Disable TLS 1.0 and TLS 1.1 on Windows Server
Security

Disable TLS 1.0 and TLS 1.1 on Windows Server

In this article discuss about Disable TLS 1.0 and TLS 1.1 on Windows Server machines. Transport Layer Security protocol (TLS) 1.1 to be decommissioned this spring in support of an updated security protocol The NIH Information Security Program has directed eRA to decommission TLS 1.1 as a result of an updated cryptographic protocol being implemented.

The purpose of this post is to provide you with information about how to ensure the security of your infrastructure by enabling TLS 1.2 on your Windows Server.

Using TLS 1.2 or TLS 1.3, attackers will have difficulty eavesdropping on communications because of their resistance to man-in-the-middle attacks.

Transport Layer Security 1.3 simplifies the handshake process and removes unnecessary cryptographic overhead, which results in a faster connection time.

 

THREAT:

TLS can generate public and private key pairs using a variety of cyphers (algorithms). For instance, if TLSv1.0 employs the RC4 stream cypher or a block cypher in CBC mode. The biases in RC4 are well known, and the block cypher in CBC mode is vulnerable to the POODLE attack. TLSv1.0 includes a mechanism for a TLS implementation to downgrade the connection to SSL v3.0, thereby weakening security, if configured to use the same cypher suites as SSLv3.

IMPACT:

An attacker can use cryptographic flaws to launch man-in-the-middle attacks or decrypt communications. An attacker could, for example, force a downgrade from TLS to the older SSLv3.The POODLE vulnerability can be exploited to read secure communications or modify them maliciously if the protocol is Zero.

 

SOLUTION:

Due to several attacks found in recent years that put encrypted internet communications relying on the two protocols at risk, the Internet Engineering Task Force (IETF) has formally deprecated the TLS 1.0 and TLS 1.1 cryptographic protocols.

The IETF now recommends that all businesses, government agencies, and software developers use the two most recent versions of the TLS standard, TLS 1.2 and TLS 1.3, both of which are deemed secure connection.

 

Check TLS 1.0 and TLS 1.1 status on Windows

TLS 1.1 is used to encrypt traffic on the web server, but this protocol was deprecated by the US government in March 2021 due to concerns over security.

By using below syntax, we can check ssl/tls status. In order to execute we need to install openssl package in windows machine.

openssl s_client -connect ip:port -tls1

Step1:

Create a key on Windows Registry using PowerShell Command as mentioned below

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force

 

Output:

Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

Name        Property
----               --------
Server

 

As per above output we could see in Property TLS1.2 is not existing.

 

Procedure to enable TLS

As a part of prerequisite first Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 in Windows Registry

After disabling SSL2.0, SSL3.0, TLS1.0 and TLS1.1 reboot the machine. Now create a DWORD value as per below PowerShell command

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' –PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '0'

 

Output:

PS C:\Users\Administrator> New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '0'

DisabledByDefault : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Server
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2
PSChildName : Server
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

 

Step2:

Enable the TLS1.2 as per below PowerShell command

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' –PropertyType 'DWORD' -Name 'Enabled' -Value '1'

Output:

PS C:\Users\Administrator> New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -PropertyType 'DWORD' -Name 'Enabled' -Value '1'
Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Server
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
PSChildName : Server
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

 

Step3:

Create a key for TLS1.2 client version as per below PowerShell command

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force

Output

PS C:\Users\Administrator> New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force

Hive: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

Name       Property
----         - -------
Client

 

Enable the TLS1.2 by adding DWORD (32-bit) value as shown below

 

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' –PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '0

Output

PS C:\Users\Administrator> New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '0'

DisabledByDefault : 0
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Client
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2
PSChildName : Client
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

 

Step4:

TLS 1.2 can be enabled by using the registry keys and values listed below

 

New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '1'

Output:

PS C:\Users\Administrator> New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '1'

Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS
1.2\Client
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
PSChildName : Client
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

You can double check the setting in Windows Registry by using below path you could find disable TLS 1.0 and TLS 1.1 settings

 Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

 

Conclusion:

Successfully enabled Transport Layer Security (TLS) 1.2 and disable TLS 1.0 and TLS 1.1 in windows server operating system. This procedure is similar to all kind of windows server operating system.

Thanks for reading this article. I hope you find it useful. If you have a question about the disable TLS 1.0 and TLS 1.1 topic let me know.

Next PostInstall OpenSSL on Windows Platform Previous PostWeak SSL/TLS Key Exchange in Windows

Leave a Reply

Your email address will not be published. Required fields are marked *