Disabling TLS 1.0/1.1 in Skype for Business Server 2015–Part 2


May 24, 2018 Update: Deployment steps have been updated based on additional validation testing.  The steps have changed and now include pre-requisite registry keys.  Please review the following document carefully!

In Part 1 of our Disabling TLS 1.0 and 1.1 Support for On-Premises Skype for Business deployments blog we covered the pre-requisites and supportability scope. In this blog we will go over how to disable TLS 1.0 and 1.1 in your environments.

Please review Part 1 to ensure all your servers, clients and devices are in scope, and that you have a plan to address any gaps. Except where noted in Part 1, once TLS 1.0 and 1.1 are disabled out-of-scope servers, clients and devices will longer function properly, or at all. This may mean you need to pause and wait for updated guidance from Microsoft. Once you are satisfied you meet all requirements and have a plan to address gaps, proceed.

At a high level, this requires installing Skype for Business Server 2015 CU6 HF2, applying pre-requisite updates to .Net and SQL, deploying pre-requisite registry keys and finally a separate round of OS configuration updates, i.e. disabling TLS 1.0 and 1.1 via registry file import. It is critically important that you complete installation of all prerequisites, including Skype for Business Server 2015 CU6 HF2, prior to disabling TLS 1.0 and 1.1 on any server in your environment. Every Skype for Business Server, including Edge role and SQL Backends, require the updates. Also ensure that all supported (in-scope) clients have been updated to the required minimum versions. Don’t forget to update management workstations as well.

We want to follow the usual order of operations of "inside out" for upgrading Skype for Business servers. Treat Director pools, Pchat and Paired Pools in the same manner you normally would. Order and methods for upgrade are covered here and here.

High level process:

  1. Test all steps in your lab prior to configuring production servers
  2. Backup and preserve a copy of exported registry on each and every individual server to be updated. You cannot share registries between Servers, they contain unique machine based keys.
  3. Upgrade all Skype for Business 2015 Servers to CU6 HF2 or higher
  4. Install all pre-requisites to all servers
  5. Deploy pre-requisite registry keys
  6. Ensure all in-scope clients are updated (covered in Part I)
  7. Disable TLS 1.0 and 1.1 via registry import
  8. Validate workloads are functioning as expected
    1. If problems encountered, troubleshoot and resolve or
    2. Restore registry from step 2 to re-enable TLS 1.0 and 1.1
  9. Validate only TLS 1.2 is being used

 

Install Pre-Requisites to All Servers

Extensive dependency updating is required before you begin to disable TLS 1.0 and 1.1 at the operating system level in your Skype for Business Server 2015 deployments. The following are the minimum versions that can support TLS 1.2. Deploy all pre-requisite updates across every Skype for Business server in your environment before you begin disabling TLS 1.0 and 1.1.

  • Skype for Business Server 2015 CU6 HF2 6.0.9319.516 (March 2018 update) or higher
  • .NET Framework 4.7 or higher with SchUseStrongCrypto enabled in the registry (provided below)
  • SQL must be updated on all Skype for Business 2015 servers and backends. Update Enterprise Edition Pool SQL Backends first, then their respective FEs.
    • SQL Server 2014 SP1 + CU5 (link), or higher / SQL Server 2012 SP2 + CU16 or higher/ SQL Server 2014 RTM + CU12 (link) or higher / SQL Server 2014 SP2
    • SQL Server Native Client for SQL Server 2012 (link)
    • Microsoft ODBC Driver 11 for SQL Server (link), or higher
    • Shared Management Objects for SQL Server 2014 SP2 (link)
    • SQLSysClrTypes for SQL server 2014 SP2 (link)

 

Basic steps to install pre-requisites, in recommended order of operations:

