
How to enforce TLS 1.2 and TLS 1.3 for Terminal Server

This article explains how to improve security by enforcing TLS 1.2 and TLS 1.3 for communication between the MFD and YSoft SafeQ. Older protocols are disabled in the process.

Security Protocols in YSoft SafeQ Terminal Server

  • Incoming connections use the security protocols allowed by the operating system. The Terminal Server binds to the lowest supported protocol.

  • Outgoing connections depend on the operating system and .NET version; the required version can be enforced with securityProtocolTypesForOutboundCommunication.

Cipher suites in YSoft SafeQ Terminal Server

Steps to follow:

Important Notice
Misconfiguration or unintended changes may lead to serious security vulnerabilities or system instability.
If you are unsure about any step, proceed with caution and consult Microsoft or Y Soft technical support before making changes.

Before applying registry changes, consult with your domain administrator, as domain policies may override local settings.
Also, verify the TLS protocol support of the MFD with the device vendor to ensure compatibility.

  1. To force Terminal Server to use TLS 1.2 and TLS 1.3 for outgoing connections (e.g. when connecting to the MFD):

    1. Go to YSoft SafeQ Management Interface > System Settings > Expert View.

    2. Set securityProtocolTypesForOutboundCommunication to: Tls12, Tls13

    3. Restart YSoft SafeQ services.

  2. To make Terminal Server accept only TLS 1.2 and TLS 1.3 for incoming connections, update the operating system configuration:

    1. Create TLS.reg file with the following content:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
      "Enabled"=dword:00000000
      "DisabledByDefault"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
      "Enabled"=dword:00000000
      "DisabledByDefault"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
      "Enabled"=dword:00000000
      "DisabledByDefault"=dword:00000001

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
      "Enabled"=dword:00000001
      "DisabledByDefault"=dword:00000000

      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
      "Enabled"=dword:00000001
      "DisabledByDefault"=dword:00000000

    2. Double-click TLS.reg on the server with YSoft SafeQ Terminal Server and confirm the registry changes.

    3. Restart the server where the file was applied.
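
One way to confirm the result after the restart, as an added example that is not part of the original article or Y Soft tooling: a PowerShell check that compares the five SCHANNEL Server keys against the values in TLS.reg and flags any value that is missing or different, for instance after a domain policy has overridden the local setting. The function name Test-SchannelServerProtocols is hypothetical; run it in an elevated PowerShell session on the Terminal Server host.

```powershell
# Added example: audit the SCHANNEL server-side protocol keys written by TLS.reg.
# Expected values are copied from the TLS.reg content in this article.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

$expected = [ordered]@{
    'SSL 3.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.3' = @{ Enabled = 1; DisabledByDefault = 0 }
}

# Hypothetical helper name; returns one row per protocol and registry value.
function Test-SchannelServerProtocols {
    param([string]$BasePath = $base, $Expected = $expected)

    foreach ($protocol in $Expected.Keys) {
        $key = Join-Path $BasePath "$protocol\Server"
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            $actual = $null
            if (Test-Path -LiteralPath $key) {
                # A missing value yields $null instead of an error.
                $actual = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            $want = $Expected[$protocol][$name]
            [pscustomobject]@{
                Protocol = $protocol
                Value    = $name
                Expected = $want
                Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
                # A key or value that is absent counts as a mismatch.
                Match    = ($null -ne $actual) -and ([int]$actual -eq $want)
            }
        }
    }
}

$report = Test-SchannelServerProtocols
$report | Format-Table -AutoSize

if ($report.Match -contains $false) {
    Write-Warning 'SCHANNEL protocol settings differ from TLS.reg; check for a domain policy override or a failed import.'
}
```

The check reads the registry only; it does not confirm which protocol version a given MFD actually negotiates.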
