PCI Compliance Requirements

We currently have the Duo Access Gateway installed in our environment and are also required to meet PCI compliance. Our latest scan lists the following issues with the DAG. I have not been able to find any discussion around this and was hoping to get some feedback from the community.

TLS Version 1.0 Protocol Detection (PCI DSS)
SSL Medium Strength Cipher Suites Supported (SWEET32)
SSL 64-bit Block Size Cipher Suites Supported (SWEET32)

Thanks,

Hello,

I am only familiar with administrating DAG systems running on the Windows Server 2016 platform.

If your DAG systems are not joined to the domain then you will have to manually configure the TLS and Cipher Suites supported by the system.

If your systems are Windows, I would recommend disabling TLS 1.0 and TLS 1.1 via the registry (which will require a system restart).

Here is a Microsoft article on how to do that:

Similarly, you can disable the cipher suites via registry configuration as well; the above article contains a link to do so.

If you don’t like modifying the registry, there is a useful tool made by Nartac Software called IIS Crypto that provides a user-friendly GUI to modify security protocols used by the system including TLS, Hashes, Key Exchange, and Ciphers.

IIS Crypto can be acquired here:
https://www.nartac.com/Products/IISCrypto/

To mitigate SWEET32, you can use IIS Crypto to disable the following:
-Disable cipher suites using less than 128 bits
-Disable cipher suites using 3DES

Best of luck,

mheim
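The registry route mheim describes, done in PowerShell, as an added example that is not part of his reply or of any Duo or Microsoft documentation. It assumes a stand-alone (non-domain-joined) Windows Server host and the standard Schannel key paths, and must be run elevated.

```powershell
# Added example, not from the original thread: disable TLS 1.0 / TLS 1.1 and
# the 64-bit-block 3DES cipher (SWEET32) in Schannel via the registry.
# Run from an elevated PowerShell; Schannel re-reads these keys only after a restart.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param([string]$Protocol, [bool]$Enabled)
    # Both sides matter: 'Server' governs inbound connections to DAG/IIS,
    # 'Client' governs outbound TLS the host itself initiates.
    foreach ($Side in 'Server', 'Client') {
        $Key = "$Schannel\Protocols\$Protocol\$Side"
        New-Item -Path $Key -Force | Out-Null
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps
        # applications that request "system defaults" from negotiating it.
        New-ItemProperty -Path $Key -Name Enabled -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $Key -Name DisabledByDefault -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([string]$Cipher)
    $Key = "$Schannel\Ciphers\$Cipher"
    New-Item -Path $Key -Force | Out-Null
    New-ItemProperty -Path $Key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-SchannelProtocolState {
    # One row per protocol/side so the change can be verified (before and after reboot).
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($Protocol in $Protocols) {
        foreach ($Side in 'Server', 'Client') {
            $Props = Get-ItemProperty -Path "$Schannel\Protocols\$Protocol\$Side" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $Protocol
                Side              = $Side
                Enabled           = $Props.Enabled            # $null = key absent (OS default)
                DisabledByDefault = $Props.DisabledByDefault
            }
        }
    }
}

Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
Disable-SchannelCipher -Cipher 'Triple DES 168'   # the 3DES cipher behind the SWEET32 finding
Get-SchannelProtocolState | Format-Table -AutoSize
```

Re-run the PCI scan after the restart; the state table above only shows what the registry says, not what the listener actually negotiates.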

I too am encountering a similar TLS issue with Duo for RDS. I am able to lock the server down to TLS 1.2 and RD Gateway works, but the RD Web fails. Based on my testing, RD Web only passes traffic successfully if TLS 1.0 is enabled on the server.

My test server is Server 2019. When I allow TLS 1.0, the RD Web 2FA works as expected – providing the expected prompt to perform a Duo push, call, or passcode. However, if I disable TLS 1.0, I find 14 System event 36871 (Schannel) events within a couple of seconds. Also, I see a delay after entering credentials on the RD Web page (corresponding to the delay, as the API fails to connect). I’ve watched DNS queries, and confirmed the query to the API hostname is correct. With TLS 1.0 disabled, the Windows event log states: “A fatal error occurred while creating a TLS client credential. The internal error state is 10013.”

I can reproduce this error consistently: with TLS 1.0 enabled the RD Web 2FA works; without TLS 1.0, the 2FA prompt does not appear and the login completes (the client is set to bypass if it is not able to contact Duo).

Regards
-Alex