  1. Install the Skype for Business Server CU6HF2 (6.0.9319.516) update to all servers.
    1. Install the update to components using the updater.
    2. Update databases according to documented procedures. Instructions are documented at https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015.
    3. Validate product functionality in the deployment prior to moving forward with any other changes.
  2. Download .NET 4.7 Offline Installer
    1. Reference: https://www.microsoft.com/en-us/download/details.aspx?id=55167
    2. Ensure Skype for Business Server 2015 services are stopped on the Front End server.
    3. Reference: https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015
    4. Ex (Standard Edition): Stop-CsWindowsServices
    5. Ex (Enterprise Edition): Invoke-CsComputerFailover
    6. Run the installer package.
    7. Reboot the server.
  3. Update SQL Express 2014 on all Servers
    1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server.
    2. Download SQL 2014 SP2
      1. Reference: https://www.microsoft.com/en-us/download/details.aspx?id=53168
    3. Copy the installation media to a folder on the server (Ex: C:\01_2014SqlSp2)
    4. Ensure Skype for Business Server 2015 services are stopped on the Front End server
      1. Ex (Standard Edition): Stop-CsWindowsService
      2. Ex (Enterprise Edition): Invoke-CsComputerFailove
    5. Open an Admin Command Prompt, and upgrade all installed components and instances
      1. Example: C:\01_2014SqlSp2\SQLServer2014SP2-KB3171021-x64-ENU.exe /qs /IAcceptSQLServerLicenseTerms /Action=Patch /AllInstances
  4. Update SQL Native Client
    1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server.
    2. Download from https://www.microsoft.com/en-us/download/details.aspx?id=50402
    3. Ensure Skype for Business Server 2015 services are stopped on the Front End server.
      1. Ex (Standard Edition): Stop-CsWindowsServices
      2. Ex (Enterprise Edition): Invoke-CsComputerFailove
    4. Stop the SQL instances installed from running
      1. Ex: Get-Service 'MSSQL$RTCLOCAL' | Stop-Servic
      2. Ex: Get-Service 'MSSQL$LYNCLOCAL' | Stop-Servic
      3. Ex (Standard Edition Only): Get-Service 'MSSQL$RTC' | Stop-Servic
    5. Install the update.
  5. Update ODBC Driver 11 for SQL Server
    1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server.
    2. Download from https://www.microsoft.com/en-us/download/confirmation.aspx?id=36434
    3. Ensure Skype for Business Server 2015 services are stopped on the Front End server
      1. Ex (Standard Edition): Stop-CsWindowsService
      2. Ex (Enterprise Edition): Invoke-CsComputerFailove
    4. Install the update.
  6. Deploy pre-requisite registry keys

Pre-requisite registry keys:

Copy/paste the following test into Notepad and rename TLSPreReq.reg or a name of your choice, then import:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000AA0

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000AA0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

For SQL Back ends for Enterprise Edition Pools, pre-requisites and TLS disable should be treated as any SQL or OS updates would; refer to: https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/patch-or-update-a-back-end-or-standard-edition-server

While both the pre-requisite application and TLS disabling steps can be combined, we strongly recommend all pre-requisites be applied before proceeding with disabling of TLS 1.0 and 1.1 at the operating system level.  The best practice approach would be to prepare the environment by deploying all pre-requisites, validating workloads all function correctly and as expected - then proceed with TLS 1.0/1.1 disable at a later time.

 

Disable TLS 1.0 and 1.1 via Registry Import

Before you proceed with the next steps, make sure you have completed all prerequisites and updated Skype for Business Servers.

Copy the following text into a notepad file and rename it TLSDisable.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]

"AllowInsecureRenegoClients"=dword:00000000

"AllowInsecureRenegoServers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

 

Import the .reg file on each server you wish to disable TLS 1.0 and 1.1. Reboot the server. Once the services have come back online, move to the next server. The approach for Enterprise Edition Pools is the same you would take for any OS update.

You may have noticed we are doing more than just disabling TLS 1.0 and 1.1 here. We are supporting Cipher Suite re-order (as shown above) and the disabling of some older weak ciphers. This is the first time we have officially supported these changes to SCHANNEL and Crypto API on Skype for Business Server, and it is important to note these changes are the only ones we support and have tested at this time. We may consider additional configurations in the future, but for now, please do not modify the registry import file in your implementation.

 

Validate Workloads are functioning as expected

Once TLS 1.0 and 1.1 have been disabled in your environment, check to ensure that all your main workloads are functioning as expected, such as IM & Presence, P2P calls, Enterprise Voice, et cetera.

Validate only TLS 1.2 is being used

Have your Security Team perform a new audit of Skype for Business traffic to ensure the older protocols TLS 1.0 and 1.1 are no longer in use.

Alternatively, you can use Internet Explorer to test TLS connections to web services from Skype for Business Server 2015 after TLS 1.0 and TLS 1.1 have been disabled.

  1. Launch Internet Explorer
  2. Select Tools > Internet Options
  3. Select the Advanced tab
  4. Under Settings, scroll to the bottom
  5. Verify that TLS 1.0, TLS 1.1, and TLS 1.2 are enabled
  6. Browse the Internal Web Service URL of your SfB 2015 pool (should connect successfully)
  7. Go back into IE and disable the option to Use TLS 1.2 only
  8. Browse the Internal Web Service URL of your SfB 2015 pool again (should fail to connect)

InternetOptions


Comments (0)

Skip to main content