rserbia  
#1 Posted : Monday, June 25, 2018 3:55:02 PM(UTC)

I have a self-hosted ConnectWise on Server 2012. To be HIPAA compliant I need to make sure TLS 1.0 is disabled on screen-connect/connectwise. I used IISCrypto to disable all old ciphers and protocols and when I ran a scan a few months ago on SSL Labs I had an A+. Now I have a B because TLS 1.0 shows enabled on my ConnectWise port. Security matrix scan also shows it being enabled but when I go to the registry and IISCrypto it shows disabled. The only thing I did in the last few months was update ConnectWise. Did something change? Is there a way to disable it via ConnectWise configs?

vexation  
#2 Posted : Sunday, July 1, 2018 9:11:31 AM(UTC)
Originally Posted by: rserbia
I have a self-hosted ConnectWise on Server 2012. To be HIPAA compliant I need to make sure TLS 1.0 is disabled on screen-connect/connectwise. I used IISCrypto to disable all old ciphers and protocols and when I ran a scan a few months ago on SSL Labs I had an A+. Now I have a B because TLS 1.0 shows enabled on my ConnectWise port. Security matrix scan also shows it being enabled but when I go to the registry and IISCrypto it shows disabled. The only thing I did in the last few months was update ConnectWise. Did something change? Is there a way to disable it via ConnectWise configs?


I still get an A rating on SSL Labs with TLS 1.0 enabled.

SSL Labs did recently reclassify a bunch of stuff which makes it a lot harder to get an A+ (if memory serves you have to be TLS 1.2 only and also be using a 4096-bit cert with SHA-256 roots only).

Getting an A rating however should be really easy.

I normally use the scripts at https://www.hass.de/cont...rward-secrecy-and-tls-12 to quickly harden everything. Please note that you should now be disabling 3DES also, so whichever script you decide to go for, make sure you remove Triple DES 168 from the snippet below.

# Enable new secure ciphers.
# - RC4: It is recommended to disable RC4, but you may lock out WinXP/IE8 if you enforce this. This is a requirement for FIPS 140-2.
# - 3DES: It is recommended to disable these in near future. This is the last cipher supported by Windows XP.
# - Windows Vista and before 'Triple DES 168' was named 'Triple DES 168/168' per https://support.microsoft.com/en-us/kb/245030
$secureCiphers = @(
'AES 128/128',
'AES 256/256',
'Triple DES 168'
)

You might find that simply re-running IISCrypto and disabling the 3DES ciphers and rebooting will be enough to get your A rating again.

Of course it could be something else entirely!
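
The mismatch discussed in this thread (registry and IISCrypto report TLS 1.0 disabled, a scan reports it enabled on the ConnectWise port) can be checked directly by comparing the SCHANNEL registry values with what the listener actually negotiates. The script below is an added example, not part of either post or of the hass.de scripts; the host name and port are placeholders, and Get-SchannelSetting and Test-TlsProtocol are hypothetical helper names.

```powershell
# Added example, not from the thread. Host name and port are placeholders.
param(
    [string]$HostName = 'control.example.test',  # placeholder: your Control server
    [int]$Port = 443                             # placeholder: the port the scan flagged
)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelSetting {
    param([string]$SubKey)
    # Read the Enabled / DisabledByDefault DWORDs; report 'not set' when absent.
    $item = Get-ItemProperty -Path (Join-Path $schannel $SubKey) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key               = $SubKey
        Enabled           = if ($item -and $null -ne $item.Enabled) { $item.Enabled } else { 'not set' }
        DisabledByDefault = if ($item -and $null -ne $item.DisabledByDefault) { $item.DisabledByDefault } else { 'not set' }
    }
}

function Test-TlsProtocol {
    param([string]$Server, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    # Certificate validity is irrelevant here; only the protocol version is being tested.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        # Offer exactly one protocol version; success means the listener accepted it.
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        'accepted'
    } catch {
        'refused or failed: ' + $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
}

# 1. What the registry says (run on the server itself).
'Protocols\TLS 1.0\Server', 'Ciphers\Triple DES 168' |
    ForEach-Object { Get-SchannelSetting $_ } | Format-Table -AutoSize

# 2. What the listener actually negotiates on the wire.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    '{0,-6} {1}' -f $p, (Test-TlsProtocol $HostName $Port $p)
}
```

Run the handshake part from a machine whose own SCHANNEL client settings still permit TLS 1.0; otherwise the TLS 1.0 attempt fails locally and says nothing about the server.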
