
KB484612: Disable insecure SSL and TLS policies for the Intelligence Server on Windows Server


Community Admin

• Strategy


This article describes how to disable insecure SSL and TLS policies for the Intelligence Server on Windows Server.

Description


The Intelligence Server’s REST API is the interface through which some of Strategy’s newest features work. These include HyperCards and Library Web Bookmarks.
Customers who are concerned about security will be pleased to learn that Strategy 2021 features new security hardening on the Intelligence Server’s REST API port. Out of the box, the Intelligence Server on Linux now disallows the use of all versions of the Secure Sockets Layer (SSL) protocol and supports only the latest version of Transport Layer Security: TLSv1.2. Furthermore, all ciphers that do not provide forward secrecy have been disabled as well.
For customers who deploy their Intelligence Servers on a distribution of Windows Server, the same protections are available. However, there are several manual steps you will need to take in order to reach the same level of security.
The solution in this article covers users of Microsoft Windows Server, versions 2016, 2019 and 2022.
Out of the box, the Intelligence Server installed on any version of Microsoft Windows Server is not configured to use the latest and most secure versions of TLS. Windows Server does not allow individual applications to choose their own level of transport-level security. Instead, it handles transport-level security choices and configuration at the operating system level. Out of the box, Windows Server is prepared to use a least-restrictive set of transport-level security policies. This means that secure connectivity with external applications, including the Strategy REST Gateway (also called LibraryWeb), can be negotiated using out-of-date and potentially insecure protocols such as SSLv2, SSLv3, TLSv1.0, or TLSv1.1.

Solution


Customers on any Microsoft Windows Server distribution can guarantee the security of their Strategy traffic by configuring the operating system-level security policies through the system registry. The system registry can be configured manually by following the official Microsoft Schannel Configuration Documentation, or by using a third-party tool called IIS Crypto*.
To learn more about IIS Crypto, use the following resources:

  • Microsoft Schannel Configuration Documentation
  • IIS Crypto Website
  • IIS Crypto EULA 

Using IIS Crypto to Configure Network Security Policies


IIS Crypto is a tool that allows System Administrators to configure operating system-level network security policies including allowing and disallowing particular versions of SSL and TLS, as well as controlling Windows' use of hashing and cipher algorithms.
The following steps cover how to use IIS Crypto to properly configure your Windows Server to create the strongest level of transport-level security for your Strategy Enterprise Installation.

  • From your Windows Server, follow the link to the IIS Crypto Website. On the main page, click the Download button to get the latest version of the IIS Crypto executable file.
  • Once the download is complete, proceed to your download folder to start running IIS Crypto. Administrative privileges are required, and there is no installation process needed.
  • Using the IIS Crypto Tool Interface, configure your Server in the following way. An image of this configuration is available following the steps:
    1. Under Server Protocols, allow only TLS 1.2.
    2. Under Ciphers, allow:
      • AES 128/128
      • AES 256/256
    3. Under Hashes, allow:
      • SHA 256
      • SHA 384
      • SHA 512
    4. Under Key Exchanges, allow only ECDH.
    5. Under Client Protocols, allow:
      • TLS 1.0
      • TLS 1.1
      • TLS 1.2
    [Image: IIS Crypto configured as described in the steps above]
  • Once configured, you will need to reboot your machine for the changes to take effect. Select the Reboot checkbox and click Apply.
    Once your system has completed rebooting, it will be configured with the latest recommended security practices for your Strategy Intelligence Server.
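
After the reboot, the result can be confirmed by reading the Schannel registry keys directly. The following read-only PowerShell audit is an added example, not part of the original article or of IIS Crypto; the entries it expects to be disabled are an assumption, covering standard Schannel subkeys that the steps above do not list as allowed.

```powershell
# Added example: read-only audit of the Schannel registry; nothing is modified.
# Run on the Intelligence Server host after the reboot.
$root = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Target state from the article's steps ($true = allowed). The $false entries are an
# assumption: standard Schannel subkeys that the steps do not list as allowed.
$target = [ordered]@{
    'Protocols\SSL 2.0\Server' = $false; 'Protocols\SSL 3.0\Server' = $false
    'Protocols\TLS 1.0\Server' = $false; 'Protocols\TLS 1.1\Server' = $false
    'Protocols\TLS 1.2\Server' = $true
    'Protocols\TLS 1.0\Client' = $true;  'Protocols\TLS 1.1\Client' = $true
    'Protocols\TLS 1.2\Client' = $true
    'Ciphers\AES 128/128'      = $true;  'Ciphers\AES 256/256'    = $true
    'Ciphers\NULL'             = $false; 'Ciphers\DES 56/56'      = $false
    'Ciphers\RC4 128/128'      = $false; 'Ciphers\Triple DES 168' = $false
    'Hashes\MD5'               = $false; 'Hashes\SHA'             = $false
    'Hashes\SHA256'            = $true;  'Hashes\SHA384'          = $true
    'Hashes\SHA512'            = $true
    'KeyExchangeAlgorithms\ECDH'           = $true
    'KeyExchangeAlgorithms\Diffie-Hellman' = $false
    'KeyExchangeAlgorithms\PKCS'           = $false
}

$report = foreach ($name in $target.Keys) {
    # Use the .NET registry API: the PowerShell registry provider treats the "/" in
    # cipher names such as "AES 128/128" as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$root\$name")
    $enabled = $null
    if ($key) { $enabled = $key.GetValue('Enabled', $null); $key.Close() }

    # "Enabled" is a DWORD: 0 = off, non-zero = on. A missing key or value means the
    # operating system default applies, so it is reported for review, not as a pass.
    if ($null -eq $enabled) { $actual = 'NotConfigured' }
    elseif ($enabled -ne 0) { $actual = 'Enabled' }
    else                    { $actual = 'Disabled' }

    $wanted = if ($target[$name]) { 'Enabled' } else { 'Disabled' }
    [pscustomobject]@{ Setting = $name; Expected = $wanted; Actual = $actual
                       Compliant = ($actual -eq $wanted) }
}

$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) Schannel setting(s) differ from the target state."
}
```

A `NotConfigured` row means no explicit policy was written for that item, so the behaviour depends on the defaults of the Windows Server version in use.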

*Copyright (c) 2011-2019 Nartac Software Inc.


Details

Knowledge Article

Published:

October 8, 2020

Last Updated:

February 26, 2024