PCI Data Security Standard (DSS) 3.1 compatibility with OfficeScan

    • Updated:
    • 3 Jan 2018
    • Product/Version:
    • OfficeScan 11.0
    • OfficeScan XG.All
    • Platform:
    • N/A
    • Windows 10
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 32-Bit
    • Windows 2003 64-Bit
    • Windows 2003 Datacenter 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Server R2
    • Windows 2003 Standard 64-bit
    • Windows 2008 32-Bit
    • Windows 2008 64-Bit
    • Windows 2008 Datacenter
    • Windows 2008 Datacenter 64-bit
    • Windows 2008 Enterprise
    • Windows 2008 Enterprise 64-bit
    • Windows 2008 Server R2 Enterprise
    • Windows 2008 Standard
    • Windows 2008 Standard 64-bit
    • Windows 2008 Web Server Edition
    • Windows 2008 Web Server Edition 64-bit
    • Windows 2012
    • Windows 2012 Datacenter R2
    • Windows 2012 Enterprise
    • Windows 2012 Enterprise R2
    • Windows 2012 Server Essential R2
    • Windows 2012 Server Essentials
    • Windows 2012 Server R2
    • Windows 2012 Standard
    • Windows 2012 Standard R2
    • Windows 2016
    • Windows 7 32-Bit
    • Windows 7 64-Bit
    • Windows 8 32-Bit
    • Windows 8 64-Bit
    • Windows 8.1 32-Bit
    • Windows 8.1 64-Bit
Summary

PCI DSS is a standard for securing payment card data. Since PCI DSS 3.1, the secure channel protocols SSLv3.0 and TLSv1.0 are no longer permitted. All secure channels need to migrate to TLSv1.1 or higher before July 1, 2018 (per PCI DSS 3.2). This article discusses PCI DSS 3.1 compatibility with OfficeScan.

Details

Before applying PCI DSS 3.1, some updates are required:

Server-Agent Communication

Since OfficeScan XG Service Pack 1 (SP1), the server deploys settings, updates, and hot fixes to agents through HTTPS. Several Windows updates are required to support TLSv1.1 and TLSv1.2 on each platform:

 
There is no update from Microsoft regarding TLSv1.1 and TLSv1.2 support for older Windows servers. Please use at least Windows 7 or Windows Server 2008.

Windows 7:
  1. Update Windows 7 to SP1.
  2. Make sure that the following updates are installed. If not, manually install them:
  3. Download Easy fix from this page and launch it.
  4. Reboot the endpoint.

Windows Server 2008:
  1. Update Windows Server 2008 to SP2.
  2. Make sure that the following update is installed. If not, manually install it:
  3. Reboot the endpoint.

For Windows 8.1, Windows Server 2012 R2, or newer, there is no need to install the Windows updates for TLSv1.2 support. In addition, the administrator needs to add the following registry keys:

On the server side, the administrator has to disable SSLv2.0, SSLv3.0, TLSv1.0, and weak ciphers, and enable TLSv1.1 and TLSv1.2. The .reg file below does this (comment lines in a .reg file start with a semicolon):

Windows Registry Editor Version 5.00
; Disable SSLv2.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
; Disable SSLv3.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
; Disable TLSv1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
; Enable TLSv1.1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
; Enable TLSv1.2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
; Disable weak ciphers RC4 and Triple DES
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000
; Disable weak key exchange algorithm Diffie-Hellman
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:00000000

On the agent side, if you would like to keep using TLSv1.0 to browse external websites, add the following registry keys instead. They leave the Client side of SSLv2.0, SSLv3.0, and TLSv1.0 untouched and disable only the Server side:

Windows Registry Editor Version 5.00
; Disable SSLv2.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
; Disable SSLv3.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
; Disable TLSv1.0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
; Enable TLSv1.1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
; Enable TLSv1.2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
; Disable weak ciphers RC4 and Triple DES
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000
; Disable weak key exchange algorithm Diffie-Hellman
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:00000000
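A read-only audit of the SCHANNEL keys that the server-side and agent-side .reg files above set, as an added example that is not part of this article and not a Trend Micro tool. It reads the live registry on the machine where it runs and reports every key whose state differs from the article's configuration. The -Role parameter is this script's own convention (Server checks the full server-side file, Agent the agent-side file that leaves the legacy Client keys alone); the rest uses only the key paths and values printed above.

```powershell
# Added example, not part of the Trend Micro article: read-only audit of the SCHANNEL
# keys the article's .reg files set, reporting any drift from that expected state.
# Run in an elevated Windows PowerShell (3.0 or later) session on the OfficeScan server or agent.
# The -Role parameter is this script's own convention, not a product setting.
param(
    [ValidateSet('Server', 'Agent')]
    [string]$Role = 'Server'
)

$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Expected protocol state, transcribed from the article's .reg files:
#   $true  -> Enabled=0xffffffff and DisabledByDefault=0
#   $false -> Enabled=0          and DisabledByDefault=1
$expected = [ordered]@{
    'Protocols\SSL 2.0\Server' = $false
    'Protocols\SSL 3.0\Server' = $false
    'Protocols\TLS 1.0\Server' = $false
    'Protocols\TLS 1.1\Server' = $true
    'Protocols\TLS 1.1\Client' = $true
    'Protocols\TLS 1.2\Server' = $true
    'Protocols\TLS 1.2\Client' = $true
}
if ($Role -eq 'Server') {
    # The server-side file also switches off the client half of the legacy protocols;
    # the agent-side file leaves it alone so agents can still reach TLSv1.0-only sites.
    $expected['Protocols\SSL 2.0\Client'] = $false
    $expected['Protocols\SSL 3.0\Client'] = $false
    $expected['Protocols\TLS 1.0\Client'] = $false
}

# Ciphers and key exchange: the article sets only Enabled=0 on these keys.
$mustBeOff = @('Ciphers\RC4 128/128', 'Ciphers\Triple DES 168', 'KeyExchangeAlgorithms\Diffie-Hellman')

function Get-SchannelValue {
    param([string]$SubKey, [string]$Name)
    # .NET OpenSubKey is used instead of the HKLM: provider on purpose: the cipher key
    # name "RC4 128/128" contains a slash, which the provider would read as a path separator.
    $key = $hklm.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Get-ProtocolFinding {
    param([string]$SubKey, [bool]$ShouldBeEnabled)
    $enabled = Get-SchannelValue -SubKey $SubKey -Name 'Enabled'
    $dbd     = Get-SchannelValue -SubKey $SubKey -Name 'DisabledByDefault'
    if ($null -eq $enabled -or $null -eq $dbd) {
        # Absent value: the OS default applies. The article sets every value explicitly,
        # so a missing one is reported as drift rather than guessed.
        $actual = 'Missing (OS default)'
        $ok = $false
    } else {
        # A REG_DWORD comes back as Int32, so 0xffffffff reads as -1; any non-zero means on.
        $isOn   = ($enabled -ne 0) -and ($dbd -eq 0)
        $actual = if ($isOn) { 'Enabled' } else { 'Disabled' }
        $ok     = ($isOn -eq $ShouldBeEnabled)
    }
    [pscustomobject]@{
        Key       = $SubKey
        Expected  = if ($ShouldBeEnabled) { 'Enabled' } else { 'Disabled' }
        Actual    = $actual
        Compliant = $ok
    }
}

$report = @(foreach ($sub in $expected.Keys) { Get-ProtocolFinding -SubKey $sub -ShouldBeEnabled $expected[$sub] })
$report += @(foreach ($sub in $mustBeOff) {
    $enabled = Get-SchannelValue -SubKey $sub -Name 'Enabled'
    [pscustomobject]@{
        Key       = $sub
        Expected  = 'Disabled'
        Actual    = if ($null -eq $enabled) { 'Missing (OS default)' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        Compliant = ($null -ne $enabled -and $enabled -eq 0)
    }
})

$report | Format-Table -AutoSize
$drift = @($report | Where-Object { -not $_.Compliant }).Count
Write-Host "$drift key(s) differ from the article's $Role-side configuration."
# SCHANNEL reads these keys at start-up, so a change to them needs a reboot before it takes effect.
```

Run it as `.\Audit-Schannel.ps1 -Role Server` on the OfficeScan server and `-Role Agent` on an endpoint. The .NET registry API is used deliberately: the `RC4 128/128` key name contains a forward slash, which the `HKLM:` provider treats as a path separator, so `Test-Path` and `Get-ItemProperty` look for the wrong key. Any row reported as "Missing (OS default)" means the .reg file was not imported (or was imported with the wrong comment syntax and rejected), not that the protocol is necessarily on or off.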

Microsoft SQL Server Connection

When Microsoft SQL Server (MSSQL) is used as the OSCE database, compatibility depends on whether the MSSQL components support TLSv1.1 and TLSv1.2. MSSQL Server fully supports TLSv1.1 and TLSv1.2 only from MSSQL Server 2014 SP2 onward. The minimum requirement for OSCE is OfficeScan XG SP1; the components used by OfficeScan 11.0 do not support TLSv1.1 and TLSv1.2. If an issue occurs, you may encounter the "OfficeScan Master Service was stopped because SQL Server is unavailable..." message on the web console. Migrate to an MSSQL Server version that supports TLSv1.1 and TLSv1.2 before applying the PCI DSS settings. Refer to the following article for detailed information:

Using TLSv1.1 or TLSv1.2 for communication between MSSQL server and OfficeScan

Edge Relay Server

Several Windows updates and program updates are required to support TLSv1.1 and TLSv1.2. If you encounter the "An internal error has occurred. Restart the Edge Relay service (OfcEdgeSvc) and Microsoft Internet Information Services (IIS)..." message on the Edge Relay registration page, refer to the following article for detailed information:

Using TLSv1.1 / TLSv1.2 to communicate with OfficeScan Edge Relay server

Since the OfficeScan Edge Relay Server exposes an external HTTPS service, additional security settings for IIS are required. Please refer to the following KB article:

Configure IIS security setting for OfficeScan Edge Relay Server

Smart Protection Server

After applying the PCI DSS settings on the OSCE server, you may encounter issues when communicating with the Smart Protection Server (SPS). On the Add Smart Protection Server Address page, you may see the "Unable to connect to the Smart Protection Server File Reputation Service" message on the console. Please refer to the following article for detailed information:

Communication between OfficeScan (OSCE) and Smart Protection Server (SPS) using TLSv1.2
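Each of the services above (the OfficeScan server's HTTPS channel to agents, the Edge Relay Server's external HTTPS service, and the Smart Protection Server) ends up being verified the same way: connect with one protocol version at a time and see which handshakes the endpoint accepts. The following probe does that, as an added example that is not part of this article and not a Trend Micro tool. It assumes only the .NET `SslStream` class that ships with Windows; the default host name and port are placeholders to be replaced with the endpoint under test.

```powershell
# Added example, not part of the Trend Micro article: handshake probe that tries each
# SSL/TLS version separately against one HTTPS endpoint and reports which ones it accepts.
# Use it after applying the SCHANNEL settings to confirm the OfficeScan server, Edge Relay
# or Smart Protection Server port refuses SSLv3.0 and TLSv1.0 and still accepts TLSv1.1/1.2.
# The default host name and port below are placeholders, not values from the article.
param(
    [string]$TargetHost = 'officescan-server.example.internal',  # placeholder
    [int]$Port = 443                                             # placeholder: use the service's HTTPS port
)

function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $result = [pscustomobject]@{ Protocol = $Protocol.ToString(); Accepted = $false; Negotiated = ''; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        # Chain validation is skipped because the only question here is whether the handshake
        # for this protocol version completes; production clients must validate the chain.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
        try {
            # Offer exactly one protocol version so the server cannot negotiate a different one.
            $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
            $result.Accepted   = $true
            $result.Negotiated = "$($ssl.SslProtocol) / $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
        } catch {
            $result.Detail = $_.Exception.GetBaseException().Message
        } finally {
            $ssl.Dispose()
        }
    } catch {
        $result.Detail = "connect failed: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Dispose()
    }
    return $result
}

$versions = 'Ssl3', 'Tls', 'Tls11', 'Tls12' |
    ForEach-Object { [System.Security.Authentication.SslProtocols]$_ }
$results = foreach ($v in $versions) { Test-TlsHandshake -TargetHost $TargetHost -Port $Port -Protocol $v }
$results | Format-Table -AutoSize

# Expectation after the article's settings: Ssl3 and Tls (that is, TLSv1.0) refused, Tls11 and Tls12 accepted.
$legacy = $results | Where-Object { $_.Accepted -and (@('Ssl3', 'Tls') -contains $_.Protocol) }
$modern = $results | Where-Object { $_.Accepted -and (@('Tls11', 'Tls12') -contains $_.Protocol) }
if ($legacy)      { Write-Warning "Endpoint still accepts legacy protocols: $($legacy.Protocol -join ', ')" }
if (-not $modern) { Write-Warning 'Endpoint accepted neither TLSv1.1 nor TLSv1.2; check the SCHANNEL keys and reboot.' }
```

One caveat when reading the output: the probe is itself an SCHANNEL client, so it can only offer versions its own machine's Client keys allow. Run it from a host whose client side still permits TLSv1.0 (for example an endpoint configured with the agent-side .reg file above); run from a server hardened with the server-side file, the Tls attempt fails locally and tells you nothing about the remote end. A "connect failed" row means the TCP port was unreachable, which is a firewall or service question rather than a TLS one.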

Category: Troubleshoot; Update
Solution Id: 1119045