Before applying PCI DSS 3.1, some updates are required:
Server-Agent Communication
Apex One server deploys settings, updates, and hotfixes to agents through HTTPS. Several Windows Updates are required to support TLSv1.2 on each platform:
- Make sure following updates are installed. If not, manually install them:
- Download Easy fix from this page and launch it.
- Reboot the endpoint.
On the server side, Administrator has to disable SSLv2.0, SSLv3.0, TLSv1.0, and weak ciphers, and enable TLSv1.1 and TLSv1.2.
Windows Registry Editor Version 5.00 #Disable SSLv2.0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 #Disable SSLv3.0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 #Disable TLSv1.0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 #Enable TLSv1.1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff #Enable TLSv1.2 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff #Disable weak cipher RC4 and Triple DES [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168] "Enabled"=dword:00000000 #Disable weak Key Exchange Algorithm Diffie-Hellman [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman] "Enabled"=dword:00000000
On the agent side, if you would like to use TLSv1.0 to browse external websites, please add the following registry:
Windows Registry Editor Version 5.00 #Disable SSLv2.0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 #Disable SSLv3.0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 #Disable TLSv1.0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001 "Enabled"=dword:00000000 #Enable TLSv1.1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff #Enable TLSv1.2 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:ffffffff #Disable weak cipher RC4 and Triple DES [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168] "Enabled"=dword:00000000 #Disable weak Key Exchange Algorithm Diffie-Hellman [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman] "Enabled"=dword:00000000
Microsoft SQL Server Connection
Apex One On-premise currently includes the MS SQL Server Express 2016 and currently supports TLS 1.2. Newer SQL Server versions are supported by Apex One and can be used to manage the database.
Using TLSv1.1 or TLSv1.2 for communication between MSSQL server and OfficeScan
Edge Relay Server
Apex One Edge Relay Server natively supports TLSv1.2. For older versions of Edge Relay Server, additional configuration might be needed: Using TLSv1.1 / TLSv1.2 to communicate with Apex One Edge Relay server
Since OfficeScan/Apex One Edge Server has an external HTTPS service, additional security settings for IIS are required. Please refer to the following KB article: Configure IIS security setting for Apex One Edge Relay Server
Smart Protection Server
After applying the PCI DSS standard on the OfficeScan/Apex One server, you may encounter some issues when communicating with the SPS server. On the Add Smart Protection Server Address page, you may see the "Unable to connect to the Smart Protection Server File Reputation Service" message on the console. Please refer to the following article for detailed information:
Communication between Apex One and Smart Protection Server(SPS) using TLSv1.2