Transport Layer Security in Azure Backup

Transport Layer Security (TLS) is an encryption protocol that keeps data secure while it is transferred over a network. Azure Backup uses TLS to protect the privacy of backup data in transit. This article describes the steps to enable the TLS 1.2 protocol, which provides improved security over previous versions.

Earlier versions of Windows

If the machine is running an earlier version of Windows, the corresponding update noted below must be installed, and the registry changes documented in the KB article must be applied.

Operating system                                        KB article
Windows Server 2008 SP2                                 https://support.microsoft.com/help/4019276
Windows Server 2008 R2, Windows 7, Windows Server 2012  https://support.microsoft.com/help/3140245

Note

The update installs the required protocol components. After installation, you must make the registry key changes described in the KB articles above to properly enable the required protocols.

Verify Windows registry

Configuring SChannel protocols

The following registry values ensure that the TLS 1.2 protocol is enabled at the SChannel component level:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "Enabled"=dword:00000001
    "DisabledByDefault"=dword:00000000

Note

The values shown are the defaults in Windows Server 2012 R2 and newer versions. On these versions of Windows, if the registry values are absent, they don't need to be created.

Configuring .NET Framework

The following registry values configure .NET Framework to use the operating system's default TLS versions and strong cryptography. Both the 64-bit and the 32-bit (WOW6432Node) views must be set. You can read more about configuring .NET Framework here.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SystemDefaultTlsVersions"=dword:00000001
    "SchUseStrongCrypto"=dword:00000001
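The following Windows PowerShell script is an added example, not part of this article or of Azure Backup itself. It audits the SChannel and .NET Framework registry values listed in the two sections above and, with the -Remediate switch, writes the expected values. The function name, the OS-version threshold used to treat an absent SChannel value as acceptable (NT 6.3, that is, Windows Server 2012 R2), and the report format are the example's own choices.

```powershell
# Added example (not from the Azure Backup documentation): audit, and optionally set,
# the TLS 1.2 registry values this article lists. Reading HKLM needs no elevation;
# -Remediate must run in an elevated Windows PowerShell session.

$script:TlsChecks = @(
    # SChannel: TLS 1.2 client protocol enabled and not disabled by default
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'Enabled';                  Expected = 1; AbsentIsDefault = $true },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
       Name = 'DisabledByDefault';        Expected = 0; AbsentIsDefault = $true },
    # .NET Framework, 64-bit and 32-bit (WOW6432Node) views: OS default TLS versions, strong crypto
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SystemDefaultTlsVersions'; Expected = 1; AbsentIsDefault = $false },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto';       Expected = 1; AbsentIsDefault = $false },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SystemDefaultTlsVersions'; Expected = 1; AbsentIsDefault = $false },
    @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
       Name = 'SchUseStrongCrypto';       Expected = 1; AbsentIsDefault = $false }
)

function Test-AzureBackupTlsRegistry {
    [CmdletBinding()]
    param(
        # When set, write the expected DWORD values instead of only reporting them.
        [switch]$Remediate
    )

    # Windows Server 2012 R2 (NT 6.3) and newer enable TLS 1.2 in SChannel by default,
    # so an absent SChannel value is acceptable there, as the article's note says.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $schannelDefaultOk = $osVersion -ge [version]'6.3'

    foreach ($check in $script:TlsChecks) {
        $item   = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($check.Name) } else { $null }

        $status = if ($null -eq $actual) {
            if ($check.AbsentIsDefault -and $schannelDefaultOk) { 'OK (absent, OS default)' } else { 'MISSING' }
        } elseif ($actual -eq $check.Expected) {
            'OK'
        } else {
            'WRONG'
        }

        if ($Remediate -and ($status -in @('MISSING', 'WRONG'))) {
            if (-not (Test-Path -Path $check.Path)) { New-Item -Path $check.Path -Force | Out-Null }
            New-ItemProperty -Path $check.Path -Name $check.Name -PropertyType DWord `
                -Value $check.Expected -Force | Out-Null
            $status = 'FIXED'
        }

        [pscustomobject]@{
            Path     = $check.Path
            Name     = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Report only. Add -Remediate (elevated) to write the values; SChannel changes take
# effect for new connections, .NET processes pick them up when restarted.
Test-AzureBackupTlsRegistry | Format-Table -AutoSize
```

A row reporting WRONG is worth more attention than MISSING: it means something has deliberately set the value (for example "Enabled"=0 on the TLS 1.2 client key), which is exactly the kind of customized configuration the FAQ below blames for TLS 1.2 not being offered.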

Frequently asked questions

Why enable TLS 1.2?

TLS 1.2 is more secure than previous cryptographic protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. Azure Backup services already fully support TLS 1.2.

What determines the encryption protocol used?

The highest protocol version supported by both the client and the server is negotiated to establish the encrypted session. For more information on the TLS handshake protocol, see Establishing a Secure Session by using TLS.
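Because the negotiated version is the highest one both sides offer, the practical check is to observe what this machine actually negotiates. The Windows PowerShell function below is an added example, not part of this article or of Azure Backup; it uses .NET's SslStream, which is available in Windows PowerShell. The host name is a placeholder, not a real Azure Backup endpoint, and the function and parameter names are the example's own.

```powershell
# Added example (not from the Azure Backup documentation): observe which TLS version this
# machine negotiates with a server, using .NET's SslStream from Windows PowerShell.

function Get-NegotiatedTlsVersion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # 'None' lets the OS/SChannel defaults drive the handshake, which is what the
        # SystemDefaultTlsVersions setting makes .NET callers do.
        [System.Security.Authentication.SslProtocols]$Offer = [System.Security.Authentication.SslProtocols]::None
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: the server certificate is validated normally,
        # and revocation checking is requested in AuthenticateAsClient below.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName, $null, $Offer, $true)
            [pscustomobject]@{
                HostName       = $HostName
                Offered        = $Offer
                Negotiated     = $ssl.SslProtocol
                Cipher         = $ssl.CipherAlgorithm
                IsTls12OrNewer = ($ssl.SslProtocol -ge [System.Security.Authentication.SslProtocols]::Tls12)
                Error          = $null
            }
        } catch {
            # A failed handshake is itself the finding: nothing the two sides both offer.
            [pscustomobject]@{
                HostName       = $HostName
                Offered        = $Offer
                Negotiated     = $null
                Cipher         = $null
                IsTls12OrNewer = $false
                Error          = $_.Exception.Message
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

$endpoint = 'backup-endpoint.example.com'   # placeholder; substitute the endpoint you need to verify

# 1. What do the OS defaults negotiate? On a Windows version that lacks the updates above,
#    this is where a result below TLS 1.2 shows up.
Get-NegotiatedTlsVersion -HostName $endpoint

# 2. Does the handshake succeed when only TLS 1.2 is offered? A failure here, with the
#    first call succeeding, means the client has TLS 1.2 disabled or missing.
Get-NegotiatedTlsVersion -HostName $endpoint -Offer Tls12
```

Running the two calls side by side separates the two failure modes the next answer describes: a machine whose defaults negotiate TLS 1.0 but that succeeds with an explicit Tls12 offer has the protocol components installed but not enabled by default, while a machine that fails the explicit offer is missing the update or has the SChannel client key switched off.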

What is the impact of not enabling TLS 1.2?

For improved protection against protocol downgrade attacks, Azure Backup is beginning to disable TLS versions older than 1.2 in a phased manner. This is part of a long-term shift across services to disallow legacy protocol and cipher suite connections. Azure Backup services and components fully support TLS 1.2. However, Windows versions lacking the required updates, or certain customized configurations, can still prevent TLS 1.2 from being offered. This can cause failures including, but not limited to, one or more of the following:

  • Backup and restore operations may fail.
  • Backup component connection failures with error 10054 (An existing connection was forcibly closed by the remote host).
  • Services related to Azure Backup won't stop or start as usual.

Additional resources