Microsoft Excel, TLS & SQL Server – Important Considerations
As you may know, TLS 1.0 is being deprecated due to various known exploits and will no longer be PCI compliant as of June 30th, 2018 (see PCI DSS v3.1 and SSL: What you should do NOW below). You may also know that Microsoft has provided TLS 1.1/1.2 patches for the SQL Server Database Engine (2008+) as well as the client connectivity components (see TLS 1.2 support for Microsoft SQL Server below). What you may NOT know is that there is a popular feature in Excel to import data from SQL Server. See the screen print below from Excel 2016.
The problem with this feature lies in the fact that this menu option will, by default, leverage SQLOLEDB.1 as the OLE DB provider when connecting to SQL Server. This provider is an older MDAC/WDAC provider (see Data Access Technologies Road Map below) that comes built into the Operating System (including Windows 10) but DOES NOT support TLS 1.1+. So, if you have SQL Servers that have TLS 1.0 Server disabled, you will no longer be able to use this feature. You will receive an error similar to the one below. You will also receive the same or similar error if you have existing workbooks that use this feature and attempt to refresh those workbooks.
[DBNETLIB][ConnectionOpen (SECDoClientHandshake()).]SSL Security error
So, how do you address this? There are several alternatives depending on your situation. Here are some guidelines:
- For all NEW workbooks, do not use that menu option. Instead use the "From Data Connection Wizard" and select a compliant driver from the list. A requirement is that you have the SQL Native Client (2008 or 2012) or ODBC drivers with appropriate patches per TLS 1.2 support for Microsoft SQL Server below.
- For existing Workbooks, you will need to apply the appropriate SQL Server Native Client per TLS 1.2 support for Microsoft SQL Server and then change the connection properties by replacing SQLOLEDB.1 with SQLNCLI10 or SQLNCLI11depending on the version of SQL Native Client you installed.
The good news is that future versions of Excel (post 2016) will be moving this menu to a separate "Legacy Wizards" section as seen below, so it should become less of an issue.
A couple more areas to consider when disabling TLS 1.0 Server on your SQL Servers.
- First, for Excel, check those workbooks that leverage VBA code and database connectivity. The code in those workbooks will likely need to be adjusted accordingly to leverage SQL Native Client or ODBC with the appropriate patch.
- Microsoft Access can/will also use the older ODBC drivers built into the operating system, so make sure to check Access databases as well.
Here are some additional resources and references.
Additional Resources & References:
- PCI DSS v3.1 and SSL: What you should do NOW - https://www.pcicomplianceguide.org/pci-dss-v3-1-and-ssl-what-you-should-do-now/
- TLS 1.2 support for Microsoft SQL Server - https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server
- TLS Support At Microsoft - https://blogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/
- Data Access Technologies Road Map - https://msdn.microsoft.com/library/ms810810.aspx