


How To Check TLS Version In Windows Server 2012 R2

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, typically between a website and a browser.

TLS 1.0 and its deprecated predecessor, SSL, are vulnerable to some well-known security issues such as POODLE and BEAST attacks. According to NIST, these vulnerabilities cannot be fixed or patched, therefore all companies, particularly banks and other financial institutions who are notoriously slow in upgrading their systems, need to upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and the older TLS 1.0.

As of 30 June 2018, SSL and TLS 1.0 should be disabled and a more secure encryption protocol such as TLS 1.2 (or at the minimum TLS 1.1) is required to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

The next question, then, is how in practice do we enable TLS 1.2 on Windows Servers, especially on older servers such as Windows Server 2008, as many companies are not on the latest and greatest operating systems?

This post will address what to look for and how to enable TLS 1.2 as the default protocol for Windows Server 2012 R2 or older.

IMPORTANT: As always, and it's worth repeating, you need to back up your current registry settings before attempting any of these changes on your servers.

Enable TLS 1.2 on Windows Servers 2008 SP2 or later

As a blanket statement, you can enable TLS 1.2 on your server from Windows Server 2008 SP2 or later. Microsoft provided an update to add support for TLS 1.1 and TLS 1.2 for Windows Server 2008, but it requires Windows Server 2008 SP2 installed.

So just to state the obvious, TLS 1.1 and TLS 1.2 are not supported for 32-bit Windows Server 2008 SP1.

  1. Launch regedit.exe.

  2. In registry, go to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  3. Create a new DWORD entry with a name TLS 1.2 and create another subkey Client and Server.

  4. Under the subkey Server, create another DWORD Enabled with a value of 1.

  5. Still under the subkey Server, create a DWORD DisabledByDefault with a value of 0.

  6. You must create a subkey DisabledByDefault entry in the appropriate subkey (Client, Server) and set the DWORD value to 0 since this entry is set to 1 by default.

    Windows 2008 Standard enabling TLS 1.2

  7. Reboot the server and test.
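
The same procedure as a script, added here as an example and not taken from the original post. It exports the SCHANNEL branch first, then creates TLS 1.2 as a key under Protocols with Client and Server subkeys holding the two DWORD values, which is the layout Schannel reads. The backup file name is an assumption.

```powershell
# Added example: back up SCHANNEL, then enable TLS 1.2 for Client and Server.
# Run from an elevated PowerShell prompt. $backup is a constructed path.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$backup   = Join-Path $env:TEMP 'schannel-before-tls12.reg'

# Export the current settings so the change can be rolled back with "reg import".
& reg.exe export ($schannel -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; nothing was changed.' }

foreach ($role in 'Client', 'Server') {
    $key = Join-Path $schannel "Protocols\TLS 1.2\$role"

    # Create the key only if it is missing, so existing values are left untouched.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Enabled = 1 turns the protocol on; DisabledByDefault = 0 lets it be negotiated
    # without the application asking for it explicitly.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
}

# Read the values back so the result is visible before the reboot.
foreach ($role in 'Client', 'Server') {
    $p = Get-ItemProperty -Path (Join-Path $schannel "Protocols\TLS 1.2\$role")
    '{0}: Enabled={1} DisabledByDefault={2}' -f $role, $p.Enabled, $p.DisabledByDefault
}
"Backup written to $backup"
```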

Enable TLS 1.2 on .NET Framework 3.5 (including 2.0)

.NET Framework 3.5 or earlier did not originally provide support for applications to use TLS System Default Versions as a cryptographic protocol. However, for Windows Server 2012 R2, check if KB3154520 is installed (or KB3154519 for Windows Server 2012; KB3154518 for Windows Server 2008 R2; KB3154517 for Windows Server 2008 SP2).

How to check the KB updates

  1. Right-click on the Windows button and select Programs and Features.

    Windows Server 2012 R2 Programs and Features

  2. On the Programs and Features window, click on View installed updates on the left pane.

    Windows Server 2012 R2 View installed updates

  3. You will see a list of the updates that you can narrow down or do a very specific search by using the Search Installed Updates box. You can type in the KB number (i.e., "KB3154520").

    Windows Server 2012 R2 KB3154520 update

  4. If the corresponding KB is already installed, we just need to enable it via registry change. Otherwise, you need to install the patch from either of the links for Windows Server 2012 R2 (or use the same corresponding links above for earlier versions of Windows Server).

Registry Change

  1. Launch regedit.exe.

  2. Go to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727

  3. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  4. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  5. Go to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319

  6. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  7. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  8. For 64-bit OS, the same changes are also needed for the following locations:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727

  9. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  10. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  11. Go to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319

  12. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  13. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  14. Test.

Windows Server 2012 R2 TLS default
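
The KB check and the .NET registry change above, combined into one script. This is an added example, not code from the original post; it maps the OS version to the KB numbers listed earlier and assumes an elevated PowerShell prompt.

```powershell
# Added example: confirm the KB named on this page for the running OS, then set
# both .NET values in the native and Wow6432Node registry views.
$kbByOs = @{ '6.3' = 'KB3154520'   # Windows Server 2012 R2
             '6.2' = 'KB3154519'   # Windows Server 2012
             '6.1' = 'KB3154518'   # Windows Server 2008 R2
             '6.0' = 'KB3154517' } # Windows Server 2008 SP2
$v  = [Environment]::OSVersion.Version
$kb = $kbByOs["$($v.Major).$($v.Minor)"]

if ($kb) {
    # Get-HotFix matches on the exact ID. If a later rollup delivered the fix,
    # this ID is not listed, so a miss calls for a manual check, not a conclusion.
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hit) { "$kb installed on $($hit.InstalledOn)" }
    else      { Write-Warning "$kb not listed; install it or confirm a superseding update." }
}

$roots = 'HKLM:\SOFTWARE\Microsoft\.NETFramework',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework'

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }   # Wow6432Node is absent on a 32-bit OS

    foreach ($ver in 'v2.0.50727', 'v4.0.30319') {
        $key = Join-Path $root $ver
        # Create the key only if it is missing, so existing values are kept.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        }

        # Read back what is now stored under this key.
        $p = Get-ItemProperty -Path $key
        '{0}: SystemDefaultTlsVersions={1} SchUseStrongCrypto={2}' -f `
            $key, $p.SystemDefaultTlsVersions, $p.SchUseStrongCrypto
    }
}
```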

Enable TLS 1.2 as default for WinHTTP

This may be applicable for any Classic ASP or VB6 applications that use WinHTTP. Prior to Windows 10 and Windows Server 2016, TLS 1.1 or 1.2 is not enabled by default for client-server communications through WinHTTP.

To set TLS 1.2 by default, do the following:

  1. Create a registry entry DefaultSecureProtocols on the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

  2. Set the DWORD value to 800 for TLS 1.2.

  3. For 64-bit OS, repeat steps 1 and 2 on the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

  4. Reboot the server and test.

Windows Server 2012 R2 DefaultSecureProtocols registry entry
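
DefaultSecureProtocols is a bitmask, and the 800 in step 2 is hexadecimal (0x800). Typed as decimal, 800 is stored as 0x320, which sets the SSL 3.0 and TLS 1.1 bits and leaves TLS 1.2 off. The script below is an added example, not from the original post: it decodes the value in both registry views and writes 0x800 only when `$apply` (a name chosen for this example) is set to `$true`.

```powershell
# Added example: decode WinHTTP DefaultSecureProtocols and optionally set TLS 1.2.
$bits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x00000008 },
    @{ Name = 'SSL 3.0'; Bit = 0x00000020 },
    @{ Name = 'TLS 1.0'; Bit = 0x00000080 },
    @{ Name = 'TLS 1.1'; Bit = 0x00000200 },
    @{ Name = 'TLS 1.2'; Bit = 0x00000800 }
)

function ConvertFrom-SecureProtocols([int]$Value) {
    # List every protocol whose bit is set in the stored DWORD.
    $on = @($bits | Where-Object { $Value -band $_.Bit } | ForEach-Object { $_.Name })
    '0x{0:X8} = {1}' -f $Value, ($on -join ', ')
}

# Constructed inputs: the intended value, then the same digits entered as decimal.
ConvertFrom-SecureProtocols 0x800
ConvertFrom-SecureProtocols 800

$apply = $false   # set to $true to write 0x800 (elevated prompt required)
$paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }   # second path exists only on 64-bit OS

    if ($apply) {
        New-ItemProperty -Path $path -Name 'DefaultSecureProtocols' -Value 0x800 `
            -PropertyType DWord -Force | Out-Null
    }

    # Report what each view currently holds.
    $p = Get-ItemProperty -Path $path -Name 'DefaultSecureProtocols' -ErrorAction SilentlyContinue
    if ($p) { "$path`n  " + (ConvertFrom-SecureProtocols $p.DefaultSecureProtocols) }
    else    { "$path`n  DefaultSecureProtocols not set" }
}
```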

Windows 10 and Windows Server 2016/2019 support TLS 1.2 for client-server communications by using WinHTTP.



Source: https://www.itnota.com/enabling-tls-1-2-default-security-protocol-windows-servers/

Posted by: berglundbethis.blogspot.com
