Self hosted districts may encounter SMTP and SSL certificate issues with with older versions of TLS running on their Web and Reporting Servers.
Current technology standards require TLS 1.2 and higher, so these fixes are necessary to secure the server and allow communication with outside vendors/products.
This article contains the fix needed to adjust the necessary settings on Aeries Web and Reporting Servers. This fix will help with various products and functions including Online Enrollment, Aeries Communications, Electronic Test Scores, etc.
1. IIS Crypto
Download IIS Crypto from the following URL
https://www.nartac.com/Products/IISCrypto/
Once installed, run the program and select "Best Practices" and schedule a system reboot.
The IIS Crypto License can be found Here.
These steps are provided as a set of recommendations based on the server configurations in our Hosted Environment, and should be used in conjunction with current security practices/procedures.
2. Set TLS 1.2 using Powershell
The PowerShell script performs two main tasks related to security protocols:
It sets the security protocol to TLS 1.2, ensuring that the system communicates using the latest and most secure Transport Layer Security (TLS) version.
It disables TLS 1.0 and TLS 1.1 while keeping TLS 1.2 enabled. This enhances security by preventing communication using older, potentially less secure protocols.
In summary, the script prioritizes the use of TLS 1.2 for secure communications and disables older TLS versions for improved security posture.
Open Powershell as Admin and run the following code block;
# Set the security protocol to TLS 1.2 [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; # Disable TLS 1.0 and TLS 1.1 # This line disables TLS 1.0 and TLS 1.1 protocols while keeping TLS 1.2 enabled for enhanced security. [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -band (-bnot [System.Net.SecurityProtocolType]::Tls)
3. Edit Windows Registry
These registry settings enable the use of strong cryptography within the .NET Framework version 4.0.30319. By setting the "SchUseStrongCrypto" value to 1 in both the 64-bit and 32-bit registry keys, these settings ensure that applications relying on the .NET Framework utilize robust cryptographic algorithms for enhanced security. This helps strengthen encryption and protect sensitive data transmitted or processed by applications built on the .NET platform.
Add these values to the Windows Registry using regedit.exe
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319] "SchUseStrongCrypto"=dword:00000001 [HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
Or..
You can also save the previous code to a file called "useStrongTLS.reg" and update the registry