Setup TLS 1.2 - SQL-FineBuild/Common GitHub Wiki

Previous Setup No TCP Offload Manual Install Setup No SSL v3 Next

FineBuild can enable Transport Layer Security v1.2 (TLS 1.2). TLS 1.2 allows encyption of data between the host and the client, which can significantly improve security.

Security Compliance

Setup TLS 1.2 configuration helps to reduce the network surface area available for attack. If you install SQL 2008 or above and setup Security Compliance then Setup TLS 1.2 configuration will always be implemented. TLS 1.2 is not available for SQL 2005.

Group Policy Management

The Setup TLS 1.2 configuration can be enforced by Group Policy Management.

FineBuild Setup TLS 1.2

Processing of Setup TLS 1.2 relates to Process Id 1DG in the FineBuild1Preparation script, and is controlled by the parameters below:

Install Parameter Build SQL Version Value
/SetupTLS12: Any SQL2005 N/A
/SetupTLS12: FULL SQL2008 and above Yes
/SetupTLS12: CLIENT SQL2008 and above Yes
/SetupTLS12: WORKSTATION SQL2008 and above Yes

Top

Manual Setup TLS 1.2

The following steps show what you would have to do to setup Setup TLS 1.2 manually. FineBuild does all of this work for you automatically.

Do not attempt to setup TLS 1.2 if you are installing SQL 2005 or below, as this will prevent clients from connecting to SQL Server.

  1. Open the Registry Editor by Start -> Run and type regedit

    Regedit Command

  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client. If the registry key does not exist then create it.

    Path to Client values

  3. Set the value of the DWORD item DisabledByDefault to 0 (zero). If it does not exist then create it

    Set as Default

  4. Set the value of the DWORD item Enabled to 1. If it does not exist then create it

    Enable

  5. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server. If the registry key does not exist then create it.

    Path to Server values

  6. Set the value of the DWORD item DisabledByDefault to 0 (zero) and set the DWORD item Enabled to 1. If either value does not exist then create it

Copyright FineBuild Team © 2016- 2018. License and Acknowledgements

Previous Setup No TCP Offload Top Setup No SSL v3 Next