Archive

Posts Tagged ‘TLSv1.0’

Obsolete Secure Communications Protocol Supported – InfoSec – Fix

December 9, 2019 Leave a comment

Last week our web application (i.e., ADX portal website) underwent Penetration testing (Also called ‘Ethical hacking’) and we got following recommendation:

Disable all affected protocols identified above. If possible, implement TLSv1.3, or TLSv1.2 otherwise.

Reason:

  • In our application’s web server (IIS), TLSv1.0 and TLSv1.1 communication protocols were enabled.
  • TLSv1.0 and TLSv1.1 were deprecated in major browsers as of Q1 2019 and will be disabled completely in early 2020.

Fix:

  • We’ve used IIS Crypto tool to disable TLSv1.0 and TLSv1.1 protocols.
  • IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Servers.
  • Download the IIS Crypto GUI tool in your windows server where your application is hosted.

IIS Crypto_1

  • Open the tool and un-check TLSv1.0 and TLSv1.1 options.

IIS Crypto

  • You must restart the server for changes to take effect.

🙂

 

Categories: ADX, Misc Tags: , ,