IIS Server hardening guidelines

Synergetic databases and applications require adequate security configuration through multiple layers of the environment. The objective of this document is to provide guidelines for hardening a Microsoft Internet Information Services (IIS) server.

Whilst all care has been taken in preparing this guide, Education Horizons Group does not warrant that the contents of this guide (i.e. information, recommendations, opinions or conclusions contained in this guide (“Information”)) is accurate, reliable, complete or current. The Information does not purport to contain all matters relevant to the usage of Synergetic software. The Information has been prepared on the basis of circumstances and technology current as at the date of the report and care should be taken by the School to determine if circumstances have changed in a manner which would affect the Information. To the extent permissible by law, Education Horizons Group shall not be liable for any errors, omissions, defects or misrepresentations in the Information or for any loss or damage suffered by persons who use or rely on such Information (including by reasons of negligence, negligent misstatement or otherwise). If any law prohibits the exclusion of such liability, Synergetic limits its liability to the re-supply of the Information, provided that such limitation is permitted by law and is fair and reasonable.

The recommendations herein provided are based on the Center for Internet Security (CIS) hardening guides and benchmarks for IIS 10 running on Windows Server 2016 or above. Each recommendation should be considered with reference to the specific environment requirements. Changes may result in web applications not functioning as expected, particularly where their configuration differs from the base products.

A server level backup as well as a backup of the individual configuration files should be taken prior to making any changes. 

The server will need to be rebooted after the changes have been made.

All commands supplied are to be run in an elevated command shell or elevated PowerShell (PowerShell v5 only) as required.

Basic configurations

Ensure web content is on a non-system partition

Web resources published through IIS are mapped, via Virtual Directories, to physical locations on disk. CIS recommends mapping all Virtual Directories to a non-system disk volume. This may prevent system failure if the drive capacity becomes limited.

Audit

In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd list vdir 

Remediation

See the recommended guide https://domainwebcenter.com/move-inetpub-directory/ . This is offered as a guide only. Note that all scripts and commands in that guide move the directory to the "X" drive. Moving the files will require ownership be taken of the folders.

Change application mappings and virtual directories to reflect the new location 

Ensure 'host headers' are on all sites

For all non HTTPS sites set host headers. 

Not applicable for Synergetic sites which should all be HTTPS 

Ensure 'directory browsing' is set to disabled 

On a production server directory browsing should be disabled at the server level 

Audit

In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd list config /section:directoryBrowse

If disabled then the response is  

<system.webServer> 
  <directoryBrowse enabled="false" />
</system.webServer> 

Remediation

In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd set config /section:directoryBrowse /enabled:false 

Ensure 'application pool identity' is configured for all application pools 

Setting Application Pools to use unique least privilege identities such as ApplicationPoolIdentity reduces the potential harm the identity could cause should the application ever become compromised. 

Audit

  1. Open IIS Manager 
  2. Open the Application Pools node underneath the machine node; select Application Pool to be verified 
  3. Right click the Application Pool and select Advanced Settings… 
  4. Under the Process Model section, locate the Identity option and ensure that ApplicationPoolIdentity is set 

Ensure 'unique application pools' is set for sites 

Application Pool identities allow Application Pools to be run under unique accounts without the need to create and manage local or domain accounts. It is recommended that all Sites run under unique, dedicated Application Pools.

Note: The Synweb application pool is shared between Synweb and Builder. Builder is a sub site of Synweb and needs to run in the same application pool.

Audit

In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd list app  

Each site should have its own unique application pool. Synweb and Builder share an application pool. This is by design.

Remediation

Create a unique application pool per application and assign them to the application. 
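
The audit above, turned into a check on the text that appcmd list app prints. This is an added example, not part of the original guide: the function name, the AllowedShared parameter and the sample site and pool names are assumptions, and the sample lines are constructed.

```powershell
# Added example, not from the original guide: flag application pools that
# serve more than one site, from the text printed by "appcmd list app".
function Find-SharedAppPool {
    param(
        [Parameter(Mandatory = $true)][string[]]$AppCmdOutput,
        # Pools accepted as shared by design (hypothetical parameter).
        [string[]]$AllowedShared = @()
    )

    $apps = foreach ($line in $AppCmdOutput) {
        # Line format: APP "Site/path" (applicationPool:PoolName)
        if ($line -match '^APP "(?<app>[^"]+)" \(applicationPool:(?<pool>[^)]+)\)') {
            [pscustomobject]@{
                Site = ($Matches['app'] -split '/')[0]
                App  = $Matches['app']
                Pool = $Matches['pool']
            }
        }
    }

    $apps | Group-Object -Property Pool | ForEach-Object {
        $group = $_
        $sites = @($group.Group | ForEach-Object { $_.Site } | Sort-Object -Unique)
        # A sub-application (Synweb/Builder) belongs to its parent site, so a
        # pool is only reported when two different sites use it.
        if ($sites.Count -le 1) {
            $status = 'OK'
        } elseif ($AllowedShared -contains $group.Name) {
            $status = 'SharedByDesign'
        } else {
            $status = 'Shared'
        }
        [pscustomobject]@{
            Pool   = $group.Name
            Status = $status
            Sites  = $sites -join ', '
            Apps   = ($group.Group | ForEach-Object { $_.App }) -join ', '
        }
    }
}

# Constructed sample output; site and pool names are made up for the example.
$sample = @(
    'APP "Synweb/" (applicationPool:Synweb)'
    'APP "Synweb/Builder" (applicationPool:Synweb)'
    'APP "Portal/" (applicationPool:SharedPool)'
    'APP "Reports/" (applicationPool:SharedPool)'
)
Find-SharedAppPool -AppCmdOutput $sample | Format-Table -AutoSize

# On the server, from an elevated PowerShell:
# Find-SharedAppPool -AppCmdOutput (& "$env:SystemRoot\system32\inetsrv\appcmd.exe" list app)
```

With the sample lines, the Synweb pool is reported as OK because Builder sits under the Synweb site, and SharedPool is reported as Shared.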

Ensure 'application pool identity' is configured for anonymous user identity 

Configure the anonymous user identity for application pool identity 

Audit 

Open the file %systemroot%\system32\inetsrv\config\applicationHost.config in an elevated editor such as Notepad or Notepad++. Verify the userName attribute of the anonymousAuthentication tag is a blank string:

<system.webServer> 
<security> 
<authentication> 
<anonymousAuthentication userName="" /> 
</authentication> 
</security> 
</system.webServer> 

Remediation 

For the server, and each application in the server 

  1. Open the IIS Manager GUI and navigate to the desired server, site, or application 
  2. In Features View, find and double-click the Authentication icon 
  3. Select the Anonymous Authentication option and in the Actions pane select Edit... 
  4. Choose Application pool identity in the modal window and then press the OK button 

Ensure WebDav feature is not installed 

WebDAV is an extension to the HTTP protocol which allows clients to create, move, and delete files and resources on the web server. This functionality is available in IIS when the WebDAV feature is enabled. 

Audit 

Examine the installed IIS features 

 

Remediation 

Remove the feature 

Configure Authentication and Authorization

Ensure 'forms authentication' require SSL and use cookies 

Forms-based authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL 

Note: Synergetic products do not use forms authentication. 

Audit

In elevated command prompt run %systemroot%\system32\inetsrv\appcmd list config -section:system.web/authentication 

Verify that the <forms> tag has requireSSL="true", cookieless="UseCookies" and protection="All":

<system.web> 
  <authentication> 
    <forms cookieless="UseCookies" protection="All" requireSSL="true" /> 
  </authentication> 
</system.web> 

Remediation 

For the server, and every application that uses forms authentication 

  1. Open IIS Manager and navigate to the appropriate tier
  2. In Features View, double-click Authentication
  3. On the Authentication page, select Forms Authentication
  4. In the Actions pane, click Edit
  5. In the cookie settings section 
    1. set mode to ‘Use cookies’ 
    2. set protection mode to ‘Encryption and validation’. If it was already set, change to none, then change back to ‘Encryption and validation’ to force the change
    3. check ‘Requires SSL’
  6. click OK 

Ensure transport layer security for 'basic authentication' is configured 

Basic Authentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted 

Note: Synergetic does not (by default) use Basic authentication. However, some sites may have added this option for local operational reasons. 

Audit 

For each website and web application run the command, replacing the <website name> parameter. In elevated PowerShell run: Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location '<website name>' -filter 'system.webServer/security/access' -name 'sslFlags' 

Value should be zero.

Remediation 

  1. Open IIS Manager
  2. In the Connections pane on the left, select the server to be configured
  3. In the Connections pane, expand the server, then expand Sites and select the site to be configured
  4. In the Actions pane, click Bindings; the Site Bindings dialog appears
  5. If an HTTPS binding is available, click Close and see below "To require SSL"
  6. If no HTTPS binding is visible, perform the following steps 

To add an HTTPS binding: 

  1. In the Site Bindings dialog, click Add; the Add Site Binding dialog appears
  2. Under Type, select https
  3. Under SSL certificate, select an X.509 certificate
  4. Click OK, then close 

To require SSL: 

  1. In Features View, double-click SSL Settings
  2. On the SSL Settings page, select Require SSL.
  3. In the Actions pane, click Apply 

Ensure 'passwordFormat' is not set to clear 

The <credentials> element allows optional definitions of name and password for IIS Manager User accounts within the configuration file. Forms-based authentication also uses these elements to define the users. IIS Manager Users can use the administration interface to connect to sites and applications in which they've been granted authorization. Note that the <credentials> element only applies when the default provider, ConfigurationAuthenticationProvider, is configured as the authentication provider. It is recommended that passwordFormat be set to a value other than Clear, such as SHA1.

Audit 

For each website and web application run the command, replacing the <website name> parameter. In elevated PowerShell run: Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/<website name>' -filter 'system.web/authentication/forms/credentials' -name 'passwordFormat' 

Remediation 

Authentication mode is configurable at the machine.config, root-level web.config, or application-level web.config: 

  1. Locate and open the configuration file where the credentials are stored
  2. Find the <credentials> element
  3. If present, ensure passwordFormat is not set to Clear
  4. Change passwordFormat to SHA1 

The clear text passwords will need to be replaced with the appropriate hashed version. 

ASP.NET configuration recommendations

Enable HTTP Strict Transport Security

The HTTP Strict-Transport-Security response header is used to ensure the website is accessed solely over HTTPS. This mitigates the risk of communication being intercepted.

Remediation

  1. In IIS configuration manager, select the server
  2. Navigate to HTTP Response Headers
  3. In the Response Headers choose Add
  4. Enter the values:
    1. Name: Strict-Transport-Security
    2. Value:  max-age=63072000; includeSubDomains; preload

This sets the HTTP Strict Transport Security policy with a maximum age of 2 years.

Consider setting 'deployment method retail' 

The <deployment retail> switch is intended for use by production IIS servers. This switch is used to help applications run with the best possible performance and least possible security information leakage by disabling the application's ability to generate trace output on a page, disabling the ability to display detailed error messages to end users, and disabling the debug switch.

Note: Setting this switch will impact all applications using that version of the .NET framework. This may have undesired effects. 

Remediation 

Authentication mode is configurable at the machine.config, root-level web.config, or application-level web.config: 

  1. Open the machine.config file located in:  %systemroot%\Microsoft.NET\Framework<bitness (if not the 32bit)>\<framework version>\CONFIG 
  2.  Add the line <deployment retail="true" /> within the <system.web> section 
  3. If systems are 64-bit, do the same for the machine.config located in: %systemroot%\Microsoft.NET\Framework<bitness (if not the 32bit)>\<framework version>\CONFIG

Ensure 'debug' is turned off 

This is a defence in depth recommendation, because <deployment retail="true" /> in the machine.config configuration file overrides any debug settings. It is recommended that debugging still be turned off.

Audit 

  1. In IIS Manager browse to the server and each web application
  2. In Features View, double click .NET Compilation
  3. In the behaviour section, ensure Debug is set to false  

Remediation 

Set debug to false for each application and the server 

Disable compilation debugging

This is a defence in depth strategy. In a production server, debug messages should not be passed on. 

This setting is managed in the machine.config file, and in each of the application web.config files.

Audit

  1. Open the relevant config file. 
  2. Navigate to the xml node of compilation in the system.web node
  3. There may be other attributes in the tag

If the debug attribute is missing or set to true then debugging is enabled

Remediation

Add the debug attribute or set it to false.

The machine.config may not have the compilation tag. In this case add <compilation debug="false" /> in the system.web node

Ensure custom error messages are not off 

When an ASP.NET application fails and causes an HTTP/1.x 500 Internal Server Error, or a feature configuration (such as Request Filtering) prevents a page from being displayed, an error message will be generated. Administrators can choose whether the application should display a friendly message to the client, detailed error message to the client, or detailed error message to localhost only. The <customErrors> tag in the web.config has three modes:

  • On: Specifies that custom errors are enabled. If no defaultRedirect attribute is specified, users see a generic error. The custom errors are shown to the remote clients and to the local host  
  • Off: Specifies that custom errors are disabled. The detailed ASP.NET errors are shown to the remote clients and to the local host  
  • RemoteOnly: Specifies that custom errors are shown only to the remote clients, and that ASP.NET errors are shown to the local host. This is the default value  

This is a defence in depth recommendation, because <deployment retail="true" /> in the machine.config file overrides any setting of customErrors to Off. It is recommended that customErrors still be set to On or RemoteOnly.

Audit 

Both the inetpub and the server IIS settings should be checked. In elevated PowerShell run the commands:

  • Get-ChildItem -Path "<Inetpub folder location>" -Filter *.config -recurse | select-string -Pattern '<customerror' 
  • Get-ChildItem -Path "$ENV:SystemRoot\system32\inetsrv" -Filter *.config -recurse | select-string -Pattern '<customerror' 

This will give a list of all the customErrors properties for each application. Verify that none has mode="Off".

Remediation 

In IIS Configuration manager, for the server and each application 

  1. In the Features view double-click .NET Error Pages
  2. In the actions pane, click Edit Feature Settings
  3. In the modal window, choose On or Remote Only for the mode setting
  4. Click OK 

Ensure IIS HTTP detailed errors are hidden from displaying remotely 

A Web site's error pages are often set to show detailed error information for troubleshooting purposes during testing or initial deployment. To prevent unauthorized users from viewing this privileged information, detailed error pages must not be seen by remote users. 

Each of the Synergetic applications uses different settings for the error pages. For those that have pages defined, the setting should be ‘Custom error pages’. For those that do not have custom error pages defined (that is, either blank or all set to \inetpub\custerr\<LANGUAGE-TAG>\), the setting should be ‘Detailed errors for local requests and custom errors for remote requests’.

Audit 

For the server and each web site, in IIS configuration manager 

  1. In the feature view double click Error Pages
  2. In the actions pane, click Edit Feature Settings
  3. Verify the setting is correct for the site 

Remediation 

Set the custom error level appropriate to the site. By default, the log path is blank, but can be used to specify the location of a log file that will record the errors.

Ensure ASP.NET stack tracing is not enabled 

The trace element configures the ASP.NET code tracing service that controls how trace results are gathered, stored, and displayed. When tracing is enabled, each page request generates trace messages that can be appended to the page output or stored in an application trace log.  

This is a defence in depth recommendation, because <deployment retail="true" /> in the machine.config file overrides any settings for ASP.NET stack tracing that are left on. It is recommended that ASP.NET stack tracing still be turned off.

Audit 

Tracing is configurable at numerous levels: 

  1. Machine.config. By default in %systemroot%\Microsoft.NET\Framework\[version]\config\machine.config or %systemroot%\Microsoft.NET\Framework64\[version]\config\machine.config 
  2. Root-level web.config. By default in the inetpub
  3. Application-level web.config. By default in the root folder of the application
  4. Virtual or physical directory-level web.config
  5. Individual ASP.Net page level 

Note: Config files only exist if default configurations for applications have been changed.

Verify ASP.NET tracing is not turned on, via a per-page basis in the application. 

Ensure the trace attribute is not enabled: 

Trace="true" 

At application level, for example in the web.config, ensure that tracing is not enabled, as it is here:

<configuration> 
   <system.web> 
     <trace enabled="true" /> 
   </system.web> 
</configuration>

Remediation 

  1. Ensure <deployment retail="true" /> is enabled in the machine.config.
  2. Remove all attribute references to ASP.NET tracing by deleting the trace and trace enable attributes. 

Per Page: 

  • Remove any references to: Trace="true" 

Per Application: 

<configuration> 
   <system.web> 
      <trace enabled="true" /> 
   </system.web> 
</configuration>
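
The debug, customErrors, trace and deployment retail audits from the sections above can be run in one pass. This is an added example, not part of the original guide: the function names are hypothetical and the demo files are constructed. It parses each config file as XML instead of matching text, so commented-out elements and the unrelated <trace> element under system.diagnostics are not reported.

```powershell
# Added example, not from the original guide. Read-only; names are hypothetical.
function New-Finding {
    param($File, $Setting, $Value)
    [pscustomobject]@{ File = $File; Setting = $Setting; Value = $Value }
}

function Find-AspNetDisclosureSetting {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    # Parse config files as XML so commented-out elements are not reported.
    Get-ChildItem -Path $Path -Include web.config, machine.config -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            $isMachineConfig = $_.Name -eq 'machine.config'
            try {
                $xml = [xml](Get-Content -LiteralPath $file -Raw)
            } catch {
                New-Finding $file 'unparseable XML' $_.Exception.Message
                return
            }
            # local-name() ignores any xmlns on <configuration>; anchoring on
            # system.web skips the unrelated <system.diagnostics><trace>.
            $xpath = "//*[local-name()='system.web']/*[local-name()='{0}']"

            foreach ($node in $xml.SelectNodes(($xpath -f 'compilation'))) {
                $debug = $node.GetAttribute('debug')
                # The guide's audit treats a missing debug attribute as a finding.
                if ($debug -ne 'false') {
                    if (-not $debug) { $debug = '(missing)' }
                    New-Finding $file 'compilation debug' $debug
                }
            }
            foreach ($node in $xml.SelectNodes(($xpath -f 'customErrors'))) {
                if ($node.GetAttribute('mode') -eq 'Off') {
                    New-Finding $file 'customErrors mode' 'Off'
                }
            }
            foreach ($node in $xml.SelectNodes(($xpath -f 'trace'))) {
                if ($node.GetAttribute('enabled') -eq 'true') {
                    New-Finding $file 'trace enabled' 'true'
                }
            }
            if ($isMachineConfig) {
                $retail = $xml.SelectSingleNode(($xpath -f 'deployment'))
                if ($null -eq $retail -or $retail.GetAttribute('retail') -ne 'true') {
                    New-Finding $file 'deployment retail' '(not true)'
                }
            }
        }

    # Page directives: <%@ Page ... Trace="true" %> (single-line directives only).
    Get-ChildItem -Path $Path -Include *.aspx -Recurse -File -ErrorAction SilentlyContinue |
        Select-String -Pattern '<%@\s*Page\b[^>]*\bTrace\s*=\s*"true"' |
        ForEach-Object { New-Finding $_.Path 'Page Trace' "true (line $($_.LineNumber))" }
}

# Constructed sample files so the example runs without touching a real site.
$demo = Join-Path $env:TEMP ("iis-audit-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
@'
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" />
  </system.web>
  <system.diagnostics><trace autoflush="true" /></system.diagnostics>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $demo 'web.config')
'<%@ Page Language="C#" Trace="true" %>' | Set-Content -LiteralPath (Join-Path $demo 'default.aspx')

Find-AspNetDisclosureSetting -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On a server, pass the inetpub location and the .NET Framework CONFIG folders as -Path; the demo run reports four findings, one for each setting in the constructed files.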

Ensure X-Powered-By Header is removed 

The x-powered-by headers may specify the underlying technology used by an application. 

Attackers can conduct reconnaissance on a website using these response headers. 

This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology 

Audit 

In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/httpProtocol 

Remediation 

In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpProtocol /-"customHeaders.[name='X-Powered-By']" /commit:apphost

Ensure Server Header is removed 

The server header may specify the underlying technology used by an application. Attackers are able to conduct reconnaissance on a website using these response headers. This header could be used to target attacks for specific known vulnerabilities associated with the underlying technology. Removing this header will prevent targeting of your application for specific exploits by non-determined attackers. 

Audit 

In elevated command prompt run: %systemroot%\system32\inetsrv\appcmd.exe list config -section:system.webServer/security/requestFiltering 

Remediation 

In elevated PowerShell run: Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST/' -filter "system.webServer/security/requestFiltering" -name "removeServerHeader" -value "True" 

or in IIS Configuration manager:

For each site:

  1. In the HTTP Response pane
  2. Ensure there are no responses for X-Powered-By

Ensure 'HTTP Trace Method' is disabled 

The HTTP TRACE method returns the contents of client HTTP requests in the entity-body of the TRACE response. Attackers could leverage this behaviour to access sensitive information, such as authentication data or cookies, contained in the HTTP headers of the request 

Audit 

For the server and each application 

  1. Open Internet Information Services (IIS) Manager
  2. In the Request Filtering pane, select the site, application, or directory to be configured
  3. In the Home pane, double-click Request Filtering
  4. In the Request Filtering pane, click the HTTP verbs tab
  5. Verify the TRACE verb is denied 

Remediation 

  1. Open IIS Manager
  2. Select the server.
  3. In the home page double click Request Filtering
  4. Navigate to the HTTP Verbs tab
  5. In the actions pane click Deny Verb
  6. Enter TRACE and click OK
  7. Verify that the TRACE element is not allowed (overridden) in each application 

Transport encryption

Ensure SSLv2 is disabled

This protocol is not considered cryptographically secure

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault'

Remediation

In elevated PowerShell run the commands:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

Ensure SSLv3 is Disabled

This protocol is not considered cryptographically secure. Disabling it is recommended

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault'

Remediation

In elevated PowerShell run the commands:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

Ensure TLS 1.0 is Disabled

The PCI Data Security Standard 3.1 recommends disabling "early TLS" along with SSL:

SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault'

Remediation

In elevated PowerShell run the commands:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

Ensure TLS 1.1 is Disabled

TLS 1.1 is required for backward compatibility. Ensure you fully test your application to ensure that backwards compatibility is not needed. If it is, build in exceptions as necessary for backwards compatibility.

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault'

Remediation

In elevated PowerShell run the commands:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' -PropertyType 'DWord' -Force | Out-Null

Ensure TLS 1.2 is Enabled

TLS 1.2 is the most recent and mature protocol for protecting the confidentiality and integrity of HTTP traffic.

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault'

Remediation

In elevated PowerShell run the commands:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' -PropertyType 'DWord' -Force | Out-Null

Ensure NULL Cipher Suites is Disabled

The NULL cipher does not provide data confidentiality or integrity. It is recommended that the NULL cipher be disabled

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -name 'Enabled'

Remediation

In elevated PowerShell run the commands:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

Ensure DES Cipher Suites is Disabled

DES is a weak symmetric-key cipher. It is recommended that it be disabled.

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled'

Remediation

In elevated PowerShell run the commands:

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('DES 56/56')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

Ensure RC4 Cipher Suites is Disabled

RC4 is a stream cipher that has known practical attacks. It is recommended that RC4 be disabled. The only RC4 cipher enabled by default on Server 2012 and 2012 R2 is RC4 128/128

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled'

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled'

Remediation

In elevated PowerShell run the commands:

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 40/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 56/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 64/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('RC4 128/128')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

Ensure AES 256/256 Cipher Suite is Enabled

AES 256/256 is the most recent and mature cipher suite for protecting the confidentiality and integrity of HTTP traffic. Enabling AES 256/256 is recommended. This is enabled by default on Server 2012 and 2012 R2.

Audit

In elevated PowerShell run the commands:

Get-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256' -name 'Enabled'

Remediation

In elevated PowerShell run the commands:

(Get-Item 'HKLM:\').OpenSubKey('SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $true).CreateSubKey('AES 256/256')

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
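
The protocol and cipher Audit commands in this Transport encryption section, collected into one read-only script that compares each registry value with what the Remediation commands set. This is an added example, not part of the original guide: the function names are hypothetical, and treating any non-zero value as "enabled" is an assumption. A key or value that does not exist is reported as NotConfigured instead of raising an error.

```powershell
# Added example, not from the original guide. Read-only: nothing is written.
$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function New-SchannelCheck {
    param([string]$SubKey, [string]$Name, [int]$Expected)
    [pscustomobject]@{ SubKey = $SubKey; Name = $Name; Expected = $Expected }
}

# Expected values, as set by the Remediation commands in this guide.
function Get-SchannelCheck {
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
        foreach ($role in 'Server', 'Client') {
            New-SchannelCheck "Protocols\$protocol\$role" 'Enabled' 0
            New-SchannelCheck "Protocols\$protocol\$role" 'DisabledByDefault' 1
        }
    }
    New-SchannelCheck 'Protocols\TLS 1.2\Server' 'Enabled' 1
    New-SchannelCheck 'Protocols\TLS 1.2\Server' 'DisabledByDefault' 0
    foreach ($cipher in 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
        New-SchannelCheck "Ciphers\$cipher" 'Enabled' 0
    }
    New-SchannelCheck 'Ciphers\AES 256/256' 'Enabled' 1
}

function Test-SchannelHardening {
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($check in Get-SchannelCheck) {
        # The .NET registry API treats only '\' as a separator, so a name such
        # as 'DES 56/56' resolves to a single key. The guide likewise creates
        # these keys through CreateSubKey.
        $key = $hklm.OpenSubKey("$SchannelRoot\$($check.SubKey)")   # read-only
        $actual = $null
        if ($key) {
            $actual = $key.GetValue($check.Name, $null)
            $key.Close()
        }

        if ($null -eq $actual) {
            # Key or value absent: the guide's setting has not been applied
            # and the operating-system default is in effect.
            $status = 'NotConfigured'
        } elseif (($actual -ne 0) -eq ($check.Expected -ne 0)) {
            # Assumption: any non-zero value counts as 1 (enabled).
            $status = 'Pass'
        } else {
            $status = 'Fail'
        }

        [pscustomobject]@{
            Key      = $check.SubKey
            Value    = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

$results = @(Test-SchannelHardening)
$results | Format-Table -AutoSize
$open = @($results | Where-Object { $_.Status -ne 'Pass' })
'{0} of {1} checks need attention' -f $open.Count, $results.Count
```

The script reports what is configured in the registry; as noted at the start of this guide, the server must be rebooted before changed values take effect.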

Ensure Synergetic Crystal Reports is set to use TLS 1.2

The Synergetic Crystal Reports driver supports both TLS 1.0 and TLS 1.2. By default, it is set to TLS 1.0

Note: When TLS 1.2 is enabled, the Synergetic Web applications utilise a particular ODBC database driver called "SQL Server Native Client 11.0" (SQLNCLI11.DLL). If this driver is not present on the web server, it needs to be installed so that the report can establish a connection to the database server. You can check if this is installed by opening the ODBC Data Sources program on the server and selecting the Drivers tab. If it is not installed, it can be downloaded from this location: https://www.microsoft.com/en-us/download/details.aspx?id=50402

Audit

  1. In Synergetic Windows Client navigate to System | Configuration File Maintenance
  2. Search for CrystalReports | Driver | SupportTLS1.0Flag

The value needs to be false to ensure TLS 1.2 is used

Remediation

Remove the tick from the value checkbox and save.