Why is it important to set the minimum TLS version in Azure SQL Managed Instance (SQL MI)?

Transport Layer Security (TLS) is a cryptographic protocol that secures network communication. It protects the confidentiality and integrity of data exchanged between client and server applications and lets the client authenticate the server it is talking to. SQL Server uses TLS to encrypt the channel between client and server so that traffic cannot be read or tampered with in transit.

When a client connects to a SQL Server database, it speaks the Tabular Data Stream (TDS) protocol, which lets a client application and a SQL Server instance exchange tabular data. TDS carries the SQL queries and commands sent by the client, the result sets returned by the server, and the informational and error messages that accompany them.

The TLS handshake takes place inside the TDS protocol: the client's PRELOGIN exchange carries the TLS handshake, during which the two sides negotiate the TLS version, the cipher suite and the server certificate before any login credentials are sent. The minimum TLS version setting governs which versions the instance will accept in that negotiation.

What makes TLS significant?

Raising the instance's minimum TLS version to 1.2, the highest value the setting accepts, adds a layer of protection to your SQL Server databases: clients that can only negotiate the deprecated TLS 1.0 or 1.1 are refused instead of silently connecting over them. Before you raise it, verify that every application and driver that connects to the instance can negotiate TLS 1.2, because once the minimum is in place a client that cannot is simply unable to connect. Some older applications and drivers will not work with TLS 1.2. SQLDBA-Experts therefore advises staging the change: set the minimum to 1.0 or 1.1 first, confirm that the applications can still reach the database, and only then move to 1.2. Keep that intermediate window short, since a minimum of 1.0 or 1.1 still permits the deprecated protocols.

Use the Az.Sql PowerShell cmdlets listed below, replacing sql-instance-name and resource-group with your own values.

Get the Minimal TLS Version property:

(Get-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group).MinimalTlsVersion

Update the Minimal TLS Version Property:

Set-AzSqlInstance -Name sql-instance-name -ResourceGroupName resource-group -MinimalTlsVersion "1.2"
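Putting the two cmdlets together, here is an added example script (not code from the original post or from Microsoft) that raises the minimum TLS version, opens an encrypted test connection against the instance, and rolls the setting back to its previous value if that connection fails. It assumes the Az.Sql module is installed and Connect-AzAccount has been run, that System.Data.SqlClient is loadable (Windows PowerShell 5.1 or PowerShell 7), and that the instance is reachable on port 1433 from the host running the script; the parameter names, the database used for the test and the -Force switch on Set-AzSqlInstance are this example's own choices.

```powershell
# Added example for this page (not from the original post or Microsoft):
# raise an Azure SQL Managed Instance's minimum TLS version, verify that a
# client can still connect, and roll back to the previous value if it cannot.
# Assumptions: Az.Sql is installed, Connect-AzAccount has been run,
# System.Data.SqlClient is loadable, and port 1433 is reachable from this host.
param(
    [Parameter(Mandatory)] [string] $InstanceName,   # e.g. sql-instance-name
    [Parameter(Mandatory)] [string] $ResourceGroup,  # e.g. resource-group
    [string] $TestDb        = 'master',
    [string] $TargetVersion = '1.2'
)

$ErrorActionPreference = 'Stop'

# 1. Record the current minimum. 'None' means the platform default (all versions accepted).
$instance = Get-AzSqlInstance -Name $InstanceName -ResourceGroupName $ResourceGroup
$previous = if ($instance.MinimalTlsVersion) { $instance.MinimalTlsVersion } else { 'None' }
Write-Host "Current MinimalTlsVersion: $previous"

$previousVer = if ($previous -eq 'None') { [version]'0.0' } else { [version]$previous }
if ($previousVer -ge [version]$TargetVersion) {
    Write-Host "Nothing to do: minimum is already $previous."
    return
}

# Collect the SQL login up front so the prompt does not land in the middle of the update.
$fqdn = $instance.FullyQualifiedDomainName
$cred = Get-Credential -Message "SQL login for $fqdn"
$cred.Password.MakeReadOnly()
$sqlCred = New-Object System.Data.SqlClient.SqlCredential($cred.UserName, $cred.Password)

# 2. Raise the minimum. From now on, connections that cannot negotiate at least
#    $TargetVersion are refused, which is exactly what step 3 checks.
Set-AzSqlInstance -Name $InstanceName -ResourceGroupName $ResourceGroup `
    -MinimalTlsVersion $TargetVersion -Force | Out-Null

# 3. Open an encrypted test connection. Encrypt=True with TrustServerCertificate=False
#    also validates the server certificate rather than accepting any certificate.
$connStr = "Server=tcp:$fqdn,1433;Database=$TestDb;" +
           "Encrypt=True;TrustServerCertificate=False;Connection Timeout=30"
$conn = New-Object System.Data.SqlClient.SqlConnection($connStr, $sqlCred)
try {
    $conn.Open()
    # encrypt_option reports whether the server sees this session as encrypted.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID'
    $encrypted = $cmd.ExecuteScalar()
    Write-Host "Test connection succeeded with minimum TLS $TargetVersion; encrypt_option = $encrypted"
}
catch {
    # The client could not negotiate the new minimum: restore the old setting so
    # applications are not locked out, then surface the original error.
    Write-Warning "Test connection failed: $($_.Exception.Message). Rolling back to $previous."
    Set-AzSqlInstance -Name $InstanceName -ResourceGroupName $ResourceGroup `
        -MinimalTlsVersion $previous -Force | Out-Null
    throw
}
finally {
    $conn.Dispose()
}

# 4. Read the setting back so the reported result matches what Azure stores.
$after = (Get-AzSqlInstance -Name $InstanceName -ResourceGroupName $ResourceGroup).MinimalTlsVersion
if ($after -ne $TargetVersion) { throw "Update did not stick: MinimalTlsVersion is '$after'." }
Write-Host "MinimalTlsVersion is now $after"
```

The test connection only proves that the host running the script can negotiate the new minimum. Run the same connection test from each application server (or stage at 1.1 first, as described above) before treating the change as safe for production.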

Please note that TLS encryption costs CPU on both the client and the server: the handshake adds round trips when a connection is opened, and every byte sent afterwards is encrypted and authenticated. Under heavy connection churn or very high throughput this is measurable, but with hardware AES support, connection pooling and modern implementations the penalty is usually negligible. Raising the minimum from 1.0 or 1.1 to 1.2 does not itself add cost; the overhead comes from encrypting the channel, which applies whatever version is negotiated.
