Disable Weak SSL Protocols on Windows Server 2016

iis ssl windows-server-2016

We have tried to disable weak SSL/TLS protocols on a Windows 2016 server by setting the corresponding registry keys as suggested here:
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-10

We have created the following DWORDs:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

After a restart of the server a scan like https://www.ssllabs.com/ssltest/index.html still reports that the server supports TLS 1.0 and 1.1. We have cleared the scan cache after the change, so it shouldn't be a cached result. I also get a 200 OK response by

Invoke-WebRequest https://MyServer -SslProtocol Tls

If I use a tool like IISCrypto it reports that the protocols are disabled.

Any ideas regarding why these protocols are not being disabled by the registry keys above are very welcome!

Best Answer

Is your server directly exposed to the internet? It's not a common practice anymore. Usually there is a load balancer or reverse proxy in front of it these days. If there is, that's what the SSL Labs scan is hitting and that's where you need to disable TLS 1.0 and 1.1.
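
One way to tell the two cases in this answer apart, as an added example that is not part of the original question or answer: read back the SCHANNEL server values from the question, then attempt a handshake per protocol against both the public name and the server's own address. `MyServer` is the question's placeholder, `192.0.2.10` is a constructed placeholder for the server's direct address, and the function names are hypothetical.

```powershell
# Added example. Registry path is the one from the question.
$regBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerSetting {
    param([string[]]$Protocol = @('TLS 1.0', 'TLS 1.1'))
    foreach ($p in $Protocol) {
        $v = Get-ItemProperty -Path (Join-Path $regBase "$p\Server") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $p
            KeyExists         = [bool]$v
            Enabled           = $v.Enabled            # expected 0
            DisabledByDefault = $v.DisabledByDefault  # expected 1
        }
    }
}

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$Address,   # host name or IP to connect to
        [string]$SniName = $Address,              # name presented in the handshake
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocol = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocol) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $tcp.Connect($Address, $Port)
            # Certificate errors are ignored: only protocol negotiation is tested.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($SniName, $null, $proto, $false)
            $result = 'accepted'
        } catch {
            $result = 'rejected: ' + $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $tcp.Close()
        }
        [pscustomobject]@{ Target = "${Address}:$Port"; Protocol = $proto; Result = $result }
    }
}

Get-SchannelServerSetting | Format-Table
# Public name: the endpoint an external scanner reaches (possibly a proxy).
Test-TlsHandshake -Address 'MyServer' | Format-Table
# Direct address of the IIS host, bypassing any load balancer or reverse proxy.
Test-TlsHandshake -Address '192.0.2.10' -SniName 'MyServer' | Format-Table
```

If `Tls` is accepted on the public name but rejected on the direct address, the registry change worked and the device in front is the one still offering TLS 1.0. A rejection can also come from the testing machine's own SCHANNEL `Client` settings, so run the test from a host where the client side still allows the protocol being probed.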