Thursday 3 May 2018

TLS 1.2 and SharePoint on-prem.

Problem: By default, SharePoint 2016 and SP 2013 use TLS 1.0 as their communication protocol (think SSL version number). A lot of companies and partners are now insisting that your internal SharePoint farms support TLS 1.2 and not the earlier versions. For various compliance frameworks (PCI DSS, HIPAA) you need to ensure you no longer use TLS 1.0 or 1.1 and only support TLS 1.2 and, soon, TLS 1.3. The problem is that the earlier versions have potential vulnerabilities and can lead to various attacks, including man-in-the-middle attacks.

TLS/SSL Basics:

Three Areas of Concern:
  1. SharePoint farm (upgrade to SSL across the farm; TLS 1.2 is supported on SP2010 & 2013 since around Oct 2016) - biggest lift
  2. CSOM client VM (ensure the client VM can send TLS 1.2) - jump boxes, browser
  3. Ensure the communicating app supports TLS 1.2 (either .NET 4.6.2 compiled apps, which default to TLS 1.2, or programmatically enforce the TLS order/version).
Our business needs three parts:
1. SharePoint farm upgrade through the DTAP environments, and test.
2. The calling application needs to use TLS 1.2 as the default and can potentially call backwards. This includes IE/Chrome, calling CSOM code (either fix works: the .NET 4.6.2 upgrade or programmatically enforcing TLS), and PowerShell.
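// C# CSOM programmatic fix to TLS inaccuracies
// Note: this flag set still lets the client negotiate down to TLS 1.1, TLS 1.0 and SSL 3.0.
// Use SecurityProtocolType.Tls12 on its own once every endpoint you call accepts TLS 1.2.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.Ssl3;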
3. If your tools are on a server, ensure outbound TLS traffic is allowed. IIS TLS settings affect both inbound and outbound traffic; override the outbound settings in the registry if you need to.

Validate SSL SharePoint Web Front End:
Use PowerShell to check the WFE or an external tool like HTBridge.
Here is a great tool to look at your HTTPS web server/endpoint setup externally: https://www.htbridge.com/ssl
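
One way to do the PowerShell check of the WFE mentioned above, as an added example that is not from the original post. The function name Test-TlsProtocol and the host name sharepoint.example.internal are placeholders chosen for illustration.

```powershell
# Added example: report which SSL/TLS versions a web front end will negotiate.
# Test-TlsProtocol and the host name at the bottom are hypothetical names.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,
        [string[]] $Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($name in $Protocols) {
        $proto  = [System.Security.Authentication.SslProtocols]$name
        $client = New-Object System.Net.Sockets.TcpClient
        $stream = $null
        $result = [pscustomobject]@{
            Host = $HostName; Protocol = $name; Accepted = $false; Detail = ''
        }
        try {
            $client.Connect($HostName, $Port)
            # Accept any certificate: this probe checks protocol negotiation only,
            # not certificate trust. Do not reuse this callback for real traffic.
            $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
                param($sender, $cert, $chain, $errors) $true
            }
            $stream = New-Object System.Net.Security.SslStream(
                $client.GetStream(), $false, $acceptAny)
            # Offer exactly one protocol version so the server must accept or refuse it.
            $stream.AuthenticateAsClient($HostName, $null, $proto, $false)
            $result.Accepted = $true
            $result.Detail   = "negotiated $($stream.SslProtocol), cipher $($stream.CipherAlgorithm)"
        }
        catch {
            # Handshake refused (or connection failed): record why.
            $result.Detail = $_.Exception.GetBaseException().Message
        }
        finally {
            if ($stream) { $stream.Dispose() }
            $client.Close()
        }
        $result
    }
}

# A farm that has been locked down should show Accepted = True only for Tls12.
Test-TlsProtocol -HostName 'sharepoint.example.internal' | Format-Table -AutoSize
```

A refused handshake can also mean the machine running the probe has that protocol disabled in its own Schannel client settings, so run it from a client that still allows the older versions.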

Tip: Removing TLS1.0 and 1.1 needs to be thoroughly tested as there are numerous dependencies such as OWA, Workflow, CSOM, Internal Comms, SQL Server.
