PCI Security and TLS 1.2 – Is Your Restaurant Ready?
By June 30, 2018, the Payment Card Industry Security Standards Council (PCI SSC) requires TLS 1.1 or greater for all processing and third-party service providers, and recommends TLS 1.2. Here at LevelUp, we’ve been working closely with our restaurant and point of sale (POS) partners to get ready for the new requirements. Throughout this process, we’ve learned that the procedures to enable the latest and most secure version of TLS (TLS version 1.2) on Microsoft Windows are time-consuming, cumbersome, and error-prone for system administrators to carry out successfully.
What follows is a hands-on technical tutorial for IT professionals maintaining Microsoft Windows systems on how to properly enable TLS 1.2 and how to verify that TLS 1.2 is actually being used for secure communications. To help ease the transition, we’ve developed TLS Patcher, a simple Windows utility that applies the required updates and configures Windows systems to use TLS 1.2. Let’s talk about what you need to know.
What is TLS?
Transport Layer Security (TLS), the modern successor to Secure Sockets Layer (SSL) originally developed by Netscape in 1995, provides cryptographic protocols for secure communications over the Internet. TLS is what puts the S in HTTPS (i.e., web traffic is secured with TLS). TLS protocol version 1.0 was standardized in 1999, updated by version 1.1 in 2006, and again by version 1.2 in 2008. The next version of TLS, version 1.3, is going through the standardization process now and is still a working draft, although some early implementations are already available to software developers.
Which versions of Windows support TLS 1.2?
Microsoft officially supports TLS 1.2 starting with Windows 7 for applications built using Secure Channel (Schannel), which is the standard Windows Security Support Provider (SSP) that implements TLS (and older SSL) protocols. Later, Microsoft provided TLS 1.2 updates for older Windows versions such as Vista and Windows Server 2008.
Microsoft also provides access to Schannel and TLS 1.2 through the .NET Framework for applications built on .NET starting with .NET Framework 4.5 (available on Windows Vista SP2 and later).
Some non-Microsoft technologies and networking stacks exist, such as OpenSSL, which is available for Windows and supports TLS 1.2 even on some legacy systems such as Windows XP. However, these will not be considered here. (Nobody is still running Windows XP, right?!)
It turns out that even though TLS 1.2 is supported starting with Windows Vista SP2 and Windows Server 2008 SP2 (with security updates), support and use are two different things, and the gap exists at two layers. First, on older versions of Windows such as Windows 7 and Windows Server 2008 R2, Schannel does not enable TLS 1.2 as a security protocol by default: it must be explicitly enabled in the Windows Registry. Second, on every version of Windows, including Windows 10, an application built on .NET Framework 4.5 defaults to SSL 3.0/TLS 1.0 for its own outbound connections, so it will not use TLS 1.2 without the proper .NET Registry settings or application code changes, no matter what the operating system itself supports.
That’s worth repeating: Just because you’re running Windows 7 or Windows 8 or even Windows 10 does not mean that TLS 1.2 is enabled and being used for secure communications!
How can I determine if an application is using TLS 1.2?
First, some common misconceptions:
- I’m running Windows 7 or Windows 8.1 or Windows 10 and it supports TLS 1.2, therefore applications are communicating over TLS 1.2 and are secured.
- I’ve verified that websites visited from Internet Explorer, Chrome, and Firefox (e.g., Qualys SSL Labs’ SSL/TLS Client Test) are using TLS 1.2, therefore TLS 1.2 is enabled on my system and (non-web browser-based) applications are communicating over TLS 1.2 and are secured.
If you thought that, you certainly wouldn’t be the first. But, unfortunately, you’d be wrong.
It’s time to take matters into our own hands: let’s determine which version of TLS is being used by inspecting the application’s TLS packets using a protocol analyzer (aka packet sniffer). For this job, we’ll be using the tried-and-true Microsoft Network Monitor. Network Monitor (aka Netmon) hasn’t seen any love since 2010, and all the cool kids have since moved on to Microsoft Message Analyzer and Wireshark. But hey, Netmon works on most Windows systems, old and new, and it provides an easy way to find out exactly what we’re looking for.
Step 1. After downloading and installing Microsoft Network Monitor and firing it up, ensure the correct network interfaces are selected in the lower left “Select Networks” pane (if you’re not sure, just check them all.) Open a new capture tab using File > New > Capture:
Step 2. In the “Display Filter” pane enter “tls” and then click “Apply”:
Step 3. Start the capture using Capture > Start:
Step 4. Launch the application in question and when it appears under “Network Conversations” select it (e.g., POS.EXE). As the application starts communicating, its network packets will appear in the “Frame Summary” window. Select a packet to inspect it. In the “Frame Details” window, expand the TLS data packet and look for the “TLS Version” field. Look at the Server Hello handshake message in particular: the version it carries is the one both sides agreed on. The Client Hello can be misleading, because for compatibility its outer record-layer version is frequently shown as TLS 1.0 even when the client is offering TLS 1.2 in the handshake itself. You’ll want to verify the negotiated version is displayed as “TLS 1.2”:
If the connection negotiated TLS 1.2, you’re good for that application and that service. If you see an older version such as TLS 1.1 or TLS 1.0, you have some work to do (keep reading). Note that the negotiated version is the best both sides can do: a client that is capable of TLS 1.2 will still end up on TLS 1.0 if the service it talks to offers nothing better, so the fix may be on the client, on the service, or on both. You’ll want to review every application that needs to securely communicate over the Internet, and every service each one connects to.
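Netmon shows what a running application negotiated after the fact. As a complement, the following PowerShell script (an added example, not part of the original post or of TLS Patcher) probes a service from the same machine through .NET’s Schannel-backed SslStream, the same path a .NET POS application takes, asking for TLS 1.0, 1.1 and 1.2 one at a time and reporting what was actually negotiated. It also prints the .NET default security protocol, which is the value a .NET 4.x application silently inherits. The host name is a placeholder; substitute your payment processor’s endpoint.

```powershell
# Added example (not from the original post or from TLS Patcher): probe which
# TLS versions this Windows host can actually negotiate with a given service,
# using the same .NET/Schannel SslStream that a .NET POS application uses.
# Run it before and after changing the registry keys described in this post.

function Test-TlsVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        # Each version is requested on its own, so a failure pinpoints the version.
        [System.Security.Authentication.SslProtocols[]] $Protocols = @('Tls', 'Tls11', 'Tls12')
    )

    foreach ($proto in $Protocols) {
        $client = $null
        $ssl    = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # No validation callback is supplied, so a bad server certificate
            # fails the handshake instead of being silently accepted.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            # Explicitly requesting a protocol bypasses the .NET default
            # (ServicePointManager.SecurityProtocol); it only proves Schannel
            # on this machine and the remote service can both speak it.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            [pscustomobject]@{
                Requested  = $proto
                Negotiated = $ssl.SslProtocol        # what Schannel actually agreed on
                Cipher     = $ssl.CipherAlgorithm
                Supported  = $true
                Error      = $null
            }
        } catch {
            [pscustomobject]@{
                Requested  = $proto
                Negotiated = $null
                Cipher     = $null
                Supported  = $false
                Error      = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl)    { $ssl.Close() }
            if ($client) { $client.Close() }
        }
    }
}

# What a .NET 4.x application gets by default on this machine. Before the
# SchUseStrongCrypto key is set, .NET 4.5 typically reports "Ssl3, Tls",
# which is why a POS application can stay on TLS 1.0 even though the
# operating system supports TLS 1.2.
"Default .NET SecurityProtocol: $([System.Net.ServicePointManager]::SecurityProtocol)"

# Placeholder host name: replace with your payment processor's endpoint.
Test-TlsVersion -HostName 'api.example.com' | Format-Table -AutoSize
```

A row with Requested = Tls12 and Supported = False on a machine that has not yet been patched points at Schannel (the registry keys below); a row where Tls12 succeeds while the default SecurityProtocol still reads “Ssl3, Tls” points at the .NET default, which is exactly the case Netmon will show as a TLS 1.0 conversation from a .NET application.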
How can I enable TLS 1.2 on Windows?
There are a few steps to enabling TLS 1.2 on Windows. We’ll go over them in detail here (the impatient may want to head over to LevelUp TLS Patcher on GitHub):
- Installing Microsoft .NET Framework updates (we recommend .NET 4.6 or higher)
- Setting the appropriate Windows Registry keys. Which keys depends on the system architecture (32-bit vs. 64-bit) and on which Windows API the applications use to reach the network: Secure Channel (Schannel) directly, or the .NET Framework on top of it.
- Selecting “Use TLS 1.2” from Internet Options (Advanced tab below Security) to enable TLS 1.2 in Internet Explorer:
To enable TLS 1.2 for applications using Schannel, the following Schannel registry keys must be set. None of them exist by default (not even the TLS 1.2 key itself), so create the whole path if it is missing; if you import them from a .reg file, the file must begin with the line “Windows Registry Editor Version 5.00”:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000
To enable TLS 1.2 for applications using .NET Framework 4.5 and higher, the following .NET Framework strong cryptography registry value (SchUseStrongCrypto) must be set. It changes the default security protocol of every .NET 4.x application on the machine from SSL 3.0/TLS 1.0 to TLS 1.0/1.1/1.2 without any application code change, and it takes effect for processes started after the value is written:
On 32-bit and 64-bit systems:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
On 64-bit systems (in addition, so that 32-bit .NET applications running on 64-bit Windows are covered):
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
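The steps above (Schannel keys, .NET strong cryptography keys, and the Internet Options checkbox) can be applied and then read back from an elevated PowerShell prompt. The script below is an added example written for this page; it is not TLS Patcher’s own code and it does not install .NET Framework 4.6, which you must still do first. The registry paths and value names are Microsoft’s documented ones. The SecureProtocols bitmask is the per-user registry form of the “Use TLS 1.2” checkbox in Internet Options; the script assumes a value of 0xA80 (TLS 1.0, 1.1 and 1.2) when the value is absent, so that it only adds TLS 1.2 and never removes a protocol that was already on.

```powershell
#Requires -RunAsAdministrator
# Added example (not TLS Patcher's own code): apply and verify the registry
# settings that enable TLS 1.2 for Schannel and .NET Framework applications.
# Prerequisite: .NET Framework 4.6 or later is already installed.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$dotnet32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'   # 32-bit apps on 64-bit Windows
$ie       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Set-RegDword {
    param([string] $Path, [string] $Name, [int] $Value)
    # The Protocols\TLS 1.2 tree does not exist by default; -Force creates all missing parents.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Force overwrites an existing value, so the script is safe to re-run.
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Enable-Tls12 {
    # Schannel: enable TLS 1.2 for both the client and server side of the machine.
    foreach ($side in 'Client', 'Server') {
        Set-RegDword "$schannel\$side" 'Enabled'           1
        Set-RegDword "$schannel\$side" 'DisabledByDefault' 0
    }
    # .NET Framework: switch the default SecurityProtocol of .NET 4.x apps to TLS 1.0/1.1/1.2.
    Set-RegDword $dotnet 'SchUseStrongCrypto' 1
    if ([Environment]::Is64BitOperatingSystem) {
        Set-RegDword $dotnet32 'SchUseStrongCrypto' 1
    }
    # Internet Explorer / WinINet "Use TLS 1.2" checkbox (current user):
    # SecureProtocols bits 0x80 = TLS 1.0, 0x200 = TLS 1.1, 0x800 = TLS 1.2.
    $current = (Get-ItemProperty -Path $ie -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $current) { $current = 0xA80 }   # assumption: TLS 1.0+1.1+1.2 when the value is absent
    Set-RegDword $ie 'SecureProtocols' ($current -bor 0x800)   # add TLS 1.2, keep whatever else was enabled
}

function Test-Tls12Config {
    $checks = @(
        @{ Path = "$schannel\Client"; Name = 'Enabled';            Expected = 1 },
        @{ Path = "$schannel\Client"; Name = 'DisabledByDefault';  Expected = 0 },
        @{ Path = "$schannel\Server"; Name = 'Enabled';            Expected = 1 },
        @{ Path = "$schannel\Server"; Name = 'DisabledByDefault';  Expected = 0 },
        @{ Path = $dotnet;            Name = 'SchUseStrongCrypto'; Expected = 1 }
    )
    if ([Environment]::Is64BitOperatingSystem) {
        $checks += @{ Path = $dotnet32; Name = 'SchUseStrongCrypto'; Expected = 1 }
    }
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Key      = "$($c.Path)\$($c.Name)"
            Expected = $c.Expected
            Actual   = $actual                 # $null means the value is missing entirely
            OK       = ($actual -eq $c.Expected)
        }
    }
    # IE reported separately: only the TLS 1.2 bit is checked, other bits are left as found.
    $sp = (Get-ItemProperty -Path $ie -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    [pscustomobject]@{
        Key      = "$ie\SecureProtocols (TLS 1.2 bit)"
        Expected = 0x800
        Actual   = if ($null -eq $sp) { $null } else { $sp -band 0x800 }
        OK       = (($sp -band 0x800) -eq 0x800)
    }
}

Enable-Tls12
Test-Tls12Config | Format-Table -AutoSize
```

Run Test-Tls12Config on its own to audit a machine without changing it. Restart the applications afterwards (the .NET default is read at process start), and reboot if Schannel does not pick up the change; then confirm with Netmon that the conversations you care about really negotiate TLS 1.2.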
Introducing TLS Patcher
Enabling TLS 1.2 on Windows seems like a lot of work. Is there an easier way?
We’re so glad you asked. To facilitate enabling TLS 1.2 on Microsoft Windows, LevelUp has released a simple utility, TLS Patcher, that will:
- Automatically download and install .NET Framework 4.6 if .NET 4.6 or later is not already installed.
- Set the proper Windows Registry keys to enable TLS 1.2 as the default security protocol for Windows applications using .NET Framework 4.5 and higher or Schannel.
TLS Patcher is available for download as a pre-built installer for 32-bit and 64-bit versions of Windows Vista SP2 and up (Vista SP2 and Windows Server 2008 SP2 require Microsoft Update KB4019276) and the source code is available under the Apache 2.0 license. After downloading TLS Patcher, simply run the installer and accept the license agreement. If .NET Framework 4.6 or later is not already installed, you’ll have to wait while .NET 4.6 is downloaded and installed (accept the license terms and click “Install” when prompted.) You may be prompted to restart your computer in order for the changes to take effect.
Once TLS Patcher is installed you should really be ready for TLS 1.2. But don’t take our word for it, go back and check your applications again using Netmon.
How can I take this a step further?
Our goal with TLS Patcher is to be minimally invasive to our restaurant partners’ systems while providing a simple way to ensure TLS 1.2 is properly enabled. For those who may be interested in diving deeper and controlling other aspects of TLS that affect security including managing cipher suites and disabling support for SSL and TLS 1.0, there are other more flexible tools available such as IIS Crypto from Nartac Software.
A word of caution: disabling protocols and cipher suites could prevent access to some websites and services that haven’t been upgraded yet. For this reason, TLS Patcher is limited to enabling TLS 1.2 and selecting it as the default protocol version. Furthermore, TLS Patcher is unique in that it also ensures TLS 1.2 is configured and available to existing .NET 4.x applications without requiring application updates and source code changes.
Regardless of what system and application software updates, configuration changes, and other security upgrades are applied, it’s important to use tools such as Network Monitor to verify that the security protocols you expect are actually being used. Enabling TLS 1.2 does not remove TLS 1.0 or 1.1, so a client that is now capable of TLS 1.2 will still negotiate an older version with a service that offers nothing better; check each service your applications talk to, not just the client configuration.
What are you waiting for? The June 30th deadline is just around the corner!