Currently SSL Labs suggests that the SSL RC4 ciphers are weak, and that to still mitigate the BEAST attack in older clients, TLS 1.0 can be turned off.
I have read threads that state that MS SQL server had issues when SSL 3.0 and TLS 1.0 were turned off, and also that turning off TLS 1.0 would break Remote Desktop (which this thread seems to state requires TLS 1.0 and RC4 ciphers: https://msdn.microsoft.com/en-us/library/aa383015%28v=vs.85%29.aspx )
Also see:
- https://technet.microsoft.com/en-us/magazine/ff458357.aspx and
- https://social.technet.microsoft.com/Forums/en-US/e2b22dad-bb0c-4059-beec-6673783ab777/remote-desktop-stopped-working-after-disabling-ssl-20-and-tls-10
Is there a way to have a Windows Server 2012, which is fully patched, rely on a greater TLS versions than 1.0 and the GCM (or another) cipher for Remote Desktop? Same question also for MS SQL?
If the answer is that TLS 1.0 and RC4 must be turned on for Network Layer Authentication in Remote Desktop Services, can you propose a best practice cipher order that would score fairly high on ssl labs?
Can SSL3.0 and TLS 1.0 be turned off, and still have MS SQL 2012 start (not configured to use SSL connections/sql ssl certificate)?
Thank you for any input you are able to give.