Windows – How to disable TLS 1.0 in Windows Server 2012R2

windows, windows-server-2012-r2

I have disabled SSL 2.0 and SSL 3.0 in Windows 2012R2 server by going into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\ and adding entries as shown in the attachment. It is working perfectly fine.

However, that is not the case when I am trying to disable TLS 1.0. If I add entries similar to what I have done for SSL 2.0 and SSL 3.0, it blocks port 443. I am not able to get my head around this.

Pictures:
TLS 1.0 – Client Key settings
TLS 1.0 – Server Key settings

Nmap result with TLS 1.0 in the registry:

nmap -p 443 --script ssl-enum-ciphers operational-assessment.int.net.xyz.com

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 23:08 India Standard Time

Nmap scan report for operational-assessment.int.net.xyz.com (10.x.x.x)
Host is up (0.040s latency).

PORT    STATE  SERVICE
443/tcp closed https
MAC Address: 00:11:22:33:44:55 (Cimsys)

Nmap done: 1 IP address (1 host up) scanned in 2.23 seconds

But when I delete the TLS 1.0 entry from the registry, it works fine and says that TLS 1.0 is enabled.

Nmap result without TLS 1.0 in the registry:

nmap -p 443 --script ssl-enum-ciphers operational-assessment.int.net.xyz.com

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-02 22:40 India Standard Time
Nmap scan report for operational-assessment.int.net.xyz.com (10.x.x.x)
Host is up (0.041s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors: 
|       NULL
|     cipher preference: server
|     warnings: 
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|       Key exchange (dh 1024) of lower strength than certificate key

Please let me know if I am doing anything wrong. I have followed a handful of links and all of them suggest the way I have been following already.

Best Answer

I do not see the DisabledByDefault key set in your screenshot for TLS 1.0 Server. You do have it in the TLS 1.0 Client. This means that incoming connections to the server could still respond using TLS 1.0.

Both the DisabledByDefault = 1 and Enabled = 0 keys are required to close a protocol, as well as a system restart (depending upon the application, some check the available protocols every time and some only check on start).

Before you shut off 1.0, please ensure that you either have TLS 1.1 or 1.2 enabled on both Client and Server or have console access to the machine (you do not have the registry structure for the higher protocols listed in your screenshots). Failure to enable before the disable will lock you out of remote connectivity.
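As an added example (not part of the question or the answer), the PowerShell below audits the SCHANNEL Client and Server keys named in the answer for every protocol and closes TLS 1.0 only after TLS 1.2 has been explicitly enabled on both sides. The function names are my own; it assumes an elevated session on the 2012 R2 host and a reboot afterwards.

```powershell
# Added example: audit and correct SCHANNEL protocol keys (run elevated, then reboot).
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelState {
    # One row per protocol and side, showing whether the key exists and both values.
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $Base $p) $side
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                KeyExists         = [bool]$props
                Enabled           = $props.Enabled            # $null when key/value missing
                DisabledByDefault = $props.DisabledByDefault  # $null when key/value missing
            }
        }
    }
}

function Set-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol, [Parameter(Mandatory)][bool]$Enable)
    # Closing a protocol needs Enabled=0 AND DisabledByDefault=1 on BOTH Client and Server;
    # opening one is the inverse. Keys are created if the structure does not exist yet.
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $Base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Force `
            -Value ([int]$Enable) | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Force `
            -Value ([int](-not $Enable)) | Out-Null
    }
}

Get-SchannelState | Format-Table -AutoSize

# Safety check from the answer: explicitly enable a newer protocol first, verify it,
# and only then close TLS 1.0 so remote connectivity is not lost.
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
$bad12 = @(Get-SchannelState | Where-Object {
    $_.Protocol -eq 'TLS 1.2' -and ($_.Enabled -ne 1 -or $_.DisabledByDefault -ne 0) })
if ($bad12.Count -eq 0) {
    Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false
    Write-Host 'TLS 1.0 closed on Client and Server; restart the server to apply.'
} else {
    Write-Warning 'TLS 1.2 is not fully enabled on both sides; TLS 1.0 left unchanged.'
}
```

After the reboot, re-run the nmap ssl-enum-ciphers scan from the question: port 443 should stay open and the TLSv1.0 section should be gone while TLSv1.2 is listed.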