Deprecating Support for TLS 1.0 / 1.1 – Improving Encryption Strength and your Security Posture

TLS Background 

Transport Layer Security (TLS) provides privacy and data integrity for applications communicating over the Internet. It is used by many Internet services today, such as VPN, email exchange and, most commonly, web services (HTTPS). There have been 2 released versions of Secure Sockets Layer (SSL) and 4 versions of TLS spanning the last 25 years of security advancements. Each successive release addresses security vulnerabilities or weaknesses in a prior release: 

  • SSLv2 documented in RFC 6176, released in 1995 
  • SSLv3 documented in RFC 6101, released in 1996  
  • TLS1.0 documented in RFC 2246, released in 1999 
  • TLS1.1 documented in RFC 4346, released in 2006 
  • TLS1.2 documented in RFC 5246, released in 2008 
  • TLS1.3 documented in RFC 8446, released in 2018 

Current TLS Support 

Our mission within Cisco Umbrella has always been to provide powerful security solutions that are easy to deploy and simple to manage. To maintain that simplicity for our customers and provide the most backwards compatibility for those running legacy or unpatched operating systems, Cisco Umbrella has previously chosen to continue supporting all TLS protocol versions 1.0 and later, deprecating only specific weak / insecure ciphers. 

What’s Changing? 

Cisco Umbrella will deprecate support for all TLS / SSL versions prior to version 1.2 on March 31st, 2020. After this date, customers will be unable to connect without a TLS1.2-compatible client.

Why change now?  

A few compelling events caused us to re-evaluate the risk of continuing to support TLS1.0 / 1.1.

1 – Apple, Google, Microsoft, and Mozilla announced in October of 2018 that they will deprecate support for TLS1.1 and prior within their browsers, forcing all TLS communications to be TLS1.2 or higher on March 31st, 2020.   

2 – As of June 2018, the Payment Card Industry Security Standards Council (PCI-SSC) officially began enforcement of a new policy requiring any sites certified under PCI-DSS to deprecate TLS1.0 and any SSLv2/v3 configurations. While they will allow TLS1.1, there is a strong recommendation to implement only TLS1.2 and later protocols.   

3 – As of 2014, the National Institute of Standards and Technology (NIST) formalized policy 800-52 which requires US Government Agencies to adopt TLS1.2 and deprecate use of TLS1.1 and before.

Upon re-evaluation of the associated risks and certification landscape, Cisco determined that now is the time to complete deprecations for anything prior to TLS1.2. 
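The practical question for a customer is whether the clients that will talk to Umbrella after the cut-off can actually complete a TLS 1.2 handshake. The following PowerShell is an added example, not code from the Cisco Umbrella post: one function reads the standard SCHANNEL and .NET Framework registry switches that govern TLS 1.2 on a Windows client, and the other attempts a real handshake that offers only TLS 1.2. The host name in the usage line is a placeholder; a missing registry key means the operating-system default applies.

```powershell
# Added example (not from the Cisco Umbrella post). Run on the Windows client you
# want to verify; the registry paths are the standard SCHANNEL / .NET locations.

function Get-Tls12ClientSetting {
    # SCHANNEL client switch for TLS 1.2. If the key is absent the OS default applies
    # (enabled from Windows 8 / Server 2012 onward; older releases need it set explicitly).
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    # .NET Framework 4.x switches that make managed apps follow the OS protocol list.
    $dotnet   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'

    $s = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
    $n = Get-ItemProperty -Path $dotnet   -ErrorAction SilentlyContinue

    $enabled  = 'OS default'; $disabledByDefault = 'OS default'
    if ($s) { $enabled = $s.Enabled; $disabledByDefault = $s.DisabledByDefault }

    [pscustomobject]@{
        SchannelKeyPresent       = [bool]$s
        Enabled                  = $enabled              # expect 1 when set
        DisabledByDefault        = $disabledByDefault    # expect 0 when set
        SchUseStrongCrypto       = if ($n) { $n.SchUseStrongCrypto }       else { $null }
        SystemDefaultTlsVersions = if ($n) { $n.SystemDefaultTlsVersions } else { $null }
        # PowerShell's own web cmdlets use this list; it should include Tls12
        PowerShellProtocols      = [Net.ServicePointManager]::SecurityProtocol
    }
}

function Test-Tls12Handshake {
    # Opens a TCP connection and offers *only* TLS 1.2. Certificate validation is left
    # at the .NET default, so a failure here is either "no TLS 1.2" or a bad certificate,
    # both of which you want to know about before the cut-off.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host       = $HostName
            Succeeded  = $true
            Negotiated = $ssl.SslProtocol        # expect Tls12
            Cipher     = $ssl.CipherAlgorithm
            Error      = $null
        }
    } catch {
        [pscustomobject]@{
            Host       = $HostName
            Succeeded  = $false
            Negotiated = $null
            Cipher     = $null
            Error      = $_.Exception.Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage (placeholder host):
# Get-Tls12ClientSetting
# Test-Tls12Handshake -HostName 'example.invalid'
```

A client whose SCHANNEL TLS 1.2 entry is present but reads Enabled = 0 or DisabledByDefault = 1, or whose handshake test fails with a protocol error while the same test succeeds from a current machine, is one that will stop connecting on the cut-off date and should be patched or reconfigured beforehand.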

Source:
https://umbrella.cisco.com/blog/2019/09/06/deprecating-support-for-tls-1-0-1-1-improving-encryption-strength-and-your-security-posture/

Offline install of .NET Framework 3.5 in Windows 10 using DISM

You can use the Deployment Image Servicing and Management (DISM) command-line tool to create a modified image to deploy .NET Framework 3.5.

Important

For images that will support more than one language, you must add .NET Framework 3.5 binaries before adding any language packs. This order ensures that .NET Framework 3.5 language resources are installed correctly in the reference image and available to users and applications.

Using DISM with Internet connectivity

Requirements

For an online reference image that can access Windows Update

  1. Open a command prompt with administrator user rights (Run as Administrator) in Windows 8 or Windows Server 2012.
  2. To install .NET Framework 3.5 feature files from Windows Update, use the following command:
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All 
    

    Use /All to enable all parent features of the specified feature. For more information on DISM arguments, see Enable or Disable Windows Features Using DISM.

  3. On Windows 8 PCs, after installation .NET Framework 3.5 is displayed as enabled in Turn Windows features on or off in Control Panel. For Windows Server 2012 systems, feature installation state can be viewed in Server Manager.

For an offline reference image

  1. Run the following DISM command (image mounted to the c:\test\offline folder and the installation media on the D: drive) to install .NET 3.5:
    DISM /Image:C:\test\offline /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:D:\sources\sxs
    

    Use /All to enable all parent features of the specified feature.

    Use /LimitAccess to prevent DISM from contacting Windows Update/WSUS.

    Use /Source to specify the location of the files that are needed to restore the feature.

    To use DISM from an installation of the Windows ADK, locate the Windows ADK servicing folder and navigate to this directory. By default, DISM is installed at C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\Deployment Tools\. You can install DISM and other deployment and imaging tools, such as Windows System Image Manager (Windows SIM), on another supported operating system from the Windows ADK. For information about DISM-supported platforms, see DISM Supported Platforms.

  2. Run the following command to look up the status of .NET Framework 3.5 (offline image mounted to c:\test\offline):
    DISM /Image:c:\test\offline /Get-Features /Format:Table
    

    A status of Enable Pending indicates that the image must be brought online to complete the installation.

Using DISM with no Internet connectivity

You can use DISM to add .NET Framework 3.5 to an installation of Windows that is not connected to the Internet by giving it access to the \sources\SxS folder on the installation media.

Warning

If you're not relying on Windows Update as the source for installing the .NET Framework 3.5, make sure to use sources from the same corresponding Windows operating system version. DISM does not check that the source path corresponds to the same version of Windows, so a mismatched version of .NET Framework 3.5 can be installed. This can cause the system to be in an unsupported and unserviceable state.

Requirements

  • Windows 8, Windows Server 2012, or the Windows ADK tools.
  • Installation media
  • Administrator user rights. The current user must be a member of the local Administrators group to add or remove Windows features.

Steps

  1. Open a command prompt with administrator user rights (Run as Administrator).
  2. To install .NET Framework 3.5 from installation media located on the D: drive, use the following command:
    DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:d:\sources\sxs
    

    Use /All to enable all parent features of the specified feature.

    Use /LimitAccess to prevent DISM from contacting Windows Update/WSUS.

    Use /Source to specify the location of the files that are needed to restore the feature.

    For more information on DISM arguments, see Enable or Disable Windows Features Using DISM.

On Windows 8 PCs, after installation, .NET Framework 3.5 is displayed as enabled in Turn Windows features on or off in Control Panel.
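The two DISM procedures above (offline mounted image, and a running installation with no Internet access) differ only in whether DISM targets /Image or /Online, and the Warning asks for a version check that DISM itself does not perform. The script below is an added example, not from the Microsoft page: it uses the Dism PowerShell module cmdlets (Get-WindowsImage, Enable-WindowsOptionalFeature, Get-WindowsOptionalFeature) to compare the build of the installation media against the build of the target, refuses to proceed on a mismatch, installs NetFx3 with /LimitAccess and /Source, and reports the resulting feature state. The media root and mount folder are the page's own placeholder paths; run it from an elevated prompt.

```powershell
# Added example (not from the Microsoft page): version-checked NetFx3 install via the
# Dism PowerShell module. D:\ and C:\test\offline are the page's placeholder paths.
Import-Module Dism

function Get-MediaVersion {
    # Build of the first image in the media's install.wim (or install.esd), e.g. 10.0.19041
    param([Parameter(Mandatory)] [string] $MediaRoot)
    $wim = Join-Path $MediaRoot 'sources\install.wim'
    if (-not (Test-Path $wim)) { $wim = Join-Path $MediaRoot 'sources\install.esd' }
    [version](Get-WindowsImage -ImagePath $wim -Index 1).Version
}

function Get-TargetVersion {
    # Build of the servicing target: the running OS, or the WIM behind a mounted image
    param([string] $ImagePath)
    if (-not $ImagePath) {
        return [version](Get-CimInstance Win32_OperatingSystem).Version
    }
    $wanted = (Resolve-Path $ImagePath).Path.TrimEnd('\')
    $mount  = Get-WindowsImage -Mounted | Where-Object { $_.MountPath.TrimEnd('\') -eq $wanted }
    if (-not $mount) { throw "No image is mounted at $ImagePath" }
    [version](Get-WindowsImage -ImagePath $mount.ImagePath -Index $mount.ImageIndex).Version
}

function Install-NetFx3Offline {
    param(
        [Parameter(Mandatory)] [string] $MediaRoot,   # e.g. D:\
        [string] $ImagePath                           # e.g. C:\test\offline; omit for the running OS
    )
    $media  = Get-MediaVersion  -MediaRoot $MediaRoot
    $target = Get-TargetVersion -ImagePath $ImagePath

    # DISM will not stop a mismatched sxs source from being applied, so refuse here:
    # major.minor.build of the media must match the target.
    if ($media.Major -ne $target.Major -or $media.Minor -ne $target.Minor -or $media.Build -ne $target.Build) {
        throw "Media version $media does not match target version $target; use media for the same Windows build"
    }

    $source = Join-Path $MediaRoot 'sources\sxs'
    # Equivalent of: /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:<media>\sources\sxs
    $common = @{ FeatureName = 'NetFx3'; All = $true; LimitAccess = $true; Source = $source; NoRestart = $true }

    if ($ImagePath) {
        Enable-WindowsOptionalFeature -Path $ImagePath @common | Out-Null
        $state = (Get-WindowsOptionalFeature -Path $ImagePath -FeatureName NetFx3).State
    } else {
        Enable-WindowsOptionalFeature -Online @common | Out-Null
        $state = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
    }
    # EnablePending on an offline image is expected: it completes when the image is booted.
    "NetFx3 state: $state"
}

# Usage, offline image mounted at C:\test\offline with media on D:
# Install-NetFx3Offline -MediaRoot 'D:\' -ImagePath 'C:\test\offline'
# Usage, running OS with no Internet access:
# Install-NetFx3Offline -MediaRoot 'D:\'
```

The State value maps onto the DISM /Get-Features output described above: Enabled on a live system, and Enable Pending for a mounted image until it is booted.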

 

Source:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deploy-net-framework-35-by-using-deployment-image-servicing-and-management--dism

Full Download Offline installer:

Direct link to the .Net-3.5-Full-Setup

http://download.microsoft.com/download/6/0/f/60fc5854-3cb8-4892-b6db-bd4f42510f28/dotnetfx35.exe

Direct link to the .Net-3.5-SP1-Full-Setup

http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe