How to Disable TLS 1.0 and TLS 1.1 on Windows Server

Growing trends in cyber attacks made system administrators implement more secured communication protocols to protect their assets and network from attacks. TLS plays a vital role in the implementation stack. TLS is a critical security protocol that is used to encrypt communications between clients and servers. TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol and offer many advantages over their previous versions. TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining popularity because of its effeciency and speed. As a system administrator, you should enable TLS 1.2 and TLS 1.3 on your Windows Server to enhance the security of your infrastructure, but wait, that’s not enough, you should disable TLS 1.0 and TLS 1.1 on Windows Server as they are deprecated for their week security.

Before learning how to disable TLS 1.0 and TLS 1.1 on your Windows Server, let’s see about TLS 1.0 and TLS 1.1 and why you should disable disable TLS 1.0 and TLS 1.1 on Windows Server.

A Short Note About TLS 1.0 and TLS 1.1:

The Transport Layer Security (TLS) protocols are cryptographic protocols that provide communication security over the Internet. TLS 1.0 and TLS 1.1 are the two previous versions of the TLS protocol.

TLS 1.0 was first defined in 1999, and TLS 1.1 was published as an update to TLS 1.0 in 2006. TLS 1.0 and TLS 1.1 are now considered to be obsolete, and they are no longer considered secure.

Why You Should Disable TLS 1.0 and TLS 1.1 on Windows Server?

There are a few reasons why you should disable TLS 1.0 and TLS 1.1 on Windows Server:

  1. TLS 1.0 and TLS 1.1 are no longer considered secure, due to the fact that they are vulnerable to various attacks, such as the POODLE attack.
  2. Disabling TLS 1.0 and TLS 1.1 on your server will force clients to use a more secure protocol (TLS 1.2), which is less vulnerable to attack.
  3. Some government agencies, such as the US National Security Agency (NSA), have recommended that TLS 1.0 and TLS 1.1 be disabled.
  4. Microsoft will no longer provide security updates for Windows Server running TLS 1.0 and TLS 1.1.
  5. Many major software vendors are phasing out support for TLS 1.0 and TLS 1.1. This includes Google, Microsoft, Mozilla, and Apple.

Attacks TLS 1.0 and TLS 1.1 are vulnerable to:

There are a number of known vulnerabilities in TLS 1.0 and TLS 1.1 that can be exploited by attackers. These include:

  1. POODLE (Padding Oracle On Downgraded Legacy Encryption)
  2. BEAST (Browser Exploit Against SSL/TLS)
  3. CRIME (Compression Ratio Info-leak Made Easy)
  4. FREAK (Factoring Attack on RSA-EXPORT Keys)
  5. LOGJAM (Diffie-Hellman Key Exchange Weakness)

These vulnerabilities allow attackers to perform man-in-the-middle attacks, decrypt sensitive information, and hijack user sessions. By disabling TLS 1.0 and TLS 1.1 on your Windows server, you can protect yourself from these attacks.

What is the Alternate to TLS 1.0 and TLS 1.1?

The current version of the TLS protocol is TLS 1.3. TLS 1.3 was first defined in 2018, and it includes a number of security improvements over previous versions of the TLS protocol. We suggest you to enable TLS 1.2 and TLS 1.3 on your Windows Server instead of TLS 1.0 and TLS 1.1.

TLS 1.2 improves upon TLS 1.1 by adding support for Elliptic Curve Cryptography (ECC) and introducing new cryptographic suites that offer better security than the suites used in TLS 1.1. TLS 1.3 improves upon TLS 1.2 by simplifying the handshake process and making it more resistant to man-in-the-middle attacks. In addition, TLS 1.3 introduces new cryptographic suites that offer better security than the suites used in TLS 1.2.

TLS 1.2 and TLS 1.3 are both backward compatible with TLS 1.1 and earlier versions of the protocol. This means that a client that supports TLS 1.2 can communicate with a server that supports TLS 1.1 and vice versa. However, TLS 1.2 and TLS 1.3 are not compatible with each other. A client that supports TLS 1.2 cannot communicate with a server that supports TLS 1.3, and vice versa.

TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining in popularity. Many major web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, now support TLS 1.3. In addition, major Internet service providers, such as Cloudflare and Akamai, have started to support TLS 1.3 on their servers. Please visit this page if you want to deeply review the comparison of TLS implementations across different supported servers and clients.

Please visit these posts to learn more about TLS 1.2 and TLS 1.3:

  1. What Is SSL/TLS? How SSL, TLS 1.2, And TLS 1.3 Differ From Each Other?
  2. Decoding TLS v1.2 protocol Handshake with Wireshark
  3. Decoding TLS 1.3 Protocol Handshake With Wireshark
  4. How to Enable TLS 1.3 in Standard Web Browsers?
  5. How to Enable TLS 1.3 on Popular Web Servers?
  6. How to Enable TLS 1.2 and TLS 1.3 on Windows Server

How to Disable TLS 1.0 and TLS 1.1 on Windows Server?

We have covered 3 different ways to disable TLS 1.2 and TLS 1.3 on your Windows Server in this post. You can choose any one of the three ways to disable TLS 1.2 and TLS 1.3 on your Windows Server depending on your technical and automation skills.

  1. Disable TLS 1.2 and TLS 1.3 manually using Registry
  2. Disable TLS 1.2 and TLS 1.3 using Powershell Commands
  3. Disable TLS 1.2 and TLS 1.3 using CMD

Note: Microsoft clearly said that it doesn’t supports TLS 1.0 and TLS 1.1 on Windows operating systems. No patches will be provided for TLS 1.0 and TLS 1.1 from Microsoft. You can refer to the below table that shows the Microsoft Schannel Provider support of TLS protocol versions.

TLS Protocols Supported by Windows Operating Systems:

Windows OS TLS 1.0 Client TLS 1.0 Server TLS 1.1 Client TLS 1.1 Server TLS 1.2 Client TLS 1.2 Server TLS 1.3 Client TLS 1.3 Server
Windows Vista/Windows Server 2008 Enabled Enabled Not supported Not supported Not supported Not supported Not supported Not supported
Windows Server 2008 with Service Pack 2 (SP2) Enabled Enabled Disabled Disabled Disabled Disabled Not supported Not supported
Windows 7/Windows Server 2008 R2 Enabled Enabled Disabled Disabled Disabled Disabled Not supported Not supported
Windows 8/Windows Server 2012 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 8.1/Windows Server 2012 R2 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1507 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1511 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1607/Windows Server 2016 Standard Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1703 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1709 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1803 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1809//Windows Server 2019 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1903 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 1909 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 2004 Enabled Enabled Enabled Enabled Enabled Enabled Not supported Not supported
Windows 10, version 20H2 Enabled Enabled Enabled Enabled Enabled Enabled Not Supported Not Supported
Windows 10, version 21H1 Enabled Enabled Enabled Enabled Enabled Enabled Not Supported Not Supported
Windows 10, version 21H2 Enabled Enabled Enabled Enabled Enabled Enabled Not Supported Not Supported
Windows Server 2022 Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled
Windows 11 Enabled Enabled Enabled Enabled Enabled Enabled Enabled Enabled

Method 1 : Disable TLS 1.0 and TLS 1.1 manually using Registry

Let’s begin learning how to disable TLS 1.0 and TLS 1.1 manually using Windows Registry.

Time needed: 15 minutes.

  1. Open regedit utility

    Open ‘Run‘, type ‘regedit’ and click ‘OK’.

    Open regedit utility on Windows

  2. Create New Key

    In Registry Editor, navigate to the path : Computer/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols.
    Create a new key by Right click on ‘Protocols‘ –> New –> Key.

    Create New Key on Windows

  3. Rename the Registry Key ‘TLS 1.0’

    Name key as ‘TLS 1.0
    Rename the registry key as ‘TLS 1.0‘.

