TLS and Microsoft SQL Server 2022

Transport Layer Security (TLS) for SQL Server 2022 has numerous benefits. TLS enhances SQL Server security by providing authentication, encrypting data in transit, ensuring regulatory compliance, and following security best practices. It helps prevent unauthorized access, protects sensitive information, and mitigates interception attacks, making it a critical component of a secure database environment.

Self-Signed Certificates

When installing Microsoft SQL Server 2022 on-premises, a self-signed certificate is automatically created to support Transport Layer Security (TLS) connections to the database. From a security perspective, using unmanaged, self-signed certificates is never a good idea.

Risk

Self-signed certificates are insecure because they are not issued by a trusted Certification Authority (CA), making it impossible to verify the legitimacy of the server. This lack of trust enables attackers to intercept and manipulate data through interception attacks. Additionally, since operating systems do not automatically trust self-signed certificates, users may ignore security warnings, increasing the risk of connecting to malicious or compromised servers.

Enterprise PKI Certificates

For production workloads, security best practices dictate using enterprise PKI-issued and managed certificates, which provide many security benefits.

Authentication

TLS with managed certificates provides a mechanism for server authentication, ensuring that clients connect to a legitimate server and not an impostor. TLS authentication helps mitigate interception attacks where an attacker could potentially impersonate the server. Managed TLS certificates can also be revoked in the event of key compromise.

Data Encryption

Microsoft SQL Server 2022 database servers often store sensitive data, including personal details, financial records, and other confidential business information. TLS ensures that data in transit between the client and the server is encrypted using modern cryptography, which enhances privacy and confidentiality while preventing unauthorized interception and eavesdropping.

Compliance Requirements

Many regulatory frameworks and compliance standards, such as GDPR, HIPAA, or PCI-DSS, require or strongly recommend encrypting data in transit. Enabling TLS on SQL Server helps meet these compliance standards, strengthens internal security protections, and avoids potential penalties.

Security Best Practice

Implementing TLS is considered a fundamental security best practice in network and data communication. It reduces the risk of data breaches and enhances the overall network security posture in the enterprise.

TLS and SQL Server 2022

Microsoft SQL Server 2022 includes critical new options for administrators. The “Force Encryption” and “Force Strict Encryption” flags control how encryption is enforced for client connections, but their behavior and compatibility requirements differ.

Force Encryption

When this setting is enabled, the SQL server will encrypt communication between the client and server using TLS. However, contrary to what the name of the setting implies, it is possible for the server to accept unencrypted connections in some cases. If the client does not support encryption, the connection may still succeed without encryption. Enabling Force Encryption prioritizes encryption but does not strictly enforce it, meaning older clients that do not support encryption can still connect. Administrators can use this setting to ensure backward compatibility for applications that may not support strict encryption policies. However, upgrading applications to support encryption is strongly advised.

Force Strict Encryption

This setting is subtly different than the previous setting. It also ensures that all communication between the client and the server is encrypted without exception. If a client does not support encryption, the connection will be rejected. In addition, this setting enforces enhanced security parameters for the connection, such as certificate validation, more secure TLS cipher suites, and the use of TLS 1.3* when available. Force Strict Encryption is designed for modern security compliance. It is the preferred setting and should be used when all clients are known to support encryption.

* Note: TLS 1.3 is supported with SQL Server 2022 cumulative update 1 or later installed.

Key Differences

The following table summarizes the key differences between Force Encryption and Force Strict Encryption.

Force EncryptionEncourages but does not require encryption. Unencrypted connections may still be allowed.
Force Strict EncryptionRequires encryption for all connections. Clients that do not support encryption will be rejected.

Summary

By securing your Microsoft SQL Server with TLS, you significantly enhance the security, reliability, and trustworthiness of your data management systems. In the next post, I’ll provide detailed step-by-step guidance for enabling and configuring TLS on Microsoft SQL Server 2022 using best security practices.

Additional Information

Step-by-Step Guide: Enable TLS in Microsoft SQL Server 2022

VIDEO: Enable TLS in Microsoft SQL Server 2022

Microsoft SQL Server 2022

Managed Certificates for Remote Desktop Protocol

The Remote Desktop Protocol (RDP) is arguably the most widely used protocol for Windows remote server administration. RDP uses Transport Layer Security (TLS) for server authentication, data encryption, and integrity. However, the default configuration of TLS for RDP in Windows is less than ideal.

RDP Self-Signed Certificate

By default, RDP uses a self-signed certificate for TLS operations. TLS with self-signed certificates is a bad security practice because they are not validated by a trusted certificate authority (CA), making it impossible for clients to verify the authenticity of the server they are connecting to, which can lead to interception attacks.

Certificate Warning

Most administrators have encountered a warning error when connecting to a remote host via RDP using a self-signed RDP certificate.

“The remote computer could not be authenticated due to problems with its security certificate. It may be unsafe to proceed.”

Nmap

You can view the default self-signed certificate with the Nmap utility by running the following command.

nmap.exe -n -p 3389 <hostname> –script ssl-cert

Managed Certificates

A better solution for RDP TLS is to use managed certificates issued by an enterprise Public Key Infrastructure (PKI) such as Microsoft Active Directory Certificate Services (AD CS). AD CS is widely deployed in AD domain environments and can be configured to issue certificates for RDP TLS.

