WID and RDCB with tls 1.2 only

New Contributor

Hi,

 

for compliance reasons we've to disable tls 1.0 on our systems and thereby encountered an unexpected error. The windows internal database and therefore also the remote desktop connection broker do *not* support anything newer than tls 1.0.

We're only allowed to use modern protocols like tls 1.2 or tls 1.3, therefore we've disabled all others within schannel. For now we have re-enabled tls 1.0 on the remote desktop connection broker, but we need to disable it again or we will not pass the certification.

 

Therefore my question: Is it possible to configure the windows internal database to use tls 1.2 and how is that done?

 

Best,

agowa338

 

Edit: There is even a UserVoice Entry: https://remotedesktop.uservoice.com/forums/266795-remote-desktop-services/suggestions/8527261-suppor...

According to the response from Microsoft from 2017 it should work, but as others already pointed out it still doesn't because of the windows internal database being TLS 1.0 only. How do others with PCI DSS handle this? Do you deploy an SQL Server for the Remote Desktop Connection Broker instead?

2 Replies

@agowa338 Does your Connection Broker also have the RDWeb and Gateway roles installed?  Do you need TLS 1.2 on your internal network, or just for External transports?

@Matt_OCC 

Does your Connection Broker also have the RDWeb and Gateway roles installed?

 

No it doesn't, currently we have the role on a separate server because of the issue with the windows internal database.

 

Do you need TLS 1.2 on your internal network, or just for External transports?

 

We need it for both. In fact we're going to no longer differentiate between internal and external, so that we can much more easily support multi cloud setups.