SQL Server Support for PCI DSS 3.1
Here is another post from Grant Carter.
The Payment Card Industry Data Security Standard (PCI DSS) was created to describe and enforce data standards and processes for the secure processing of payment cards. PCI DSS provides technical requirements for protecting data used in card payments. PCI DSS 3.1 is the most recent revision of this industry standard. The standard for this revision can be located at https://www.pcisecuritystandards.org/documents/PCI\_DSS\_v3-1.pdf
TLS or Transport Layer Security (https://en.wikipedia.org/wiki/Transport_Layer_Security) are cryptographic protocols that allow computer communications over a network to remain secure. As of February 2016, TLS 1.2 is the most recent production use of this protocol and is considered currently the most secure.
The PCI DSS 3.1 standard requires that the use of strong cryptography protocols must be used. SSL and TLS versions 1.0 and 1.1 are not considered strong cryptography and can no longer be used after June 30, 2016 in systems that must meet PCI DSS 3.1 standards. TLS 1.2 becomes the de facto standard to achieve PCI DSS 3.1 compliance.
Microsoft SQL Server supported the TLS 1.0 protocol until the SQL Server 2012 Service Pack 2 Cumulative Update 6 or SQL Server 2014 Service Pack 1 Cumulative Update 1 updates. Please note there is a known issue in CU1 release of SQL 2014 that is scheduled to be fixed in February 2016. In January 2016, support for TLS 1.2 was added to SQL Server 2008R2 and SQL Server 2008 via a hotfix documented at https://support.microsoft.com/en-us/kb/3135244. Support for TLS 1.2 will not be backported to SQL Server 2005, 2008, or 2008R2.
The key to making TLS 1.2 work, is that both the server and the client have to be patched to a level that will allow both to communicate using the TLS 1.2 protocol. If either side of the conversation isn't properly patched, then the communication will fail and connecting and communicating with SQL Server from a client machine will not work. This article describes how to get TLS 1.2 working with SQL Server, SQL Native Client, and SQL Server Management Studio.
TLS 1.2 is supported in the following Operating Systems (https://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx)
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2008R2
- Windows Server 2012
- Windows Server 2012R2
SQL Server Supports TLS 1.2 in the following versions (https://support.microsoft.com/en-us/kb/3052404)
- SQL Server 2012 Service Pack 2 Cumulative Update 6 or greater - https://support.microsoft.com/en-us/kb/3052468
- SQL Server 2014 Service Pack 1 Cumulative Update 1 or greater - https://support.microsoft.com/en-us/kb/3067839
- (If using AlwaysOn or DB Mirroring, check out https://support.microsoft.com/en-us/kb/3135852)
- SQL Server 2014 RTM Cumulative Update 8 or greater - https://support.microsoft.com/en-us/kb/3067836
SQL Server Native Access Client (SNAC) and SQL Server Management Studio .Net updates are located at:
- .Net 4.6 for SSMS to work with TLS 1.2 - https://www.microsoft.com/en-us/download/details.aspx?id=48130
- .Net Framework 4.5.2 rollup
- Hotfix rollup 3099845 for the .NET Framework 4.5.2, 4.5.1, and 4.5
- Hotfix rollup 3099844 for the .NET Framework 4.5.2, 4.5.1, and 4.5 on Windows
- Hotfix rollup 3099842 for the .NET Framework 4.5.2 and the .NET Framework 4.5.1 on Windows
- ADO.net – SQL Client (.Net framework 4.0) - Hotfix rollup 3106994 for the .NET Framework 4.0 in Windows
- ADO.net – SQLClient (.Net framework 3.5/.Net Framework 2.0SP2)
- Hotfix rollup 3106990 for the .NET Framework 2.0 SP2 in Windows Server 2008 SP2 and Windows Vista SP2
- Hotfix rollup 3106991 for the .NET Framework 2.0 SP2 in Windows Server 2008 R2 SP1 and Windows 7 SP1
- Hotfix rollup 3106992 for the .NET Framework 2.0 SP2 on Windows Server 2012 and Windows 8
- Hotfix rollup 3106993 for the .NET Framework 2.0 SP2 in Windows Server 2012 R2 and Windows 8.1
- SQL Server 2012 SP2 CU6 SNAC update - https://support.microsoft.com/en-us/kb/3052468
- SQL Server 2014 SP1 CU1 SNAC update - https://support.microsoft.com/en-us/kb/3067839
- SQL Server 2014 RTM Cumulative Update 8 SNAC update - https://support.microsoft.com/en-us/kb/3067836
- Microsoft ODBC Driver for SQL Server - https://www.microsoft.com/en-us/download/details.aspx?id=36434
- JDBC 6.0, 4.1, and 4.2 - https://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=11774
Steps To Get SQL Server Encryption Working:
Follow the steps outlined at https://msdn.microsoft.com/en-us/library/ms191192(v=sql.110).aspx to enable encryption on the SQL Server.
