Setup TLS 1.2

EdVassie edited this page Sep 19, 2018 · 1 revision

FineBuild can enable Transport Layer Security v1.2 (TLS 1.2). TLS 1.2 allows encryption of data between the host and the client, which can significantly improve security.

Security Compliance

The Setup TLS 1.2 configuration helps to reduce the network surface area available for attack. If you install SQL 2008 or above and set up Security Compliance, then the Setup TLS 1.2 configuration will always be implemented. TLS 1.2 is not available for SQL 2005.

Group Policy Management

The Setup TLS 1.2 configuration can be enforced by Group Policy Management.

FineBuild Setup TLS 1.2

Processing of Setup TLS 1.2 relates to Process Id 1DG in the FineBuild1Preparation script, and is controlled by the parameters below:

| Install Parameter | Build | SQL Version | Value |
|---|---|---|---|
| /SetupTLS12: | Any | SQL2005 | N/A |
| /SetupTLS12: | FULL | SQL2008 and above | Yes |
| /SetupTLS12: | CLIENT | SQL2008 and above | Yes |
| /SetupTLS12: | WORKSTATION | SQL2008 and above | Yes |


Manual Setup TLS 1.2

The following steps show what you would have to do to set up TLS 1.2 manually. FineBuild does all of this work for you automatically.

Do not attempt to set up TLS 1.2 if you are installing SQL 2005 or below, as this will prevent clients from connecting to SQL Server.

  1. Open the Registry Editor: select Start -> Run and type regedit.

  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client. If the registry key does not exist then create it.

  3. Set the value of the DWORD item DisabledByDefault to 0 (zero). If it does not exist then create it.

  4. Set the value of the DWORD item Enabled to 1. If it does not exist then create it.

  5. Navigate to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server. If the registry key does not exist then create it.

  6. Set the value of the DWORD item DisabledByDefault to 0 (zero) and set the DWORD item Enabled to 1. If either value does not exist then create it.
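
The manual steps above can also be applied and checked from an elevated PowerShell session. This is an added example, not FineBuild's own code; the helper names Set-Tls12Role and Test-Tls12Role are hypothetical, and as with the manual steps it is not for SQL 2005 hosts.

```powershell
#Requires -RunAsAdministrator
# Added example (not FineBuild code): applies manual steps 2 to 6 and verifies them.
# Set-Tls12Role and Test-Tls12Role are hypothetical helper names.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$wanted = [ordered]@{ DisabledByDefault = 0; Enabled = 1 }

function Set-Tls12Role {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    $key = "$base\$Role"
    # Create the key (and any missing parents) only if it is absent,
    # so existing values under it are left alone.
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($name in $wanted.Keys) {
        # -Force overwrites a value that already exists with a different setting.
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
            -Value $wanted[$name] -Force | Out-Null
    }
}

function Test-Tls12Role {
    param([Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role)
    # Read the values back; a missing key or missing value counts as a failure.
    $actual = Get-ItemProperty -LiteralPath "$base\$Role" -ErrorAction SilentlyContinue
    if ($null -eq $actual) { return $false }
    foreach ($name in $wanted.Keys) {
        if ($actual.$name -ne $wanted[$name]) { return $false }
    }
    return $true
}

foreach ($role in 'Client', 'Server') {
    Set-Tls12Role -Role $role
    if (-not (Test-Tls12Role -Role $role)) {
        throw "TLS 1.2 $role values did not verify after writing"
    }
    Write-Output "TLS 1.2 $role values set and verified"
}
```

Schannel protocol settings are read at system start, so restart the server before testing connections. Test-Tls12Role can be run on its own afterwards to audit a host without changing it.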

Copyright FineBuild Team © 2016-2018. License and Acknowledgements

SQL FineBuild supports:

  • All SQL Server versions from SQL 2019 through to SQL 2005
  • Clustered, Non-Clustered and Core implementations of server operating systems
  • Availability and Distributed Availability Groups
  • 64-bit and (where relevant) 32-bit versions of Windows

The following Windows versions are supported:

  • Windows 2022
  • Windows 11
  • Windows 2019
  • Windows 2016
  • Windows 10
  • Windows 2012 R2
  • Windows 8.1
  • Windows 2012
  • Windows 8
  • Windows 2008 R2
  • Windows 7
  • Windows 2008
  • Windows Vista
  • Windows 2003
  • Windows XP