When the IIS server receives an HTTPS connection, the client and server negotiate a common protocol to secure the channel. By default, Windows has a set of enabled protocols, and if the client negotiates a weak protocol (e.g., PCT 1.0), it will be used for communication. In modern networks, it's recommended to use one of the latest protocols (either TLS 1.1 or 1.2).
Windows Server stores information about channel protocols in the Windows registry key below:
[HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
This key may contain the following subkeys:
Each subkey holds the settings for one protocol, and any of these protocols can be disabled on the server. The following registry values (and subkeys, if necessary) should be created to disable the old protocols:
By default, the list of ciphers negotiated for a given security protocol includes RC4 and 3DES. These ciphers are considered vulnerable, and it's recommended to disable them altogether.
Note: If you use any Windows version other than Windows Server 2012 R2, Windows Server 2016, or Windows 10, the KB2868725 security update must be installed before applying the settings below.
In order to disable RC4 and 3DES, the following registry values should be created:
[HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled" = DWORD:0x00000000
[HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled" = DWORD:0x00000000
[HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled" = DWORD:0x00000000
[HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled" = DWORD:0x00000000
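The following PowerShell script is an added example, not Veeam's own code: it creates the four cipher "Enabled" values listed above and reads each one back so you can confirm the change took effect. It assumes an elevated (administrator) PowerShell session on the server; the registry paths and cipher names are exactly those from the article. Because the cipher subkey names contain a "/" (for example "RC4 128/128"), which the HKLM: provider treats as a path separator, the script uses the .NET registry API instead of New-Item.

```powershell
# Added example (not Veeam's script). Run elevated. Paths/names are from the article.
$cipherBase = 'System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$ciphers    = @('RC4 128/128', 'RC4 40/128', 'RC4 56/128', 'Triple DES 168')

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$Name)
    # CreateSubKey returns the existing key or creates it; "/" in $Name is safe here
    # because the .NET API only treats "\" as a separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$cipherBase\$Name")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelCipherDisabled {
    param([Parameter(Mandatory)][string]$Name)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$cipherBase\$Name")
    # A missing subkey means Windows falls back to its default, i.e. the cipher stays enabled.
    if ($null -eq $key) { return $false }
    try {
        return ($key.GetValue('Enabled') -eq 0)
    } finally {
        $key.Close()
    }
}

foreach ($c in $ciphers) {
    Disable-SchannelCipher -Name $c
    $state = if (Test-SchannelCipherDisabled -Name $c) { 'disabled' } else { 'STILL ENABLED' }
    Write-Output ('{0,-16} {1}' -f $c, $state)
}
```

As the article notes, the new values take effect only after the server is restarted, so re-run the Test-SchannelCipherDisabled check after the reboot as well.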
The settings for the Self-Service Backup Portal site are stored in a dedicated Web.config file. The default Web.config file created after installation does not contain the recommended security settings. To change this file according to the recommendations, follow the steps below:
<system.web>
    <httpRuntime requestValidationMode="2.0" targetFramework="4.5" executionTimeout="300" enableVersionHeader="false"/>
</system.web>
<system.webServer>
    ...
    <httpProtocol>
        <customHeaders>
            <add name="Strict-Transport-Security" value="max-age=31536000"/>
            <add name="X-XSS-Protection" value="1; mode=block"/>
            <add name="X-Content-Type-Options" value="nosniff"/>
            <remove name="X-Powered-By" />
        </customHeaders>
    </httpProtocol>
</system.webServer>
Restart the server after applying all of the changes listed above. If any issues appear after this configuration, contact Veeam support.