This is a post from my original blog; I’ve re-posted it here.
This blog post is on Forefront TMG, a product that Microsoft has fully discontinued. It was usually installed on Server 2008/2008 R2, which have not received a TLS 1.3 back-port and instead cap out at TLS 1.2. In addition, TLS 1.2 and 1.1 are on the list to be deprecated in 2019 and 2020, as they are older protocols and the new 1.3 is much more secure by default, and faster. However, many companies wish to perform inbound and outbound traffic inspection, and TLS 1.3 has yet to allow for the kind of man-in-the-middle interception that many businesses employ as part of their security and employee-monitoring strategies.
Note: with the deprecation of TLS 1.1 and 1.2, you can no longer receive A ratings from these test sites until those versions are disabled and TLS 1.3 is being used instead.
Registry changes to remove SSLv3 and enable higher-level TLS protocols.
Add the following keys and subkeys under Protocols:
- SSL 3.0
  - Server
  - Client (optional)
- TLS 1.0
  - Server
  - Client (optional)
- TLS 1.1
  - Server
  - Client (optional)
- TLS 1.2
  - Server
  - Client (optional)
Server keys control the protocol when the server or workstation is serving content to outside parties.
Client keys control the protocol when the server or workstation is fetching content from remote locations.
Under the SSL 3.0 Server key (and the optional Client key), add the following DWORD entry:
DisabledByDefault = 1
Under each TLS version that you wish to support, create the DWORDs:
DisabledByDefault = 0
Enabled = 1
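As an added example (not from the original post), the following PowerShell script creates the Server and Client subkeys and DWORDs described above for each protocol, then reads them back so you can verify the result before rebooting. It assumes the standard Schannel location under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, and for disabled protocols it also sets Enabled = 0 alongside DisabledByDefault = 1, which goes slightly beyond the SSL 3.0 step above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the TMG server; Schannel reads these values at boot, so reboot
# (or at least expect a reboot to be required) after applying them.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol: $true = enabled, $false = disabled.
# TLS 1.0 is left off here; set it to $true if you still need it
# (see the FIPS / SQL logging / RDP notes in the post).
$desired = @{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Set-SchannelProtocol {
    param(
        [string]$Name,
        [bool]$Enabled,
        [string[]]$Sides = @('Server', 'Client')   # Client subkey is optional per the post
    )
    foreach ($side in $Sides) {
        $path = Join-Path (Join-Path $base $Name) $side
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Enabled protocols: DisabledByDefault = 0, Enabled = 1.
        # Disabled protocols: DisabledByDefault = 1, Enabled = 0.
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Reads the values back; '(absent)' means the subkey or value does not exist yet.
    foreach ($name in ($desired.Keys | Sort-Object)) {
        foreach ($side in 'Server', 'Client') {
            $path = Join-Path (Join-Path $base $name) $side
            $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $enabled  = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { '(absent)' }
            $disabled = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(absent)' }
            [pscustomobject]@{ Protocol = $name; Side = $side; Enabled = $enabled; DisabledByDefault = $disabled }
        }
    }
}

foreach ($proto in $desired.Keys) { Set-SchannelProtocol -Name $proto -Enabled $desired[$proto] }
Get-SchannelProtocolState | Format-Table -AutoSize
```

Run Get-SchannelProtocolState on its own first to record the current state, so the change can be reverted if RDP or SQL logging breaks.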
If you disable TLS 1.0, you will need to enable the following setting under Group Policy:
Local Computer\Windows settings\security settings\local policies\security options
Look for “System Cryptography: use FIPS compliant algorithms for encryption, hashing, and signing.”
This will allow the local SQL Server instance to start again and connect properly to Forefront, re-enabling SQL logging, but it will disrupt RDP.
Install the following patch on the TMG servers and on the clients that will connect to them for management over RDP.
For insecure renegotiation, you must have MS10-049 installed.
Then set the following DWORD under
AllowInsecureRenegoClients = 0
DDoS prevention DWORD under
DisableRenegoOnServer = 1
Cipher changes
Be careful about cipher changes: disabling the wrong ciphers can lock you out of Remote Desktop. It is recommended to place the ECDHE ciphers first, for speed.