HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

TLS Security - Break Macrium Reflect "Check for update" - connection time out when TLS security is enabled #247

Closed toddw121 closed 6 months ago

toddw121 commented 6 months ago

Tools category

Harden Windows Security Module

Does your system meet the requirements?

Is your Windows installation genuine?

Please explain the bug

After applying the TLS security section, after reboot, unable to check for update of Macrium Reflect software (latest version, purchased). Removing TLS security, Macrium Reflect update check works as expected.

HotCakeX commented 6 months ago

Hi, it's not a bug, it just means "Macrium Reflect" is using insecure and old TLS cipher suites/algorithms. You should contact them and let them know about it, preferably after finding out which one it depends on exactly.

The TLS category simply disables support for insecure cipher suites in the OS, as explained on the readme.

HotCakeX commented 6 months ago

For example, these cipher suites are disabled and the reason for each of them is mentioned:

TLS_RSA_WITH_AES_256_CBC_SHA  Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_CBC_SHA  Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_GCM_SHA256  Reason: NO Perfect Forward Secrecy
TLS_RSA_WITH_AES_256_GCM_SHA384  Reason: NO Perfect Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  Reason: CBC, SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  Reason: CBC, SHA1

The full list is available here https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-11-v22h2

You can remove the group policy for TLS, and then use this cmdlet https://learn.microsoft.com/en-us/powershell/module/tls/enable-tlsciphersuite to enable the cipher suites in that list one by one, and see which one allows the updater to work; then you will have found the problem.

All of the secure cipher suites in that list are in the allowed lists of TLS in the script, so anything that is not in the list is insecure.

Some more resources

https://scanigma.com/knowledge-base

https://developers.cloudflare.com/ssl/reference/cipher-suites/recommendations/
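The audit and bisection steps described in this comment, as an added PowerShell example (this is not code from the Harden-Windows-Security module). It classifies the suites Schannel currently offers by the same three reasons listed above (no Perfect Forward Secrecy, CBC, SHA1), and wraps the "re-enable one suite, test, disable again" loop in a helper. It uses only the built-in TLS module cmdlets `Get-TlsCipherSuite`, `Enable-TlsCipherSuite` and `Disable-TlsCipherSuite`; the name-matching rules and the helper function names are this example's own.

```powershell
# Added example (not part of the Harden-Windows-Security module): classify the
# cipher suites Schannel currently offers by the weaknesses cited above
# (no Perfect Forward Secrecy, CBC, SHA1), and bisect a broken client by
# re-enabling one suite at a time. Uses only the built-in TLS module cmdlets
# Get-TlsCipherSuite, Enable-TlsCipherSuite and Disable-TlsCipherSuite; the
# Enable/Disable calls need an elevated session, and the TLS group policy must
# be removed first or it reapplies the module's settings after each restart.

function Get-CipherSuiteWeakness {
    param([Parameter(Mandatory)][string]$Name)
    $reasons = @()
    # Static RSA key exchange (TLS_RSA_WITH_...) has no Perfect Forward Secrecy:
    # a leaked server key decrypts every recorded session.
    if ($Name -like 'TLS_RSA_WITH_*')  { $reasons += 'NO Perfect Forward Secrecy' }
    # CBC bulk-cipher mode; GCM (AEAD) suites are not flagged.
    if ($Name -like '*_CBC_*')         { $reasons += 'CBC' }
    # A suite name ending in bare _SHA (no digits) uses SHA-1 for its MAC/PRF.
    if ($Name -match '_SHA$')          { $reasons += 'SHA1' }
    # Legacy algorithms that no allowed list contains.
    if ($Name -match '3DES|RC4|NULL|_DES_|MD5') { $reasons += 'Legacy algorithm' }
    return $reasons
}

function Get-TlsCipherSuiteAudit {
    # Get-TlsCipherSuite returns the effective Schannel preference list,
    # including TLS 1.3 suites (TLS_AES_..., always ephemeral key exchange + AEAD).
    foreach ($suite in Get-TlsCipherSuite) {
        $reasons = @(Get-CipherSuiteWeakness -Name $suite.Name)
        $status  = if ($reasons.Count -eq 0) { 'OK' } else { 'WEAK' }
        [pscustomobject]@{
            Name   = $suite.Name
            Status = $status
            Reason = ($reasons -join ', ')
        }
    }
}

# Bisection helper for the approach described above: temporarily re-enable a
# single suite at the top of the preference list (Position 0), run whatever
# reproduces the client's connection, then remove the suite again so the
# hardened state is restored even if the probe throws.
function Test-WithSingleCipherSuite {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][scriptblock]$Probe   # e.g. { Invoke-WebRequest 'https://updates.example.invalid' }
    )
    Enable-TlsCipherSuite -Name $Name -Position 0
    try     { & $Probe }
    finally { Disable-TlsCipherSuite -Name $Name }
}

# Example run: show every enabled suite with the reason it would be disabled.
Get-TlsCipherSuiteAudit | Sort-Object Status, Name | Format-Table -AutoSize
```

Running the audit on a hardened machine should print only `OK` rows; a `WEAK` row means the group policy is not (or no longer) in effect. Schannel may not pick up a cipher-suite change until the process or machine is restarted, so if a probe only works after a reboot, do the `Enable-TlsCipherSuite` / `Disable-TlsCipherSuite` steps by hand around the reboot instead of through the helper.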

toddw121 commented 6 months ago

Fair enough.

I'll work with Macrium support.

HotCakeX commented 6 months ago

@toddw121 If you want, I can do the debugging for you so you will know exactly which cipher suite it depends on, but it's gonna take some time, a day or two max.

toddw121 commented 6 months ago

Thanks for the offer, I can take care of that.

I can let you know what I find out if you want.

Respectfully

HotCakeX commented 6 months ago

Alright, sounds good :)

toddw121 commented 6 months ago

Unfortunately, after troubleshooting/debug, I wasn't able to get Macrium Reflect Updater to connect successfully.

Troubleshooting/debug steps completed.

With TLS module settings enabled, updated the registry using data from the Macrium Reflect Knowledgebase article at https://forum.macrium.com/68498/Internet-connection-timed-out-error-from-updater

As this didn't work, I removed the key that was added.

Used the cmdlet from the link provided to add "insecure" ciphers, one by one, with a reboot after each addition.

Unless you really want to find out what is going on, please don't spend more time on this. It is an issue with the Macrium software, and they need to fix it. I hesitate to open a ticket with them, as I fear they will just say "stop doing that", or "it may be fixed in the next major update".

For now, I'll "skip" the TLS section and rely on the TLS "exceptions" included in the Edge section of the script. That fits my use case.

Thanks for your time and excellent work on the hardening script.

Regards

HotCakeX commented 6 months ago

Thanks for letting me know and trying it. Hope you removed the group policy for the TLS category first before using the cmdlets, because the group policy would automatically restore the TLS settings to the ones that the module configured after each restart.

If it's not about cipher suites then it might be related to TLS 1.0 and 1.1 being disabled. Those TLS versions are disabled by default in the Edge browser and in Windows 11 24H2.

Either way you're right, Macrium Reflect should review and update the connection protocols used in their updater system.

I'll go ahead and close this for now, please feel free to reopen or open new issues whenever you find something else.
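To separate the two hypotheses raised in this thread (a dropped cipher suite versus a dependency on TLS 1.0/1.1), a practitioner would ask the server directly which protocol versions it will negotiate. Below is an added PowerShell example that does this with .NET's `SslStream`; it is not code from the module or from Macrium. The host name `updates.example.invalid` is a placeholder for the updater's real endpoint, and the function name is this example's own.

```powershell
# Added example (not part of the module, nor of Macrium's updater): report
# which TLS protocol versions a server will negotiate, to tell a cipher-suite
# problem apart from a TLS 1.0/1.1 dependency. 'updates.example.invalid' is a
# placeholder; use the updater's real endpoint. SslStream goes through Schannel,
# so run this on a machine WITHOUT the TLS hardening applied; otherwise a
# refused version only shows that the OS declined it, not that the server needs it.

function Test-TlsProtocolSupport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $versions = [ordered]@{
        'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
        # Tls13 requires .NET Framework 4.8 (Windows PowerShell 5.1) or PowerShell 7.
        'TLS 1.3' = [System.Security.Authentication.SslProtocols]::Tls13
    }
    foreach ($entry in $versions.GetEnumerator()) {
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            # Default certificate validation is kept on purpose: the result should
            # match what a real client sees, including certificate problems.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
            # Offer exactly one version so the server cannot fall back to another.
            $ssl.AuthenticateAsClient($HostName, $null, $entry.Value, $true)
            [pscustomobject]@{
                Version    = $entry.Key
                Accepted   = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
                Hash       = $ssl.HashAlgorithm
                Detail     = "key exchange: $($ssl.KeyExchangeAlgorithm)"
            }
        } catch {
            [pscustomobject]@{
                Version    = $entry.Key
                Accepted   = $false
                Negotiated = $null
                Cipher     = $null
                Hash       = $null
                Detail     = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }
}

Test-TlsProtocolSupport -HostName 'updates.example.invalid' | Format-Table -AutoSize
```

Reading the table: if only the TLS 1.0 and TLS 1.1 rows come back accepted, the updater's server depends on protocol versions the hardening (and Windows 11 24H2 by default) turns off. If TLS 1.2 is accepted but the `Hash` column shows `Sha1`, the `Detail` column shows `RsaKeyX`, or the `Cipher` column is a CBC-era algorithm, the server side is stuck on one of the cipher suites listed earlier in the thread, which is the information to hand to the vendor.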