How to Disable TLS 1.0, 1.1 and SSL on Your Windows Server

The internet moves on and the next big thing that gets dropped is the support for older versions of TLS (Transport Layer Security). If you not already have done so, now would be a good time to check that your server understands TLS 1.2 and disable the older versions of TLS on your web servers.

A few months back I did a write-up on how to do get TLS 1.2 on a Windows Server 2008 R2. The same commands and registry keys help you to get rid of the old protocols on newer versions of Windows Server as well.

A simple way to check the configuration of your server is to enter your domain into the SSL Server Test from Qualys. After a few minutes you should see a detailed report that shows you the health of your server. In the configuration section you find the supported protocols of your server (here TLS 1.0, 1.1 and 1.2 are active):

Old TLS versions still activedeactivate

When TLS 1.2 is active, you can safely disable all the other protocols. However, if TLS 1.2 is not active, you first need to activate it. Otherwise your users will no longer be able to connect to your web server.

Before you make any changes to the registry, you must make a backup. If something goes wrong, you can go back and do not need to reinstall your server.

You can copy these lines in a file ending with *.reg and execute it:Microsoft Registry

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

If everything works you should get a success message at the end. To activate these changes, you now need to reboot your server.

As soon as your website is back up, you can rerun the SSL Server Test. If you get the exact same result back, you need to clear the cache by clicking on the link with that text right at the top. Now you should get a much better result and all the old protocols should be disabled:

Old TLS versions deactivated

With this little changes your Windows Server is now ready for the changes in the browsers that will rollout over the next weeks. Unfortunately, you cannot disable the old protocols on all your Windows Server. If you do so, some of your SQL Servers will no longer work. How to fix those problems will be the topic of next week’s post.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.