How We Solved A Major SQL TLS 1.0 Problem

We had a customer who was working on PCI compliance – and failing scans due to weak ciphers and TLS 1.0 being enabled. We have some information about PCI Compliance in our support wiki describing what is disabled on our shared servers and why.

Since we help customers obtain PCI compliance by providing guidance and a secure infrastructure we thought this would be a simple task that we are familiar doing.

We have a PowerShell script for disabling weak ciphers and outdated protocols on Windows Servers (Windows VPS Hosting in this case). We ran the script and completed the process by rebooting the server.

BIG PROBLEM – The MSSQL Server Service failed to start. 

MSSQL and their app were hosted on the same machine. We advised them to isolate app and sql on different servers for best security practices. They hadn’t made this change yet but had plans to do so.

Trial And Error – Solving The Problem with SQL TLS Protocols

  1. (FAIL) We tried the Local Security Policy, enabling “System Cryptography: Use FIPS compliant” see image below. We quickly learned after a reboot that our original changes to the cipher suite and weak protocols were undone and TLS 1.0 was enabled. Microsoft actually has a great post on why they don’t recommend FIPS anymore. And SQL would not start.SQL TLS Fips Compliance - PCI Compliance Troubleshooting
  2. (FAIL) We thought to had missed something. We reset the settings back to what we had before. As I mentioned before we use a PowerShell script to automate these changes but the manual methods are described in KB245030. We rebooted and, SQL Failed to start.
  3. (WIN) We did more thorough search on SQL SSL protocols and discovered that TLS 1.1 and 1.2 were not supported at the time. Although a patch would be released soon.
  4. (SOLUTION) A patch for SQL (2012 in this case) was released. We updated the server to the latest patch version and restarted SQL. SQL was able to start without problem. This particular patch was SQL 2012 SP2 CU6.

Check Your Version

Check your version of SQL by running SQL Server Management Studio and right clicking on the instance name, select properties.

Then check this handy chart for more specific detail related to SQL versions, builds and download links. For SQL 2012 you’ll need at least SP2 CU6.

In Summary

To pass PCI compliance your server needs to have only the most secure protocols and ciphers. You should also have your database on a dedicated server – especially if it contains credit card data of any kind.

For the highest SQL encryption you should patch to the latest release of 2008, 2012 and 2014. Then disable weak ciphers.

If you want help achieving PCI Compliance on Virtual Servers we can help. Get one on one advice from a server expert by scheduling a free consultation appointment.

 

 

Tags: ,

Categories: ,