Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft System Center Data Protection Manager Cookbook

You're reading from   Microsoft System Center Data Protection Manager Cookbook Maximize storage efficiency, performance, and security using System Center LTSC and SAC releases

Arrow left icon
Product type Paperback
Published in Dec 2018
Publisher
ISBN-13 9781787289284
Length 424 pages
Edition 1st Edition
Languages
Arrow right icon
Authors (2):
Arrow left icon
Patrick Lownds Patrick Lownds
Author Profile Icon Patrick Lownds
Patrick Lownds
Charbel Nemnom Charbel Nemnom
Author Profile Icon Charbel Nemnom
Charbel Nemnom
Arrow right icon
View More author details
Toc

Table of Contents (12) Chapters Close

Preface 1. Installing and Upgrading DPM FREE CHAPTER 2. DPM Post-Installation and Management Tasks 3. Protecting Hyper-V VMs 4. Monitoring DPM and Configuring Role-Based Access 5. Protecting Microsoft Workloads with DPM 6. Securing Windows Client with DPM 7. Protecting Microsoft Azure Stack with DPM 8. Protecting Workgroups and Untrusted Domains 9. Recovering Data from Backup 10. Integrating DPM with Azure Backup 11. Other Books You May Enjoy

Enabling the Transport Layer Security 1.2 protocol for DPM

This recipe will cover how to enable the Transport Layer Security (TLS) protocol version 1.2 for the DPM Management server.

Getting ready

TLS is a protocol that provides privacy and data integrity between two communicating applications. In this case, this is between DPM server and protected servers. TLS is the most widely deployed security protocol used today.

Several known vulnerabilities have been reported against SSL and earlier versions of TLS. Microsoft recommend that you upgrade to TLS 1.2 for secure communication.

To enable TLS protocol version 1.2 in your DPM environment, you need to perform the following steps:

  1. Install all of the required updates.
  2. Make sure that the DPM setup is functional as it was before applying the updates (for example, you can check if you are able to launch the DPM console).
  3. Change the configuration settings to enable TLS 1.2.
  1. Ensure that all required SQL Server services are up and running.
  2. Finally, validate the protection and recovery process.

How to do it...

To enable TLS protocol version 1.2, follow these steps:

  1. Make sure that you are running Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019 and that it is up-to-date with the latest security fixes.  
  2. Make sure that .NET version 4.6 is installed on all of your machines (DPM server, protected servers) .NET version 4.7 is supported on Windows Server 2019. You can use the following PowerShell command to determine whether .NET has been installed: Get-WindowsFeature NET*:
  1. For the DPM database and for all SQL Servers that you intend to protect with DPM, you need to make sure that you are running a SQL Server that supports TLS 1.2. You can  follow the instructions described here to find out whether you need this update: https://support.microsoft.com/en-in/help/3135244/tls-1-2-support-for-microsoft-sql-server.
  2. You need to make sure that SQL Server 2012 Native client 11.0 is installed on the DPM Management Server. You can verify whether SQL Native client 11.0 is installed by running the following PowerShell command on SQL Server: Get-odbcdriver -name "SQL Server Native Client*". You can download Microsoft SQL Server 2012 Native client 11.0 from the following link: https://www.microsoft.com/en-us/download/details.aspx?id=50402.
  1. Make sure that you are running a DPM server that supports TLS 1.2. Starting with DPM 2012 R2 Update Rollup 14, DPM 2016 Update Rollup 4 including DPM 1801, DPM 1807, DPM 2019, and DPM 1901, the DPM team added TLS version 1.2 support.
  2. System Center components now generate both SHA1 and SHA2 self-signed certificates. This is a requirement for enabling TLS1.2. If case CA signed certificates are used for workgroup machines or untrusted domains, please ensure that they are either SHA1 or SHA2. In other words, TLS 1.2 supports only SHA1 and SHA2 certificates. Hence, all of the certificates must be updated to be SHA1 or SHA2.
  3. You need to implement these settings on all of the Windows machines in the environment on which System Center Data Protection agent is installed, including the DPM management server. Follow these steps to disable all of the SCHANNEL protocols except TLS 1.2 system-wide so that only TLS 1.2 protocol is used for communication. Making these registry changes does not affect the use of Kerberos or NTLM protocols:
    1. Open the registry on your server(s) by running regedit in the run window and navigate to the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    2. Add the SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 keys under Protocol.
    3. Now, create two keys called Client and Server under the SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2 keys.
  4. Now create two REG_DWORD values under the Server and Client keys if you want to enable the TLS 1.2 protocol: set the DisabledByDefault value to 0 and the Enabled value to 1. You will now have something that looks as follows:

  1. If you want to disable the protocol, you can set the DisabledByDefault value to 1 and the Enabled value to 0.
  2. After we have enabled the TLS 1.2 protocol on all systems, we need to set DPM to use only TLS 1.2. The following settings should be implemented on the DPM management server and all other servers on which DPM agents are installed, that is, Hyper-V hosts, File Server, SQL, Exchange, SharePoint, and so on. Follow these steps to create these settings:
    1. Open the registry on your server by running regedit in the run window and navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.3031.
    2. Now, create the REG_DWORD value under the registry: SchUseStrongCrypto [Value = 1].
    3. Navigate to the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319.
    4. Now, create the same REG_DWORD value under the preceding registry as well: SchUseStrongCrypto [Value = 1].
  3. Finally, you need to restart the system (DPM server and the protected server).

How it works...

For all kinds of workloads backed up by DPM TLS 1.2 enabled (that is, SQL, SharePoint, Exchange, File Servers, Hyper-V hosts, Hyper-V VMs, VMWare VMs, Clients, System State, and BMR), you can do the following:

  1. Attach the Protected Server in the workgroup/untrusted domain to DPM.
  2. While Creating Protection Groups, all data sources on the protected server will be displayed.
  3. Protect different kinds of workloads to disk, to tape, and to the cloud.
  4. Recover the different kinds of workloads at the Original Location, Alternate Location, recover cloud recovery points, and use an External DPM server.
Please note that VMware VM backup is not supported when DPM TLS 1.2 is enabled.

There's more...

There are two scenarios that are impacted when using TLS 1.2 with DPM:

Using certificate-based authentication to protect servers in a workgroup or untrusted domain

The DPM agent can be installed on the protected server either directly from the DPM server for the servers in the domain, or using certificate-based authentication for computers in a workgroup or untrusted domain. Please refer to Chapter 8, Protecting Workgroups and Untrusted Domains. DPM uses elements of the .NET Framework on the protected server to communicate if certificate-based authentication is used. TLS 1.2 needs .NET 4.5 or above. Since DPM is built with .NET 4.0—which does not support TLS 1.2 directly—when DPM tries to communicate with the protected servers, establishing the connection will fail.

Protecting workloads on the cloud using DPM

DPM requires a MARS agent to back up data to the cloud. The MARS agent also leverages the .NET Framework, and changes need to be made on the DPM server to ensure that the backups continue smoothly when TLS 1.2 is enabled. Check out https://support.microsoft.com/en-ie/help/4022913/how-to-resolve-azure-backup-agent-issues-when-disabling-tls-1-0-for-pc to resolve Azure Backup agent issues when enabling TLS 1.2.

For more information about Azure Backup, please check Chapter 10, Integrating DPM with Azure Backup.

See also

You have been reading a chapter from
Microsoft System Center Data Protection Manager Cookbook
Published in: Dec 2018
Publisher:
ISBN-13: 9781787289284
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image