Secure your LiveCompare server
Consider the following manual configuration steps to make your LiveCompare server more secure. You may need to discuss these with your Network Administrator.
Insecure SSL
Due to historic export restrictions on high-grade cryptography, both new and legacy web servers often support, and are configured to accept, weak cryptographic options. In particular, TLS 1.0 and 1.1 are known to be insecure.
Recommendations
These recommendations should be followed:
- TLS version 1.2 or later should be used for all communications. If older versions of TLS are installed on the LiveCompare server, these older versions should be disabled.
- A TLS server certificate check should be performed.
- For TLS versions below 1.3, only the following cipher suites should be permitted:
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- When using the following cipher suites, key lengths of at least 2048 bits are required.
  - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Disable older TLS versions
If TLS versions 1.1 or 1.0 are enabled on the LiveCompare server, the Pre-install Check utility will report a warning. It is recommended that these older versions of TLS are disabled.
Disable TLS 1.0
To disable TLS 1.0, follow these steps on the LiveCompare server.
- Run regedit and navigate to the following folder:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Select the Protocols key and choose New > Key from the context menu. Rename the new key as TLS 1.0.
- Select the TLS 1.0 key and choose New > Key from the context menu. Rename the new key as Client.
- Select the Client key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as Enabled.
- Select the Client key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as DisabledByDefault and set its value to 1.
- Select the TLS 1.0 key and choose New > Key from the context menu. Rename the new key as Server.
- Select the Server key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as Enabled.
- Select the Server key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as DisabledByDefault and set its value to 1.
Disable TLS 1.1
To disable TLS 1.1, follow these steps on the LiveCompare server.
- Run regedit and navigate to the following folder:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Select the Protocols key and choose New > Key from the context menu. Rename the new key as TLS 1.1.
- Select the TLS 1.1 key and choose New > Key from the context menu. Rename the new key as Client.
- Select the Client key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as Enabled.
- Select the Client key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as DisabledByDefault and set its value to 1.
- Select the TLS 1.1 key and choose New > Key from the context menu. Rename the new key as Server.
- Select the Server key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as Enabled.
- Select the Server key and choose New > DWORD (32-Bit) Value from the context menu. Rename the DWORD as DisabledByDefault and set its value to 1.
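
The two regedit procedures above (TLS 1.0 and TLS 1.1) can be scripted. The following PowerShell is an added example, not part of the LiveCompare documentation or tooling. It assumes an elevated session and sets Enabled to 0, the value regedit gives a newly created DWORD, which the steps above leave unchanged.

```powershell
# Added example: scripted equivalent of the regedit steps for TLS 1.0 and TLS 1.1.
# Assumption: run from an elevated PowerShell session on the LiveCompare server.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'TLS 1.0', 'TLS 1.1'
$roles     = 'Client', 'Server'

foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $base $protocol) $role

        # Create Protocols\<protocol>\<role> only if it is missing, so that any
        # values already present under an existing key are left in place.
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        # Assumption: Enabled = 0 mirrors the default value of a DWORD that is
        # created in regedit and not edited, as in the manual steps.
        New-ItemProperty -LiteralPath $key -Name 'Enabled' -Value 0 `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -LiteralPath $key -Name 'DisabledByDefault' -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Read the values back and flag any key that does not match the intended state.
$report = foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $base $protocol) $role
        $v   = Get-ItemProperty -LiteralPath $key
        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = $v.Enabled
            DisabledByDefault = $v.DisabledByDefault
            Disabled          = ($v.Enabled -eq 0 -and $v.DisabledByDefault -eq 1)
        }
    }
}

$report | Format-Table -AutoSize
if ($report.Disabled -contains $false) {
    Write-Warning 'At least one TLS 1.0/1.1 key does not have the expected values.'
}
```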