AD CS

To configure AD CS to issue RDP certificates, perform the following steps.

Certificate Template

On an issuing CA or an administrative workstation with the Remote Server Administration Tools (RSAT) installed, open the Certificate Templates management console (certtmpl.msc) and perform the following steps.

*My apologies for the list numbering format issues below. Microsoft Word and WordPress can’t seem to agree on the list format. Hopefully, you can figure it out, though. 🙂

  1. Right-click the Workstation Authentication template and choose Duplicate Template.
  2. Select the Compatibility tab.
    1. Select the operating system (OS) version corresponding to the oldest OS hosting the issuing CA role in your environment from the Certification Authority drop-down list.
    1. Select the OS version corresponding to your environment’s oldest supported server or client OS from the Certificate recipient drop-down list.
  3. Select the General tab.
    1. Enter a descriptive name in the Template display name field.
    1. Select an appropriate validity period for your environment. The best practice is to limit the validity period to one year or less.
  4. Select the Cryptography tab.
    1. From the Provider Category drop-down list, choose Key Storage Provider.
    1. From the Algorithm name drop-down list, choose RSA.
    1. In the Minimum key size field, enter 2048.
    1. From the Request hash drop-down list, choose SHA256.
  5. Select the Subject Name tab.
    1. From the Subject name format drop-down list, select DNS name.
    1. Ensure that DNS name is also checked in the subject alternate name section.
  6. Select the Extensions tab.
    1. Click on Application Policies.
    1. Click Edit.
    1. Select Client Authentication.
    1. Click Remove.
    1. Click Add.
    1. Click New.
    1. Enter Remote Desktop Authentication in the Name field.
    1. Enter 1.3.6.1.4.1.311.54.1.2 in the Object identifier field.
    1. Click Ok.
    1. Select Remote Desktop Authentication.
    1. Click Ok.
  7. Select the Security tab.
    1. Click Domain Computers.
    1. Grant the Read and Enroll permissions.
  8. Click Ok.

Next, open the Certification Authority management console (certsrv.msc) and follow the steps below to publish the certificate.

  1. Expand the CA.
  2. Right-click Certificate Templates and choose New > Certificate Template to Issue.
  3. Select the Remote Desktop Authentication certificate template.
  4. Click Ok.

Group Policy

Next, on a domain controller or a workstation with the RSAT tools installed, open the Group Policy Management console (gmpc.msc) and perform the following steps to create a new GPO to enroll domain computers for the Remote Desktop Authentication certificate

  1. Right-click Group Policy Objects and choose New.
  2. Enter a descriptive name for the GPO in the Name field.
  3. Click Ok.
  4. Right-click the GPO and choose Edit.
  5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
  6. Double-click Server authentication certificate template.
  7. Select Enabled.
  8. Enter the name of the Remote Desktop Authentication certificate template in the Certificate Template Name field. Note: Be sure to enter the template name, not the template display name!
  9. Click Ok.

Once complete, link the GPO to the domain or OU to target the servers and workstations to which you wish to deploy the RDP certificate.

Validate Certificate

After updating group policy on a target resource, you’ll find that Nmap now shows the enterprise PKI-issued certificate used for RDP connections.

Additional Information

Understanding the Remote Desktop Protocol (RDP)

Always On VPN SSTP and HSTS

HTTP Strict Transport Security (HSTS) is a feature commonly used by websites to protect against protocol downgrade attacks, where an attacker forces the use of insecure HTTP instead of HTTPS. If successful, the attacker can intercept unencrypted communication between the client and the web server. This is undesirable for obvious reasons. As such, web server administrators implement an HTTP response header named Strict-Transport-Security with some additional settings that instruct the user agent, in this case, a web browser, to only use secure HTTPS when communicating with the web server. Attempts to use HTTP will not work.

VPN and SSTP

As security is always a top concern when building an Always On VPN infrastructure, careful attention must be paid to VPN protocol configuration to ensure optimal security. Secure Socket Tunneling Protocol (SSTP) is a popular VPN protocol for Always On VPN user tunnel connections. SSTP uses Transport Layer Security (TLS) for encryption, so administrators are encouraged to implement recommended security configurations, such as disabling insecure protocols like TLS 1.0 and TLS 1.1 and optimizing TLS cipher suites as described here.

SSTP with HSTS

It would seem that enabling HSTS on a Windows RRAS VPN server would be ideal for improving SSTP security. However, that’s not the case. HSTS prevents protocol downgrade attacks from HTTPS to HTTP, but SSTP already uses HTTPS exclusively, making the use of HSTS irrelevant. If an attacker attempted a protocol downgrade attack on an SSTP VPN connection, it would fail because the service does not support HTTP between the client and the VPN gateway. Additionally, even if it were possible to configure RRAS to send an HSTS response header, it would be ignored by the client because the user agent is not a web browser.

Additional Information

Always On VPN SSTP Security Configuration

Always On VPN SSTP and TLS 1.3

Always On VPN SSTP Certificate Renewal

Always On VPN SSTP with Let’s Encrypt Certificates

Always On VPN SSTP Certificate Binding Error

SSL and TLS Training for Always On VPN Administrators