Steps to Get TLS 1.2 working with SQL Server
On The Server Side:
Apply one of the following cumulative updates.
- SQL Server 2012 Service Pack 2 Cumulative Update 6 or greater - https://support.microsoft.com/en-us/kb/3052468
- SQL Server 2014 Service Pack 1 Cumulative Update 1 or greater - https://support.microsoft.com/en-us/kb/3067839
- SQL Server 2014 RTM Cumulative Update 8 or greater - https://support.microsoft.com/en-us/kb/3067836
Steps to Disable TLS 1.0, TLS 1.1, SSL 2.0, and SSL 3.0 (Optional Step. Complete to comply with PCI DSS 3.1 most strictly)
The PCI DSS 3.1 standard states that use of all SSL and early TLS protocols must be discontinued by June 30, 2016. This step will disable those protocols on the Server and ensure that communication to the server must be done using TLS 1.2.
NOTE WELL: Doing this will break communication with all clients that haven’t been patched to support TLS 1.2. Implementing this could cause issues with connectivity with those clients. Please be aware of this before disabling these protocols.
Test very thoroughly in a non-production environment before production deployment.
Please check with any third party driver provider to ensure that their drivers will support the TLS 1.2 standard before implementing.
- Because making registry changes involves risk, it is important that before making any changes to your registry as outlined in the KBs in the following step, please make sure you back up your registry by following the procedure outlined at https://support.microsoft.com/en-us/kb/322756.
- Follow the following KB articles for instructions on how to disable certain cryptographic algorithms. https://support.microsoft.com/en-us/kb/245030 or https://support.microsoft.com/en-us/kb/187498
- Reboot the server once the registry changes have been made. All SQL clients that do not have the TLS 1.2 updates will not be able to connect to the server.
- If encrypted communications have been enforced on the server, then SQL Server management studio will not work until a .net 4.6 upgrade is deployed to the server. You will have to stop SQL Server and SQL Agent while you install the framework. To Make SSMS use TLS 1.2, you need to install .net framework 4.6 on the client
machine which can be obtained from the following link. https://www.microsoft.com/en-us/download/details.aspx?id=48130
On The Client Side
- Patch SQL Native client to one of the following versions:
- SQL Server 2012 Service Pack 2 Cumulative Update 6 or greater - https://support.microsoft.com/en-us/kb/3052468
- SQL Server 2014 Service Pack 1 Cumulative Update 1 or greater - https://support.microsoft.com/en-us/kb/3067839
- SQL Server 2008R2 SP3 Hotfix (10.50.6537) - https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3098860&kbln=en-us
- SQL Server 2008 SP4 (10.00.6543) - https://support.microsoft.com/en-us/hotfix/kbhotfix?kbnum=3098860&kbln=en-us
NOTE: The tools that use the native client or ODBC should use TLS 1.2 once the previous step is completed, however, SQL Server Management Studio (SSMS) will not use TLS 1.2 even if the SQL Native Client is patched. Network traces will show it still using TLS 1.0. To Make SSMS use TLS 1.2, you need to install .net framework 4.6 on the client machine which can be obtained from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=48130
Completely Off Topic:
Obscure Item of History
On December 8, 1941, President Franklin Roosevelt delivered his famous “Infamy” speech in the Capitol Building in Washington. The Secret Service was concerned about an assassination attempt on his life. They chose to drive him to the capitol in a 1928 Cadillac 341A Town Sedan originally owned by Al Capone because it had been heavily armored by the gangster. Source: https://en.wikipedia.org/wiki/Presidential_state_car_%28United_States%29
Grant Carter is a Senior Premier Field Engineer for Microsoft based in Boise, Idaho. Grant has been working with SQL Server since SQL Server 2000.
EMail: Grant.Carter@microsoft.com
Anonymous
December 08, 2015
Hello Mark, Thanks for the article. As 2008R2 has extended support until 2019 do you think there might be a review on "support for TLS 1.2 will not be backported to ... 2008R2"? Thanks.Anonymous
December 09, 2015
Hello Joe, We have put in a ticket with Microsoft to ask this very question and the response we received is that Microsoft does not have any plans to backport TLS 1.2 support for 2008r2 and that we will need to upgrade.Anonymous
February 10, 2016
Hi All, Microsoft recently announced TLS 1.2 Support for SQL Server 2008, 2008 R2, 2012 and 2014. blogs.msdn.microsoft.com/.../tls-1-2-support-for-sql-server-2008-2008-r2-2012-and-2014- Anonymous
May 18, 2016
The URL is now just https://blogs.msdn.microsoft.com/sqlreleaseservices/tls-1-2-support-for-sql-server-2008-2008-r2-2012-and-2014/
- Anonymous