All posts in category SSL and TLS

TLS and Microsoft SQL Server 2022

Transport Layer Security (TLS) for SQL Server 2022 has numerous benefits. TLS enhances SQL Server security by providing authentication, encrypting data in transit, ensuring regulatory compliance, and following security best practices. It helps prevent unauthorized access, protects sensitive information, and mitigates interception attacks, making it a critical component of a secure database environment.

Self-Signed Certificates

When installing Microsoft SQL Server 2022 on-premises, a self-signed certificate is automatically created to support Transport Layer Security (TLS) connections to the database. From a security perspective, using unmanaged, self-signed certificates is never a good idea.

Risk

Self-signed certificates are insecure because they are not issued by a trusted Certification Authority (CA), making it impossible to verify the legitimacy of the server. This lack of trust enables attackers to intercept and manipulate data through interception attacks. Additionally, since operating systems do not automatically trust self-signed certificates, users may ignore security warnings, increasing the risk of connecting to malicious or compromised servers.

Enterprise PKI Certificates

For production workloads, security best practices dictate using enterprise PKI-issued and managed certificates, which provide many security benefits.

Authentication

TLS with managed certificates provides a mechanism for server authentication, ensuring that clients connect to a legitimate server and not an impostor. TLS authentication helps mitigate interception attacks where an attacker could potentially impersonate the server. Managed TLS certificates can also be revoked in the event of key compromise.

Data Encryption

Microsoft SQL Server 2022 database servers often store sensitive data, including personal details, financial records, and other confidential business information. TLS ensures that data in transit between the client and the server is encrypted using modern cryptography, which enhances privacy and confidentiality while preventing unauthorized interception and eavesdropping.

Compliance Requirements

Many regulatory frameworks and compliance standards, such as GDPR, HIPAA, or PCI-DSS, require or strongly recommend encrypting data in transit. Enabling TLS on SQL Server helps meet these compliance standards, strengthens internal security protections, and avoids potential penalties.

Security Best Practice

Implementing TLS is considered a fundamental security best practice in network and data communication. It reduces the risk of data breaches and enhances the overall network security posture in the enterprise.

TLS and SQL Server 2022

Microsoft SQL Server 2022 includes critical new options for administrators. The “Force Encryption” and “Force Strict Encryption” flags control how encryption is enforced for client connections, but their behavior and compatibility requirements differ.

Force Encryption

When this setting is enabled, the SQL server will encrypt communication between the client and server using TLS. However, contrary to what the name of the setting implies, it is possible for the server to accept unencrypted connections in some cases. If the client does not support encryption, the connection may still succeed without encryption. Enabling Force Encryption prioritizes encryption but does not strictly enforce it, meaning older clients that do not support encryption can still connect. Administrators can use this setting to ensure backward compatibility for applications that may not support strict encryption policies. However, upgrading applications to support encryption is strongly advised.

Force Strict Encryption

This setting is subtly different than the previous setting. It also ensures that all communication between the client and the server is encrypted without exception. If a client does not support encryption, the connection will be rejected. In addition, this setting enforces enhanced security parameters for the connection, such as certificate validation, more secure TLS cipher suites, and the use of TLS 1.3* when available. Force Strict Encryption is designed for modern security compliance. It is the preferred setting and should be used when all clients are known to support encryption.

* Note: TLS 1.3 is supported with SQL Server 2022 cumulative update 1 or later installed.

Key Differences

The following table summarizes the key differences between Force Encryption and Force Strict Encryption.

Force EncryptionEncourages but does not require encryption. Unencrypted connections may still be allowed.
Force Strict EncryptionRequires encryption for all connections. Clients that do not support encryption will be rejected.

Summary

By securing your Microsoft SQL Server with TLS, you significantly enhance the security, reliability, and trustworthiness of your data management systems. In the next post, I’ll provide detailed step-by-step guidance for enabling and configuring TLS on Microsoft SQL Server 2022 using best security practices.

Additional Information

Step-by-Step Guide: Enable TLS in Microsoft SQL Server 2022

VIDEO: Enable TLS in Microsoft SQL Server 2022

Microsoft SQL Server 2022

1 Comment
by Richard M. Hicks on February 27, 2025  •  Permalink
Posted in administration, authentication, Certificate Authentication, Certificate Authority, Certificate Services, Certificate-Based Authentication, certificates, Compliance, Cryptography, Deployment, Encryption, Enterprise, Infrastructure, Microsoft, Operational Support, PKI, public key infrastructure, Security, SMSS, SQL, SQL Server, SQL Server 2022, SQL Server Management Studio, SSL, SSL and TLS, TLS, Transport Layer Security, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on February 27, 2025

https://directaccess.richardhicks.com/2025/02/27/tls-and-microsoft-sql-server-2022/

DirectAccess and CVE-2024-38063

With the August 2024 Windows security updates, Microsoft released a fix to address a Remote Code Execution vulnerability in the Windows TCP/IP stack (CVE-2024-38063). Critically, this vulnerability affects IPv6 only and does not require authentication or user interaction to exploit. An attacker would only need to send specially crafted IPv6 packets to a Windows host, which could allow them to run arbitrary code on the server. This vulnerability presents some unique challenges for organizations that have deployed DirectAccess.

