How to disable TLS and SSL 1.0 in the OS and IIS?

Sandro Alves 51 Reputation points
2022-11-17T16:13:02.21+00:00

Hi,

Is there any tool to disable TLS 1.0 in Windows and IIS?

We have web servers and we want to force them to only work with TLS 1.2.

Thanks.

Windows development | Internet Information Services
Windows for business | Windows Server | User experience | Other

3 answers

  1. Sam Wu-MSFT 7,561 Reputation points Microsoft External Staff
    2022-11-18T02:52:12.027+00:00

    @Sandro Alves

    You can follow these steps to enable TLS 1.2 and disable 1.0:

    • Enable TLS 1.2 on Windows by manually updating the registry files:
      1. Open registry on the server by running regedit in the run window.
      2. Navigate to the below location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
      3. Add the and TLS 1.2 keys under Protocols: Right-click Protocols > Select New > Key > Name the key TLS 1.2.
      4. Create two keys Client and Server under TLS keys.
      5. Create the DWORD (32-bit) values under Server and Client key as follows: DisabledByDefault [Value = 0] and Enabled [Value = 1]
    • Disable TLS 1.0:
      6. Open registry on your server by running regedit in the run window.
      7. Navigate to the below location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
      8. Now change DWORD values under Server and Client under TLS 1.0: DisabledByDefault [Value = 0] and Enabled [Value = 0].
      9. If TLS 1.0 entry does not exist in the registry, you can create a new key called TLS 1.0 and disable it.
    • Verify that your server now supports TLS 1.2 protocol by following the below steps:
      10. Click the Windows button on the lower left-hand corner of your Desktop.
      11. Type "Internet Options" and select Internet Options from the list.
      12. Click on the Advanced tab and from there scroll down to the very bottom. Confirm that TLS 1.2 is checked. If it is not, please check the box adjacent to Use TLS 1.2 and then Apply.

    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    6 people found this answer helpful.
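
The registry steps from the answer above as a PowerShell script, for the case raised further down the thread of changing several servers without opening regedit on each. This is an added example, not code from the thread: the function names are hypothetical, and it sets DisabledByDefault to 1 for TLS 1.0, the value Microsoft's TLS registry settings documentation pairs with Enabled = 0, where the answer uses 0.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): applies the SCHANNEL values and reads them back.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state per protocol. Assumption: DisabledByDefault = 1 for the disabled
# protocol, following Microsoft's TLS registry settings documentation.
$desired = [ordered]@{
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Set-SchannelProtocol {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][int]$Enabled,
        [Parameter(Mandatory)][int]$DisabledByDefault
    )
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$role"
        $what = "Enabled=$Enabled DisabledByDefault=$DisabledByDefault"
        if (-not $PSCmdlet.ShouldProcess($key, $what)) { continue }
        # Create the protocol key and its Client/Server subkey if missing.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'Enabled' -Value $Enabled `
            -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value $DisabledByDefault `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocol {   # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$Protocol)
    foreach ($p in $Protocol) {
        foreach ($role in 'Client', 'Server') {
            # Missing keys or values come back empty rather than throwing.
            $v = Get-ItemProperty -Path (Join-Path $base "$p\$role") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol = $p; Role = $role
                Enabled = $v.Enabled; DisabledByDefault = $v.DisabledByDefault
            }
        }
    }
}

foreach ($p in @($desired.Keys)) {
    $settings = $desired[$p]
    Set-SchannelProtocol -Protocol $p @settings   # add -WhatIf to preview without writing
}
Get-SchannelProtocol -Protocol @($desired.Keys) | Format-Table -AutoSize
Write-Warning 'Restart the server before testing: SCHANNEL picks up these values at boot.'
```
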

  2. Michael Taylor 60,326 Reputation points
    2022-11-17T18:15:01.777+00:00

    You have to use the iiscrypto tool. Put it on the server(s) you need and run it. Then uncheck the protocols you don't want to support anymore and apply. Then reboot the server.

    1 person found this answer helpful.

  3. Rafael da Rocha 5,251 Reputation points
    2022-11-17T18:35:07.053+00:00

    Hello @Sandro Alves ,
    adding to cooldadtx's answer, iiscrypto is a great tool.
    But if you're doing it to multiple servers, you might want to look into deploying the settings via group policy or another more programmatic method that doesn't involve logging in to every host.
    Here's the documentation on how to enable TLS 1.2, and it also contains the link for how to disable other protocols:

    Enable TLS 1.2 on servers