This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET5%3C/text%3E%3C/svg%3E)
Our Windows 2019 Version 1809 (OS Build 17763.53.29) RRAS VPN servers are still accepting requests over TLS 1.0 & 1.1, even after applying the following changes this week. Can someone please shed some light on what could be the reason behind this? Please refer to the screenshot attached to this post, where you will see how we have created the registry entries to disable TLS 1.0 & 1.1.
Step 1: Navigate to
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols". Create a key named "TLS 1.1" with two DWORDs for both TLS 1.0 & 1.1: "DisabledByDefault=1" & "Enabled=0". Similarly, create a key named "TLS 1.0" with two DWORDs for each protocol, "DisabledByDefault=1" & "Enabled=0".
Step 2: Execute the commands
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA" and Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA".
Reference: Microsoft Docs on TLS Registry Settings
After completing the change request (CR), when I check to see if TLS 1.0 & 1.1 are still enabled, it appears that they are.
Hi OP :)
I always use this simple tool, that is tried and true:
https://www.nartac.com/Products/IISCrypto/ Nartac has been making it free and has helped me secure many services and get good scores on SSL Labs.
Highly recommend
/Michael
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
I invite you to read this article :
How to Disable TLS 1.0 and TLS 1.1 in Windows Using GPO
---Please don't forget to accept helpful answer
, Last time also I followed the same approach similar to your suggestion and it didn't work for me. This occasion I tried your suggestion using IIS Crypto 3.3 tool to apply the settings (refer the screenshot below) still server hello works on TLS 1.0 (refer the screenshot below)
FYI - I have not enabled system encryption protocols for .Net 3.5 and 2.0 and I am not sure if this should be added. Also, I verified the Internet settings there TLS 1.0 & 1.1 is unchecked.
Just checking.. but you did reboot after making the changes right? (I know you did, but had to check!).
Also:
I found this info in this good thread:
https://serverfault.com/questions/795562/tls-1-0-still-being-used-in-iis-after-its-been-disabled
Yes, I did reboot the server but no luck. In the serverfault link you shared has an important point mentioned by Dwayne Driskill which is disabling weaker TLS on AWS elastic load balancer where I should also run a check.