Exposure

DirectAccess servers are deployed to provide secure remote access and are, necessarily, exposed to the public Internet. Sometimes, this is a direct connection (not recommended) or behind an edge firewall or load balancer. In either case, anyone can establish a TCP connection from the Internet to the DirectAccess server by default. If the DirectAccess server has a global unicast IPv6 address assigned to its external interface, that presents a worst-case scenario for exposure. Administrators should update their DirectAccess servers immediately. There are some other mitigation options, though. See below for more details.

IPv6 Transition

DirectAccess servers are usually reachable on the public Internet via IPv4 only. The lack of direct IPv6 connectivity significantly reduces the attack vector for this vulnerability. However, DirectAccess servers use various IPv6 transition technologies that could present additional risks.

Tunnel Establishment

Clients on the Internet can establish an IPv6 transition tunnel to the DirectAccess server without authentication. Once the tunnel is established, the client will receive a router advertisement (RA) and establish an IPv6 address on link. However, communication over the link requires IPsec. Although an attacker can obtain an IPv6 address, they require authentication to send TCP and UDP traffic inside the tunnel.

ICMP

It’s important to know that ICMP traffic inside the DirectAccess IPv6 transition tunnel is exempt from IPsec policy processing, by default. It is unclear whether the “specially crafted packets” an attacker must send to exploit this vulnerability can be ICMP packets. If that’s the case, this introduces significant risks and increases exposure exponentially. I will update this post if I learn anything more about this specifically.

Mitigation

The best and most obvious way to mitigate this attack is to immediately apply the Microsoft security updates. However, some additional controls can be effective in mitigating this risk.

Authentication

As mentioned, DirectAccess allows IPv6 transition tunnels to be established by default without authentication. However, it is possible to update the DirectAccess configuration to support authentication, as described here.

https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

Note: Updating the DirectAccess configuration can be impactful for remote users. Be sure to test this change in a lab environment before implementing in production.

Load Balancers

If the DirectAccess server is behind a load balancer, it can be configured to require authentication for DirectAccess IPv6 transition tunnels. Below is published guidance for configuring popular load balancers to support this.

F5 BIG-IP

Citrix ADC (formerly NetScaler)

Additional Information

Microsoft Windows TCP/IP Remote Code Execution Vulnerability

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

DirectAccess IP-HTTPS Preauthentication using Citrix ADC (formerly NetScaler)

3 Comments
by Richard M. Hicks on August 15, 2024  •  Permalink
Posted in BIG-IP, CVE, DirectAccess, encapsulation, Enterprise, enterprise mobility, Hotfix, IP-HTTPS, IPv6, Load Balancing, local traffic manager, LTM, Microsoft, Mobility, Operational Support, Remote Access, Security, Security Update, SSL, SSL and TLS, TLS, transition technology, Update, Windows 10, Windows 11, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025
Tagged , , , , , , , , , ,

Posted by Richard M. Hicks on August 15, 2024

https://directaccess.richardhicks.com/2024/08/15/directaccess-and-cve-2024-38063/

Always On VPN Security Updates August 2024

Today is the second Tuesday of the month, so Windows Server administrators everywhere know what that means – it’s Update Tuesday! For Always On VPN administrators in particular there are a few security updates that affect Windows Server Routing and Remote Access (RRAS), which is a popular VPN server used to support Always On VPN implementations. While many of these updates address Remote Code Execution vulnerabilities, non are considered critical.

RRAS Updates

This month there are six vulnerabilities disclosed affecting Windows Server RRAS.

CVE-2024-38120 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38121 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38128 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38130 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38154 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38214 – Windows RRAS Remote Code Execution Vulnerability (Important)

Additional Updates

In addition to the updates addressing vulnerabilities in Windows Server RRAS, there are also updates available for the Windows Network Address Translation (NAT), Windows Transport Layer Security (TLS), and Windows IP Routing Management snapin that could potentially impact Always On VPN deployments.

Recommendations

None of the security vulnerabilities disclosed this month are critical. Although the RRAS vulnerabilities are remote code execution, exploitation is unlikely. However, administrators are encouraged to update their systems as soon as possible.

Additional Information

Microsoft August 2024 Security Updates

Leave a comment
by Richard M. Hicks on August 13, 2024  •  Permalink
Posted in administration, Always On VPN, AOVPN, CVE, Enterprise, Hotfix, Microsoft, Mobility, Operational Support, Remote Access, routing, routing and remote access service, RRAS, Security, Security Update, SSL, SSL and TLS, TLS, Update, VPN, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on August 13, 2024

https://directaccess.richardhicks.com/2024/08/13/always-on-vpn-security-updates-august-2024/

« Older Posts
Newer Posts »