Apr 01 2020 07:32 PM - edited Apr 09 2020 06:34 AM
Hi,
For compliance reasons we have to disable TLS 1.0 on our systems, and in doing so encountered an unexpected error. The Windows Internal Database, and therefore also the Remote Desktop Connection Broker, do *not* support anything newer than TLS 1.0.
We're only allowed to use modern protocols like TLS 1.2 or TLS 1.3, therefore we've disabled all others within Schannel. For now we have re-enabled TLS 1.0 on the Remote Desktop Connection Broker, but we need to disable it again or we will not pass the certification.
Therefore my question: is it possible to configure the Windows Internal Database to use TLS 1.2, and how is that done?
Best,
agowa338
Edit: There is even a UserVoice Entry: https://remotedesktop.uservoice.com/forums/266795-remote-desktop-services/suggestions/8527261-suppor...
According to the response from Microsoft from 2017 it should work, but as others have already pointed out, it still doesn't because the Windows Internal Database is TLS 1.0 only. How do others with PCI DSS handle this? Do you deploy a SQL Server for the Remote Desktop Connection Broker instead?
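The post above describes disabling every protocol other than TLS 1.2/1.3 "within Schannel" and then selectively re-enabling TLS 1.0 on the Connection Broker. The following PowerShell script is an added example, not part of the original post or of any Microsoft tooling: it audits the per-protocol Schannel registry keys and sets them explicitly, so the state of each protocol on each host is visible before and after the change rather than inherited silently from the OS default. The registry layout (Protocols\<name>\Client|Server with DWORD values Enabled and DisabledByDefault) is the documented Schannel configuration; the function names, the protocol list and the choice to write both Client and Server sides are the example's own assumptions. It must run in an elevated session, and Schannel only reads the keys at boot, so a reboot is required for the change to take effect.

```powershell
# Added example: audit and set Schannel protocol state via the registry.
# Assumptions (not from the original thread): function names, the protocol list,
# and writing both Client and Server subkeys. Run elevated; reboot to apply.

$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    # One row per protocol/side. A missing key or value means Schannel uses the
    # OS default for that protocol, which is what a compliance scan will not accept
    # as evidence; the point of the audit is to make every entry explicit.
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $SchannelBase "$p\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($null -eq $enabled) { 'OS default' } else { $enabled }
                DisabledByDefault = if ($null -eq $disabledByDefault) { 'OS default' } else { $disabledByDefault }
            }
        }
    }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [bool]   $Enable
    )
    # Enabled=0 plus DisabledByDefault=1 is the unambiguous "off" state;
    # Enabled=1 plus DisabledByDefault=0 is the unambiguous "on" state.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path $SchannelBase "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Before: show what the host currently has.
Write-Host '--- Schannel protocol state before change ---'
Get-SchannelProtocolState | Format-Table -AutoSize

# Turn off everything below TLS 1.2 and leave TLS 1.2 explicitly on.
# TLS 1.3 is left untouched here: the key is only honoured on OS builds that
# implement TLS 1.3, so it is handled per host rather than blindly.
foreach ($legacy in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Protocol $legacy -Enable $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true

# After: confirm every legacy protocol now reads Enabled=0 / DisabledByDefault=1.
Write-Host '--- Schannel protocol state after change (reboot required) ---'
Get-SchannelProtocolState | Format-Table -AutoSize
```

The Server subkey is what an external scanner sees; the Client subkey is what this host will offer when it connects out, which is the side that matters for a Connection Broker talking to its database. If a service breaks after the reboot, as the post reports for the Windows Internal Database, the audit output shows exactly which entry to flip back while the exception is open, and re-running the script later restores the compliant state.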
Apr 02 2020 08:29 PM
@agowa338 Does your Connection Broker also have the RDWeb and Gateway roles installed? Do you need TLS 1.2 on your internal network, or just for external transports?
Apr 06 2020 02:07 AM
> Does your Connection Broker also have the RDWeb and Gateway roles installed?
No, it doesn't; currently we have the role on a separate server because of the issue with the Windows Internal Database.
> Do you need TLS 1.2 on your internal network, or just for External transports?
We need it for both. In fact, we're going to stop differentiating between internal and external, so that we can much more easily support multi-cloud setups.