    Rename the Registry Key 'TLS 1.0'

  4. Create One More Registry Key ‘Client’ underneath ‘TLS 1.0’

    As smiler to the above step, create another key as ‘Client‘ underneath ‘TLS 1.0‘ as shone in this picture.Create One More Registry Key 'Client' underneath 'TLS 1.0'

  5. Create New Item ‘DWORD (32-bit) Value’ Underneath ‘Client’

    Create new  item by right click on ‘Client‘, select ‘New’ –> DWORD (32-bit) Value.

    Create New Item 'DWORD (32-bit) Value' Underneath 'Client'

  6. Rename the Item ‘DWORD (32-bit) Value’ to ‘Enable’

    We Name the item as ‘Enabled‘ with Hexadecimal value as ‘0‘.

    Rename the Item 'DWORD (32-bit) Value' to 'Enable'

  7. Create another item, ‘DisabledByDefault’ Underneath TLS 1.0

    Similarly, create another item, ‘DisabledByDefault‘, with a Hexadecimal value as ‘1‘.

    Create another item, 'DisabledByDefault' Underneath TLS 1.0

  8. Create ‘Server’ and corresponding Keys as in the case of ‘Client’

    Similar to the above steps, create a key ‘Server‘ under ‘Protocols‘ and create registry items ‘DWORD (32-bit)’ and ‘Enabled’ as shown below.

    Create 'Server' and corresponding Keys as in the case of 'Client'

  9. Disable TLS 1.1 on the Windows Server

    Similar to the above steps, create a key ‘TLS 1.1’ under ‘Protocols‘ and below keys and items to Disable ‘TLS 1.1’

    > HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Client/Enabled with Hexadecimal value as ‘0’
    > HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Client/DisabledByDefault with Hexadecimal value as ‘1’

    > HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Server/Enabled with Hexadecimal value as ‘0’
    > HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Server/DisabledByDefault with Hexadecimal value as ‘1’

  10. Create 'Server' and corresponding Keys as in the case of 'Client' (1)

Method 2 : Disable TLS 1.0 and TLS 1.1 using Powershell commands

Follow this simple procedure to enable TLS 1.2 and TLS 1.2 using Powershell commands.

  1. Open Powershell as Administrator
Open Powershell as Administrator on Windows

2. Run the below commands to create Registry entries

- New-Item 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Server' -Force
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Server' –PropertyType 'DWORD' -Name 'Enabled' -Value '0' 
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Server' –PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1' 

- New-Item 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Client' -Force
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Client' –PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1' 


- New-Item 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Server' -Force
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Server' –PropertyType 'DWORD' -Name 'Enabled' -Value '0' 
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Server' –PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1' 

- New-Item 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Client' -Force
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
- New-ItemProperty -Path 'HKLM:/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Client' –PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

Before running the commands, you can see no items exist underneath Protocol.

no items were exist underneath Protocol

After running the commands you can see there are two keys created ‘TLS 1.0’ & ‘TLS 1.1’, Underneath each protocols there are ‘Client’ &’Server’ Keys inside them ther are two items ‘DisableByDefault’ & ‘Enabled’.

List of Item Created underneath Client' and Server using PowerShell Commands

Method 3 : Disable TLS 1.0 and TLS 1.1 on Windows Server using CMD

Follow this simple procedure to disable TLS 1.0 and TLS 1.1 using CMD comments.

  1. Open ‘Command Prompt’ as Administrator
Open 'Command Prompt' as Administrator on the Windows Server

2. Run the below commands to create Registry entries.

reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Server" /v Enabled /t REG_DWORD /d 0 /f 
reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Client" /v Enabled /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.0/Client" /v DisabledByDefault /t REG_DWORD /d 1 /f


reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Server" /v Enabled /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Client" /v Enabled /t REG_DWORD /d 0 /f reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/SecurityProviders/SCHANNEL/Protocols/TLS 1.1/Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

We hope this post will help you know how to disable TLS 1.0 and TLS 1.1 on your Windows Server as they are deprecated for their week security. Please share this post if you find this interested. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/290629.html

(0)
上一篇 2022年10月29日
下一篇 2022年10月29日

相关推荐

发表回复

登录后才能评论