set to clear
The credentials element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms based authentication also uses these elements to define users. IIS Manager Users can use the administration interface to connect to sites and applications in which they have been granted authorization. Note that the element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1. Note that the SHA1 and MD5 formats are unsalted hashes, so credentials stored this way remain weak; treat this setting as a minimum, not as a secure credential store.
Audit
For each website and web application run the following command, replacing the <website name> parameter. In elevated PowerShell run: Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name 'passwordFormat'
Remediation
Authentication mode is configurable at the machine.config, root-level web.config, or application-level web.config:
- Locate and open the configuration file where the credentials are stored
- Find the <credentials> element
- If present, ensure passwordFormat is not set to Clear; change passwordFormat to SHA1
The clear text passwords will need to be replaced with the appropriate hashed version.
ASP.NET configuration recommendations
Enable HTTP Strict Transport Security
The HTTP Strict-Transport-Security response header instructs browsers to access the website solely over HTTPS for the stated period. This mitigates the risk of communication being intercepted or downgraded to plain HTTP.
Remediation
- In IIS configuration manager, select the server
- Navigate to HTTP Response Headers
- In the Response Headers choose Add
- Enter the values:
- Name: Strict-Transport-Security
- Value: max-age=63072000; includeSubDomains; preload
This sets HTTP Strict Transport Security with a maximum age of two years (63072000 seconds).
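The same header can be added from PowerShell and then verified. This is an added example, not code from the Synergetic guide: it writes the header at the server level in applicationHost.config using the WebAdministration module (updating it if already present) and checks a live response. The host name passed to Test-Hsts is an assumption you supply; the session must be elevated and the site must be reachable over HTTPS with a certificate the machine trusts.

```powershell
# Added example: set the Strict-Transport-Security header server-wide and verify it on a live response.
Import-Module WebAdministration
$psPath   = 'MACHINE/WEBROOT/APPHOST'
$headers  = 'system.webServer/httpProtocol/customHeaders'
$hstsName = 'Strict-Transport-Security'
# Value from this guide. 'preload' asks browser vendors to hard-code HTTPS for the domain and all
# subdomains, which is very hard to undo; drop it until every subdomain is confirmed HTTPS-only.
$hstsValue = 'max-age=63072000; includeSubDomains; preload'

$existing = Get-WebConfigurationProperty -pspath $psPath -filter "$headers/add[@name='$hstsName']" -name 'value' -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Add-WebConfigurationProperty -pspath $psPath -filter $headers -name '.' -value @{ name = $hstsName; value = $hstsValue }
    "Added $hstsName header"
} else {
    Set-WebConfigurationProperty -pspath $psPath -filter "$headers/add[@name='$hstsName']" -name 'value' -value $hstsValue
    "Updated $hstsName header"
}

function Test-Hsts {
    param([Parameter(Mandatory)][string]$HostName)   # assumption: the site's public host name
    $r = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing
    $h = $r.Headers[$hstsName]
    $ok = $false
    if (-not $h) {
        Write-Warning "No $hstsName header on https://$HostName/"
    } elseif ($h -notmatch 'max-age=(\d+)' -or [int64]$Matches[1] -lt 31536000) {
        Write-Warning "HSTS max-age is below one year: $h"   # preload lists require at least 31536000
    } else {
        $ok = $true
    }
    [pscustomobject]@{ Host = $HostName; Header = $h; Ok = $ok }
}
# Example: Test-Hsts -HostName 'synweb.example.edu'
```

A custom header is also emitted on plain-HTTP responses; browsers ignore HSTS received over HTTP, so this is harmless, but on IIS 10 version 1709 and later the per-site hsts element (enabled, max-age, includeSubDomains, redirectHttpToHttps) sends the header only over HTTPS and can redirect HTTP to HTTPS in the same step.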
Consider setting 'deployment method retail'
The retail deployment switch is intended for production IIS servers. It helps applications run with the best possible performance and the least possible leakage of security information by disabling the application's ability to generate trace output on a page, disabling detailed error messages to end users, and disabling the debug switch.
Note: Setting this switch will impact all applications using that version of the .NET framework. This may have undesired effects.
Remediation
The retail deployment setting is configured in the machine.config file:
- Open the machine.config file located in %systemroot%\Microsoft.NET\Framework\<framework version>\CONFIG
- Add the line <deployment retail="true" /> within the <system.web> section
- On 64-bit systems, do the same for the machine.config located in %systemroot%\Microsoft.NET\Framework64\<framework version>\CONFIG
Ensure 'debug' is turned off
This is a defence in depth recommendation: the retail deployment setting in machine.config already overrides any debug settings, but it is recommended that debugging still be turned off explicitly.
Audit
- In IIS Manager browse to the server and each web application
- In Features View, double click .NET Compilation
- In the behaviour section, ensure Debug is set to false
Remediation
Set debug to false for each application and the server
Disable compilation debugging
This is a defence in depth strategy. On a production server, debug information should not be returned to clients.
This setting is managed in the machine.config file and in each application's web.config file.
Audit
- Open the relevant config file.
- Navigate to the xml node of compilation in the system.web node
- There may be other attributes in the tag
If the debug attribute is set to true then debugging is enabled. (If the attribute is absent the default is false, but setting it explicitly removes any ambiguity.)
Remediation
Add the debug attribute or set it to false.
The machine.config may not have the compilation tag. In this case add <compilation debug="false" /> in the system.web node
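The three machine.config edits above (retail deployment and the debug attribute) can be applied consistently to every framework copy. The script below is an added example, not code from the Synergetic guide: it finds the 32-bit and 64-bit machine.config files for .NET 2.0 and 4.x, reports what it would change, and with $Apply set backs each file up and writes <deployment retail="true" /> and <compilation debug="false" /> under system.web. It must run elevated; $Apply is an assumed switch you set yourself.

```powershell
# Added example: enforce <deployment retail="true"/> and <compilation debug="false"/> in every machine.config.
$Apply = $false   # $false = report only; $true = back up and edit the files

$targets = foreach ($arch in 'Framework', 'Framework64') {
    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        $p = Join-Path $env:windir "Microsoft.NET\$arch\$ver\CONFIG\machine.config"
        if (Test-Path $p) { $p }
    }
}

$wanted = @(
    @{ Element = 'deployment';  Attr = 'retail'; Want = 'true'  },
    @{ Element = 'compilation'; Attr = 'debug';  Want = 'false' }
)

foreach ($path in $targets) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's layout and comments intact
    $xml.Load($path)

    $sysWeb = $xml.SelectSingleNode('/configuration/system.web')
    if (-not $sysWeb) { $sysWeb = $xml.DocumentElement.AppendChild($xml.CreateElement('system.web')) }

    $changed = $false
    foreach ($w in $wanted) {
        $node = $sysWeb.SelectSingleNode($w.Element)
        if (-not $node) { $node = $sysWeb.AppendChild($xml.CreateElement($w.Element)) }
        $current = $node.GetAttribute($w.Attr)   # '' when the attribute is absent
        if ($current -ine $w.Want) {
            "$path : <$($w.Element) $($w.Attr)='$current'> -> '$($w.Want)'"
            $node.SetAttribute($w.Attr, $w.Want)
            $changed = $true
        }
    }

    if (-not $changed) { "$path : already compliant" }
    elseif ($Apply) {
        Copy-Item -Path $path -Destination "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        $xml.Save($path)
        "$path : updated"
    }
}
```

As the note above says, this affects every application on that framework version; test the applications afterwards. The effective machine-level value can be read back with Get-WebConfigurationProperty -pspath 'MACHINE' -filter 'system.web/deployment' -name 'retail'.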
Ensure custom error messages are not off
When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether the application should display a friendly message to the client, a detailed error message to the client, or a detailed error message to localhost only. The customErrors tag in the web.config has three modes:
- On: custom errors are enabled. If no defaultRedirect attribute is specified, users see a generic error. Custom errors are shown to remote clients and to the local host.
- Off: custom errors are disabled. Detailed ASP.NET errors are shown to remote clients and to the local host.
- RemoteOnly: custom errors are shown only to remote clients, and detailed ASP.NET errors are shown to the local host. This is the default value.
This is a defence in depth recommendation: the retail deployment setting in machine.config already overrides a customErrors mode of Off, but it is recommended that customErrors still be set to On or RemoteOnly.
Audit
Both the inetpub folder and the IIS server configuration folder should be checked. In elevated PowerShell run the commands:
Get-ChildItem -Path "<Inetpub folder location>" -Filter *.config -recurse | select-string -Pattern '<customerror'
Get-ChildItem -Path "$ENV:SystemRoot\system32\inetsrv" -Filter *.config -recurse | select-string -Pattern '<customerror'
This lists every customErrors element found in those configuration files. Verify that none of them has mode="Off".
Remediation
In IIS Manager, for the server and each application:
- In Features View, double-click .NET Error Pages
- In the Actions pane, click Edit Feature Settings
- In the dialog, choose On or Remote Only for the mode
- Click OK
Ensure IIS HTTP detailed errors are hidden from displaying remotely
A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users.
Each of the Synergetic applications uses different settings for the error pages. For those that have pages defined, the setting should be 'Custom error pages'. For those that do not have custom error pages defined (that is, either blank, or all set to \inetpub\custerr\<LANGUAGE-TAG>\), the setting should be 'Detailed errors for local requests and custom error pages for remote requests'.
Audit
For the server and each web site, in IIS configuration manager
- In the feature view double click Error Pages
- In the actions pane, click Edit Feature Settings
- Verify the setting is correct for the site
Remediation
Set the custom error level appropriate to the site. By default, the log path is blank, but can be used to specify the location of a log file that will record the errors.
Ensure ASP.NET stack tracing is not enabled
The trace element configures the ASP.NET code tracing service that controls how trace results are gathered, stored, and displayed. When tracing is enabled, each page request generates trace messages that can be appended to the page output or stored in an application trace log.
This is a defence in depth recommendation: the retail deployment setting in machine.config already overrides any ASP.NET tracing that has been left on, but it is recommended that ASP.NET tracing still be turned off explicitly.
Audit
Tracing is configurable at numerous levels:
- machine.config, by default in %systemroot%\Microsoft.NET\Framework\[version]\config\machine.config or %systemroot%\Microsoft.NET\Framework64\[version]\config\machine.config
- Root-level web.config, by default in the inetpub folder
- Application-level web.config, by default in the root folder of the application
- Virtual or physical directory-level web.config
- Individual ASP.NET page level
Note: application- and directory-level config files only exist if the default configuration for the application has been changed.
Verify ASP.NET tracing is not turned on per page: ensure no page directive contains the attribute
Trace="true"
At the application level, ensure the web.config does not enable tracing like this:
<configuration>
<system.web>
<trace enabled="true" />
</system.web>
</configuration>
Remediation
- Ensure <deployment retail="true" /> is enabled in the machine.config
- Remove all references to ASP.NET tracing by deleting the trace element from configuration files and the Trace attribute from page directives
Per Page:
- Remove any references to:
Trace="true"
Per Application:
<configuration>
<system.web>
<trace enabled="true">
</system.web>
</configuration>
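The grep-style audits in the custom errors, debug and tracing sections above can miss variants (different attribute order, comments, case) and cannot tell an enabled setting from a disabled one. The script below is an added example, not code from the Synergetic guide: it parses every web.config under the content root as XML and reports customErrors mode="Off", compilation debug="true", trace enabled="true" and forms credentials stored with passwordFormat="Clear", then scans .aspx/.ascx/.master files for page-level Trace="true". The content root C:\inetpub is an assumption; point it at the non-system volume you moved the content to.

```powershell
# Added example: parse every web.config (and page directive) for insecure ASP.NET error/debug/trace settings.
$ContentRoot = 'C:\inetpub'   # assumption: the folder holding your sites, e.g. X:\inetpub after the move
$findings = New-Object System.Collections.Generic.List[string]

# Each web.config can set these; the innermost file wins, so every file must be checked.
$checks = @(
    @{ XPath = 'customErrors';                     Attr = 'mode';           Bad = 'Off';   Why = 'detailed ASP.NET errors are sent to remote clients' },
    @{ XPath = 'compilation';                      Attr = 'debug';          Bad = 'true';  Why = 'debug compilation; richer error output, no batch/timeout limits' },
    @{ XPath = 'trace';                            Attr = 'enabled';        Bad = 'true';  Why = 'ASP.NET tracing enabled (trace.axd / page trace output)' },
    @{ XPath = 'authentication/forms/credentials'; Attr = 'passwordFormat'; Bad = 'Clear'; Why = 'forms credentials stored in clear text' }
)

foreach ($file in Get-ChildItem -Path $ContentRoot -Filter web.config -Recurse -File -ErrorAction SilentlyContinue) {
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($file.FullName) }
    catch { $findings.Add("$($file.FullName): not well-formed XML, review manually"); continue }

    $sysWeb = $xml.SelectSingleNode('/configuration/system.web')
    if (-not $sysWeb) { continue }

    foreach ($c in $checks) {
        $node = $sysWeb.SelectSingleNode($c.XPath)
        if ($node -and $node.GetAttribute($c.Attr) -ieq $c.Bad) {
            $findings.Add("$($file.FullName): <$($c.XPath) $($c.Attr)=""$($c.Bad)""> ($($c.Why))")
        }
    }
}

# Page-level override: <%@ Page ... Trace="true" %> enables tracing regardless of web.config
foreach ($page in Get-ChildItem -Path $ContentRoot -Include *.aspx, *.ascx, *.master -Recurse -File -ErrorAction SilentlyContinue) {
    if (Select-String -Path $page.FullName -Pattern '<%@\s*(Page|Control|Master)\b[^%]*\bTrace\s*=\s*"true"' -Quiet) {
        $findings.Add("$($page.FullName): page directive has Trace=""true""")
    }
}

if ($findings.Count -eq 0) { 'No insecure ASP.NET error, debug, trace or credential settings found' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

A trace element with localOnly="true" (the ASP.NET default) only exposes trace.axd to local requests, but it still writes request details including headers and cookies to the trace log, which is why the section above recommends removing it entirely rather than relying on localOnly.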
Ensure X-Powered-By Header is removed
The X-Powered-By header may reveal the underlying technology used by an application. Attackers can conduct reconnaissance on a website using these response headers, and use them to target attacks at known vulnerabilities in that technology.
Audit
In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/httpProtocol
Remediation
In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /-"customHeaders.[name='X-Powered-By']" /commit:apphost
Ensure Server Header is removed
The server header may specify the underlying technology used by an application. Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers.
Audit
In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/security/requestFiltering
Remediation
In elevated PowerShell run: Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True"
or in IIS Manager, for each site: open HTTP Response Headers and ensure no X-Powered-By header is listed. The Server header is not shown there; confirm it is suppressed by inspecting a response from the site (for example in the Network tab of the browser developer tools).
Ensure 'HTTP Trace Method' is disabled
The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behaviour to access sensitive information, such as authentication data or cookies, contained in the HTTP headers of the request.
Audit
For the server and each application:
- Open Internet Information Services (IIS) Manager
- In the Connections pane, select the server, site, application, or directory to be checked
- In the Home pane, double-click Request Filtering
- In the Request Filtering pane, click the HTTP Verbs tab
- Verify the TRACE verb is denied
Remediation
- Open IIS Manager
- Select the server.
- In the home page double click Request Filtering
- Navigate to the HTTP Verbs tab
- In the actions pane click Deny Verb
- Enter TRACE and click OK
- Verify that the TRACE element is not allowed (overridden) in each application
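The X-Powered-By, Server header and TRACE recommendations above are all server-wide applicationHost.config settings, so they can be applied and then verified with one live request. The script below is an added example, not code from the Synergetic guide: it removes the X-Powered-By custom header, sets removeServerHeader (IIS 10 and later), denies the TRACE verb, and then requests a URL and reports the relevant headers and the status code TRACE receives. It uses the WebAdministration module in an elevated Windows PowerShell session; the test URL http://localhost/ is an assumption (use a site that actually answers there, over HTTPS if the site requires it).

```powershell
# Added example: strip X-Powered-By and Server, deny TRACE, then verify against a live response.
Import-Module WebAdministration
$psPath = 'MACHINE/WEBROOT/APPHOST'

# X-Powered-By: a custom header IIS adds in applicationHost.config by default
$hdr = Get-WebConfigurationProperty -pspath $psPath -filter "system.webServer/httpProtocol/customHeaders/add[@name='X-Powered-By']" -name 'name' -ErrorAction SilentlyContinue
if ($hdr) {
    Remove-WebConfigurationProperty -pspath $psPath -filter 'system.webServer/httpProtocol/customHeaders' -name '.' -AtElement @{ name = 'X-Powered-By' }
    'Removed X-Powered-By custom header'
}

# Server: IIS 10 can suppress its own Server header through request filtering
Set-WebConfigurationProperty -pspath $psPath -filter 'system.webServer/security/requestFiltering' -name 'removeServerHeader' -value 'True'

# TRACE: deny the verb server-wide (sites can still override unless the section is locked)
$verbs = 'system.webServer/security/requestFiltering/verbs'
$trace = Get-WebConfigurationProperty -pspath $psPath -filter "$verbs/add[@verb='TRACE']" -name 'allowed' -ErrorAction SilentlyContinue
if ($null -eq $trace) {
    Add-WebConfigurationProperty -pspath $psPath -filter $verbs -name '.' -value @{ verb = 'TRACE'; allowed = 'False' }
} else {
    Set-WebConfigurationProperty -pspath $psPath -filter "$verbs/add[@verb='TRACE']" -name 'allowed' -value 'False'
}

function Test-ResponseHardening {
    param([string]$Url = 'http://localhost/')   # assumption: a site that answers on this URL
    $get = Invoke-WebRequest -Uri $Url -UseBasicParsing
    try   { $traceStatus = (Invoke-WebRequest -Uri $Url -Method Trace -UseBasicParsing).StatusCode }
    catch { $traceStatus = [int]$_.Exception.Response.StatusCode }
    [pscustomobject]@{
        XPoweredBy    = $get.Headers['X-Powered-By']      # expect empty
        Server        = $get.Headers['Server']            # expect empty
        XAspNetVer    = $get.Headers['X-AspNet-Version']  # expect empty; see note below
        TraceStatus   = $traceStatus                      # expect 404 (request filtering rejects denied verbs with 404.6)
    }
}
Test-ResponseHardening
```

ASP.NET adds its own X-AspNet-Version header independently of IIS; if it shows up in the verification output, set <httpRuntime enableVersionHeader="false" /> in the application's web.config. Removing these headers hides the obvious fingerprint but does not remove the vulnerabilities themselves; patching does that.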
Transport encryption
Ensure SSLv2 is disabled
This protocol is not considered cryptographically secure and must be disabled.
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault'
Remediation
In elevated Powershell run the commands:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force |Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
Ensure SSLv3 is Disabled
This protocol is not considered cryptographically secure. Disabling it is recommended
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault'
Remediation
In elevated Powershell run the commands:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
Ensure TLS 1.0 is Disabled
The PCI Data Security Standard 3.1 recommends disabling "early TLS" along with SSL:
SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault'
Remediation
In elevated Powershell run the commands:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
Ensure TLS 1.1 is Disabled
TLS 1.1 is only needed for backward compatibility with old clients and has been deprecated alongside TLS 1.0 (RFC 8996). Fully test your applications to confirm that backward compatibility is not needed; if it is, build in exceptions as necessary.
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault'
Remediation
In elevated Powershell run the commands:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null
Ensure TLS 1.2 is Enabled
TLS 1.2 is the minimum protocol version that should be offered for protecting the confidentiality and integrity of HTTP traffic. TLS 1.3 is also available on Windows Server 2022 and later and should be left enabled there.
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault'
Remediation
In elevated Powershell run the commands:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' -PropertyType 'DWord' -Force | Out-Null
Ensure NULL Cipher Suites is Disabled
The NULL cipher does not provide data confidentiality or integrity. It is recommended that the NULL cipher be disabled
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -name 'Enabled'
Remediation
In elevated Powershell run the commands:
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
Ensure DES Cipher Suites is Disabled
DES is a weak symmetric-key cipher. It is recommended that it be disabled.
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled'
Remediation
In elevated Powershell run the commands:
(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('DES 56/56')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
Ensure RC4 Cipher Suites is Disabled
RC4 is a stream cipher that has known practical attacks. It is recommended that RC4 be disabled. The only RC4 cipher enabled by default on Server 2012 and 2012 R2 is RC4 128/128
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled'
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled'
Remediation
In elevated Powershell run the commands:
(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 40/128')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 56/128')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 64/128')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 128/128')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null
Ensure AES 256/256 Cipher Suite is Enabled
AES 256/256 is a strong, widely supported cipher for protecting the confidentiality of HTTP traffic. Enabling AES 256/256 is recommended. It is enabled by default on Windows Server 2012 and later.
Audit
In elevated Powershell run the commands:
Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256' -name 'Enabled'
Remediation
In elevated Powershell run the commands:
(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('AES 256/256')
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
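The protocol and cipher sections above repeat the same two registry operations many times. The script below is an added example, not code from the Synergetic guide: it wraps them in two functions, applies the baseline from this guide (SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 off; TLS 1.2 on; NULL, DES and RC4 off; AES 256/256 on), and prints the resulting state for review. It goes one step beyond the page by also setting the .NET Framework 4.x SystemDefaultTlsVersions and SchUseStrongCrypto values, so .NET applications on the server follow the operating system's protocol choice for their own outbound connections (for example to SQL Server). Run it elevated; as the page says, a reboot is required before SCHANNEL picks up the changes.

```powershell
# Added example: apply and report the SCHANNEL protocol and cipher baseline from this guide.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enable)
    foreach ($side in 'Server', 'Client') {
        $key = "$schannel\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -Value ([int]$Enable)        -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enable)) -PropertyType DWord -Force | Out-Null
    }
}

function Set-SchannelCipher {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][bool]$Enable)
    # Cipher key names such as 'RC4 128/128' contain '/', which the registry provider reads as a
    # path separator, so the subkey is created through the .NET registry API (as the guide does)
    $ciphers = (Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true)
    $key = $ciphers.CreateSubKey($Name)
    $key.SetValue('Enabled', [int]$Enable, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $ciphers.Close()
}

function Get-SchannelState {
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Server', 'Client') {
            $v = Get-ItemProperty -Path "$schannel\Protocols\$p\$side" -ErrorAction SilentlyContinue
            # blank = value not set, i.e. the OS default applies
            [pscustomobject]@{ Item = "$p $side"; Enabled = $v.Enabled; DisabledByDefault = $v.DisabledByDefault }
        }
    }
    $ciphers = (Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    foreach ($c in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128', 'AES 128/128', 'AES 256/256') {
        $key = $ciphers.OpenSubKey($c)
        $enabled = if ($key) { $key.GetValue('Enabled'); $key.Close() } else { $null }
        [pscustomobject]@{ Item = "Cipher $c"; Enabled = $enabled; DisabledByDefault = '' }
    }
    $ciphers.Close()
}

# Baseline from this guide
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-SchannelProtocol -Name $p -Enable $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enable $true
foreach ($c in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') { Set-SchannelCipher -Name $c -Enable $false }
Set-SchannelCipher -Name 'AES 256/256' -Enable $true

# Beyond the guide: make .NET Framework 4.x follow the OS protocol defaults instead of hard-coding TLS 1.0
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    if (Test-Path $k) {
        New-ItemProperty -Path $k -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $k -Name 'SchUseStrongCrypto'       -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

Get-SchannelState | Format-Table -AutoSize
```

Disabling TLS 1.0 and 1.1 on the Client side affects outbound connections from this server as well, including the ODBC connection to the Synergetic database; confirm the SQL Server and the client driver support TLS 1.2 (see the Crystal Reports note below) before rebooting. On Windows Server 2016 and later, individual cipher suites can additionally be managed with Get-TlsCipherSuite and Disable-TlsCipherSuite rather than the legacy Ciphers keys.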
Ensure Synergetic Crystal Reports is set to use TLS 1.2
The Synergetic Crystal Reports driver supports both TLS 1.0 and TLS 1.2. By default, it is set to TLS 1.0.
Note: When TLS 1.2 is enabled, the Synergetic Web applications utilise a particular ODBC database driver called "SQL Server Native Client 11.0" (SQLNCLI11.DLL). If this driver is not present on the web server, this needs to be installed so that the report can establish a connection to the database server. You can check if this is installed by opening the ODBC Data Sources program on the server and select the Drivers tab. If it is not installed, it can be downloaded from this location: https://www.microsoft.com/en-us/download/details.aspx?id=50402
Audit
- In the Synergetic Windows Client, navigate to System | Configuration File Maintenance
- Search for CrystalReports | Driver | SupportTLS1.0Flag
- The value needs to be false to ensure TLS 1.2 is used
Remediation
Remove the tick from the value checkbox and save.