To address TLS 1.0 and TLS 1.1 vulnerabilities on Windows Server, the recommended fix is to disable these deprecated protocols system-wide, as they are susceptible to attacks like POODLE and are no longer considered secure by modern standards (e.g., PCI DSS compliance requires their disablement).
This forces the use of TLS 1.2 or higher. These changes apply to the Schannel security support provider, which handles TLS/SSL for the OS, including services like IIS.
Important warnings:
• Test in a non-production environment first, as disabling these protocols can break connectivity with legacy clients or applications that only support TLS 1.0/1.1.
• Back up the registry before editing (via regedit > File > Export).
• Ensure all clients and applications can use TLS 1.2+.
• Restart the server after changes for them to take effect.
Method 1: Manual Registry Edit (Recommended for Single Servers)
Use the Registry Editor (regedit.exe) to configure the protocols. Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
For each protocol (TLS 1.0 and TLS 1.1), create the subkeys if they don’t exist, and set the following DWORD (32-bit) values under both the Client and Server subkeys:
Disable TLS 1.0
• Create key: TLS 1.0\Client
• Enabled = 0 (DWORD)
• DisabledByDefault = 1 (DWORD)
• Create key: TLS 1.0\Server
• Enabled = 0 (DWORD)
• DisabledByDefault = 1 (DWORD)
Disable TLS 1.1
• Create key: TLS 1.1\Client
• Enabled = 0 (DWORD)
• DisabledByDefault = 1 (DWORD)
• Create key: TLS 1.1\Server
• Enabled = 0 (DWORD)
• DisabledByDefault = 1 (DWORD)
Ensure TLS 1.2 is Enabled (Optional but Recommended)
• Under TLS 1.2\Client and TLS 1.2\Server:
• Enabled = 1 (DWORD)
• DisabledByDefault = 0 (DWORD)
After editing, restart the server.
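The Method 1 edits applied and read back from PowerShell, as an added example that is not code from the original page; it uses the same key path and DWORD values listed above, assumes an elevated session on the server, and doubles as the registry check for the Verification section.

```powershell
# Added example (not from the original page): applies the Method 1 registry settings
# and reads them back. Assumes an elevated session; a restart is still required.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Desired state per protocol, exactly as listed in Method 1
$Desired = @{
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}
function Set-SchannelProtocol {
    param([string]$Protocol, [int]$Enabled, [int]$DisabledByDefault)
    foreach ($Side in 'Client', 'Server') {
        $Key = "$Base\$Protocol\$Side"
        # Create "TLS x.y" and its Client/Server subkey if they do not exist yet
        if (-not (Test-Path "$Base\$Protocol")) { New-Item -Path "$Base\$Protocol" | Out-Null }
        if (-not (Test-Path $Key)) { New-Item -Path $Key | Out-Null }
        # -Force overwrites an existing value; both values are REG_DWORD (32-bit)
        New-ItemProperty -Path $Key -Name 'Enabled' -Value $Enabled -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -Value $DisabledByDefault -PropertyType DWord -Force | Out-Null
    }
}
function Test-SchannelProtocol {
    # Emits one row per protocol/side comparing the live registry with the desired state;
    # a missing value is reported as 'missing' so a half-applied change is visible
    param([string]$Protocol, [int]$Enabled, [int]$DisabledByDefault)
    foreach ($Side in 'Client', 'Server') {
        $Key  = "$Base\$Protocol\$Side"
        $Item = if (Test-Path $Key) { Get-Item -Path $Key } else { $null }
        $E = if ($Item) { $Item.GetValue('Enabled') } else { $null }
        $D = if ($Item) { $Item.GetValue('DisabledByDefault') } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $Side
            Enabled           = if ($null -eq $E) { 'missing' } else { $E }
            DisabledByDefault = if ($null -eq $D) { 'missing' } else { $D }
            Compliant         = ($E -eq $Enabled -and $D -eq $DisabledByDefault)
        }
    }
}
# Apply, then audit: every row should show Compliant = True before you reboot
foreach ($Protocol in $Desired.Keys) {
    $Values = $Desired[$Protocol]
    Set-SchannelProtocol -Protocol $Protocol @Values
}
$Desired.Keys | ForEach-Object { $Values = $Desired[$_]; Test-SchannelProtocol -Protocol $_ @Values } |
    Format-Table -AutoSize
```

Run only the Test-SchannelProtocol loop on its own to audit a server without changing it, for example after a GPO from Method 2 has been applied.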
Method 2: Via Group Policy (For Domain Environments)
If managing multiple servers via Active Directory:
1. Open Group Policy Management Console (gpmc.msc).
2. Edit a Group Policy Object applied to your servers.
3. Navigate to: Computer Configuration > Administrative Templates > Network > SSL Configuration Settings > SSL Cipher Suite Order.
4. Enable the policy and configure the cipher suite order to exclude TLS 1.0/1.1 ciphers (focus on TLS 1.2+).
5. For direct protocol control, use the registry-based GPO: Under Computer Configuration > Preferences > Windows Settings > Registry, create the keys/values as in Method 1.
6. Apply the GPO and run gpupdate /force on target servers, then restart.
This method is ideal for scalability.
For IIS-Specific Configuration
The above registry changes apply to IIS automatically, as it uses Schannel. After changes:
• Restart IIS: Run iisreset in an elevated Command Prompt.
• If hosting sites, verify bindings in IIS Manager and test with tools like SSL Labs’ SSL Test.
Verification
• Use PowerShell: Get-TlsCipherSuite | Select-Object Name to list enabled suites (ensure no TLS 1.0/1.1).
• External scan: Use online tools like Qualys SSL Labs or nmap (nmap --script ssl-enum-ciphers -p 443 yourserver.com).
• Check Event Viewer (Windows Logs > System) for Schannel errors post-restart.
If issues arise (e.g., broken apps), revert by deleting the added registry keys/values or setting Enabled=1 and DisabledByDefault=0. For Windows Server 2022+, TLS 1.0/1.1 are disabled by default in some scenarios due to deprecation. Consult Microsoft support for version-specific nuances.
