How To Enable #TLS 1.2 Protocol In System Center Data Protection Manager #DPM #SCDPM #TLS1.2


Introduction

Last year, Microsoft announced Transport Layer Security (TLS) 1.2 protocol support for System Center 2012 R2 and System Center 2016. This of course includes support for System Center Semi-Annual Channel (SAC 1801 and SAC 1807) or later.

TLS is a secure protocol for communication, and TLS 1.2 support has recently been made a mandate across Microsoft products. What that means is that wherever a product leverages TLS, TLS 1.2 should be supported. You can read more about Transport Layer Security (TLS) here.

Meanwhile, TLS version 1.3 was defined in RFC 8446 in August 2018. It is based on the earlier TLS 1.2 specification. You can read about the major differences between TLS 1.2 and TLS 1.3 here. The million dollar question is whether Microsoft will support TLS 1.3 in the near future; as of this writing, no information has been publicly announced yet.

In the case of DPM, the impact is felt when backups are sent to the cloud (Azure Backup), when certificate-based authentication is used to install the agent on a machine in a Workgroup or untrusted Domain, and in certain cases when protecting SQL Servers.

In this article, I will describe all the steps needed to enable TLS 1.2 support for System Center Data Protection Manager.

TLS 1.2 Prerequisites for SC DPM

The following are prerequisites for supporting TLS 1.2 for System Center Data Protection Manager:

  1. .NET version 4.6 should be installed on all the machines – DPM server and Protected Servers. .NET version 4.7 is supported on Windows Server 2019. You can use the following PowerShell command to list the installed .NET features and determine whether .NET is installed: Get-WindowsFeature NET* 
  2. Install the required SQL Server TLS 1.2 support update. You can follow the instructions described here to determine whether you need this update. This update is required for the DPM database and for all SQL Servers that you intend to protect.
  3. Install SQL Server 2012 Native Client 11.0 on the DPM Management Server. You can download Microsoft® SQL Server® 2012 Native Client 11.0 from here. Please note that Microsoft SQL Server 2012 Native Client 11.0 is installed by default when you install SQL Server 2016 (13.x).
  4. Make sure you are running a DPM Server version that supports TLS 1.2. The DPM team added TLS 1.2 support starting with DPM 2012 R2 Update Rollup 14 and DPM 2016 Update Rollup 4, and it is included in DPM SAC 1801 and SAC 1807.
  5. System Center components, including SC DPM, now generate both SHA1 and SHA2 self-signed certificates. In case CA-signed certificates are used for Workgroup machines or an untrusted Domain, please ensure that they are either SHA1 or SHA2: TLS 1.2 supports only SHA1 and SHA2 certificates, so all such certificates must be updated to SHA1 or SHA2.
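The following script is an added example, not code from the original post, that checks three of the prerequisites above on the local machine (the .NET Framework 4.6 Release value, the SQL Server 2012 Native Client entry in the installed-programs registry view, and the signature algorithm of every certificate in the machine's personal store); the function name and the check layout are this example's own, while the registry paths and the 393295 Release threshold are Microsoft-documented values. Run it in an elevated PowerShell session on the DPM server and on each protected server.

```powershell
# Added example: verify TLS 1.2 prerequisites for SC DPM on the local machine.
function Test-DpmTls12Prerequisites {
    [CmdletBinding()]
    param ()

    $results = @()

    # 1. .NET Framework 4.6 or later: the "Release" DWORD under NDP\v4\Full
    #    is 393295 for 4.6 and higher for every later version.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $ndpDetail = if ($ndp) { "Release = $($ndp.Release)" } else { '.NET Framework v4 (Full) not installed' }
    $results += [pscustomobject]@{
        Check  = '.NET Framework 4.6 or later'
        Passed = [bool]($ndp -and $ndp.Release -ge 393295)
        Detail = $ndpDetail
    }

    # 2. SQL Server 2012 Native Client 11.0, located through the installed-programs
    #    registry view (both the 64-bit and the WOW6432Node hives).
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $sqlncli = @(Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -like 'Microsoft SQL Server 2012 Native Client*' })
    $sqlDetail = if ($sqlncli.Count -gt 0) { "Version $($sqlncli[0].DisplayVersion)" } else { 'not installed' }
    $results += [pscustomobject]@{
        Check  = 'SQL Server 2012 Native Client 11.0'
        Passed = ($sqlncli.Count -gt 0)
        Detail = $sqlDetail
    }

    # 3. Certificates in LocalMachine\My must be SHA1 or SHA2 signed; anything else
    #    (for example md5RSA) cannot be used for certificate-based agent authentication.
    $weak = @(Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.SignatureAlgorithm.FriendlyName -notmatch '^sha(1|256|384|512)' })
    $certDetail = if ($weak.Count -gt 0) {
        ($weak | ForEach-Object { "$($_.Subject) [$($_.SignatureAlgorithm.FriendlyName)]" }) -join '; '
    } else { 'all certificates are SHA1 or SHA2 signed' }
    $results += [pscustomobject]@{
        Check  = 'LocalMachine\My certificates use SHA1/SHA2'
        Passed = ($weak.Count -eq 0)
        Detail = $certDetail
    }

    $results
}

Test-DpmTls12Prerequisites | Format-Table -AutoSize -Wrap
```

The DPM update rollup level (prerequisite 4) and the SQL Server TLS 1.2 update (prerequisite 2) are not checked here; confirm those from the DPM console and the SQL Server build number.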

Enable TLS 1.2 Protocol in SC DPM

The following steps are required to enable TLS 1.2 support for System Center Data Protection Manager:

  1. First, harden all systems to use only the TLS 1.2 protocol. To do so, disable every SCHANNEL protocol except TLS 1.2, so that only TLS 1.2 is used for communication between the DPM server and the protected server(s). This setting is made in the registry on all protected systems, including the DPM server. To automate this process, run the following PowerShell script in an elevated (Admin) session; it creates the required SCHANNEL registry keys and sets their values accordingly: .\Enable-TLS1.2.ps1 -Verbose
    <#
    //-----------------------------------------------------------------------
    
    //     Copyright (c) {https://charbelnemnom.com}. All rights reserved.
    
    //-----------------------------------------------------------------------
    
    .NOTES
    File Name : Enable-TLS1.2.ps1
    Author    : Charbel Nemnom
    Version   : 1.1
    Date      : 17-August-2018
    Update    : 20-August-2018
    Requires  : PowerShell Version 5.0 or above
    
    .LINK
    To provide feedback or for further assistance please visit:
    https://charbelnemnom.com
    #>
    
    [CmdletBinding()]
    Param (
        # Every SCHANNEL protocol managed by this script; all but TLS 1.2 are disabled
        $ProtocolList       = @("SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"),
        # Each protocol has a Client and a Server subkey that are configured independently
        $ProtocolSubKeyList = @("Client", "Server"),
        $DisabledByDefault  = "DisabledByDefault",
        $Enabled            = "Enabled",
        # Root of the SCHANNEL protocol settings in the registry
        $registryPath       = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\"
    )
    
    foreach ($Protocol in $ProtocolList)
    {
        Write-Verbose "Configuration for Protocol $Protocol"
        foreach ($key in $ProtocolSubKeyList)
        {
            $currentRegPath = $registryPath + $Protocol + "\" + $key
            Write-Verbose "Registry Path $currentRegPath"
            # The protocol subkeys do not exist by default; create them when missing
            if (!(Test-Path $currentRegPath))
            {
                Write-Verbose "Creating the registry key..."
                New-Item -Path $currentRegPath -Force | Out-Null
            }
            if ($Protocol -eq "TLS 1.2")
            {
                # Enabled = 1 and DisabledByDefault = 0 turn the protocol on
                Write-Verbose "Enable Protocol $Protocol for the $key"
                New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value 0 -PropertyType DWORD -Force | Out-Null
                New-ItemProperty -Path $currentRegPath -Name $Enabled -Value 1 -PropertyType DWORD -Force | Out-Null
            }
            else
            {
                # Enabled = 0 and DisabledByDefault = 1 turn the protocol off
                Write-Verbose "Disable Protocol $Protocol for the $key"
                New-ItemProperty -Path $currentRegPath -Name $DisabledByDefault -Value 1 -PropertyType DWORD -Force | Out-Null
                New-ItemProperty -Path $currentRegPath -Name $Enabled -Value 0 -PropertyType DWORD -Force | Out-Null
            }
        }
    }
    

  2. After TLS 1.2 has been enabled on all systems, we need to configure DPM itself to use only TLS 1.2. Please note that this setting must be made in the registry on the DPM management server and on all other servers on which DPM agents are installed (i.e. Hyper-V hosts, File Servers, SQL, SharePoint, Exchange, Clients, etc.). To automate this process, run the following PowerShell script in an elevated (Admin) session; it sets the .NET Framework SchUseStrongCrypto value so that DPM's .NET components use only the TLS 1.2 protocol:
    # The following setting should be done on the DPM management server and on all other servers on which DPM agents are installed
    # e.g. Hyper-V, File Server, SQL Server, Exchange Server, etc.
    
    # Set SCDPM to support only the TLS 1.2 protocol.
    # SchUseStrongCrypto = 1 makes .NET Framework 4.x applications use strong cryptography;
    # combined with the system-wide SCHANNEL hardening in step 1, DPM then negotiates TLS 1.2 only.
    
    # 64-bit .NET Framework
    $NetRegistryPath = "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
    New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value 1 -PropertyType DWORD -Force | Out-Null
    
    # 32-bit .NET Framework (WOW6432Node) on a 64-bit operating system
    $NetRegistryPath = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319"
    New-ItemProperty -Path $NetRegistryPath -Name "SchUseStrongCrypto" -Value 1 -PropertyType DWORD -Force | Out-Null
  3. Finally, restart the systems (the DPM server and every protected server) so that the SCHANNEL and .NET settings take effect.
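Before rebooting, it is worth reading back what the two scripts wrote. The following audit script is an added example, not code from the original post; the function names are this example's own, and the registry paths and value names are the same ones the scripts above configure. It reports every SCHANNEL protocol/subkey pair and both SchUseStrongCrypto values, and flags anything that does not match the intended TLS 1.2-only state.

```powershell
# Added example: audit the SCHANNEL and .NET registry state after running the scripts above.
function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($protocol in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $path  = Join-Path $base "$protocol\$side"
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            # A missing key or value means "operating system default", which for TLS 1.0/1.1
            # on the Windows Server versions DPM supports is still enabled, so treat it as not hardened.
            $enabled  = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
            $disabled = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            $wantOn = ($protocol -eq 'TLS 1.2')
            $ok = if ($wantOn) { ($enabled -eq 1) -and ($disabled -eq 0) }
                  else         { ($enabled -eq 0) -and ($disabled -eq 1) }
            [pscustomobject]@{
                Protocol = $protocol; Side = $side
                Enabled = $enabled; DisabledByDefault = $disabled; AsIntended = $ok
            }
        }
    }
}

function Get-DotNetStrongCryptoState {
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $value = (Get-ItemProperty -Path $path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Path = $path; SchUseStrongCrypto = $value; AsIntended = ($value -eq 1) }
    }
}

$schannel = Get-SchannelProtocolState
$dotnet   = Get-DotNetStrongCryptoState
$schannel | Format-Table -AutoSize
$dotnet   | Format-Table -AutoSize

# Summarise: anything not AsIntended would leave a weaker protocol negotiable after the reboot
$bad = @($schannel | Where-Object { -not $_.AsIntended }) + @($dotnet | Where-Object { -not $_.AsIntended })
if ($bad.Count -eq 0) {
    Write-Host 'All SCHANNEL and .NET settings match the TLS 1.2-only configuration.'
} else {
    Write-Warning "$($bad.Count) setting(s) differ from the intended state; review the tables above before rebooting."
}
```

Run it once before the reboot to confirm the scripts wrote what you expect, and once after to confirm nothing (for example a Group Policy preference) reverted the values.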

Validate TLS 1.2 Protection with SC DPM

The DPM Agent can be installed on the Protected Server either directly from the DPM server for servers in the domain, or using Certificate Based Authentication for computers in a Workgroup or Untrusted Domain. If TLS 1.2 is not set properly (system-wide) on both the DPM server and the protected server, DPM will throw an error with an access denied message similar to the one below. As you can see, the error message is misleading :)

With TLS 1.2 enabled, the following scenarios work for all kinds of workloads backed up by DPM (i.e. SQL, SharePoint, Exchange, File Servers, Hyper-V hosts, Hyper-V VMs, Clients, System State, BMR), so you can use them to validate the configuration:

  1. Attaching a Protected Server in a Workgroup / Untrusted Domain to DPM (please note that VMware VM backup is not supported with DPM TLS 1.2).
  2. While creating Protection Groups, all data sources on the Protected Server are displayed.
  3. Protecting different kinds of workloads to disk, to tape, and to cloud. However, to enable Data Protection Manager to back up to Azure Backup with TLS 1.2, you need to apply these steps on the Data Protection Manager server only.
  4. Recovering different kinds of workloads to the Original Location or an Alternate Location, recovering cloud recovery points, and recovering from an External DPM Server.

Finally, DPM 1807 included a set of bug fixes. One of the issues addressed was DPM updates not working when Transport Layer Security (TLS) 1.2 is enabled. So if you are still using DPM 1801, I recommend upgrading to the latest SAC 1807 release.

Until then… Stay protected and secure with DPM!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


About Charbel Nemnom
Charbel Nemnom is a Cloud Architect, ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), totally fan of the latest's IT platform solutions, accomplished hands-on technical professional with over 17 years of broad IT Infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. Excellent communicator is adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers through demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex systems builds, network design, business continuity, and cloud security.
