Disable TLS 1.0 & 1.1 Windows Server 2019

Question

Disable TLS 1.0 & 1.1 Windows Server 2019

tnch57-5060 1

Our Windows 2019 Version 1809 (OS Build 17763.53.29) RRAS VPN servers are still accepting requests over TLS 1.0 & 1.1, even after applying the following changes this week. Can someone please shed some light on what could be the reason behind this? Please refer to the screenshot attached to this post, where you will see how we have created the registry entries to disable TLS 1.0 & 1.1. Step 1: Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols". Create a key named "TLS 1.1" with two DWORDs for both TLS 1.0 & 1.1: "DisabledByDefault=1" & "Enabled=0". Similarly, create a key named "TLS 1.0" with two DWORDs for each protocol, "DisabledByDefault=1" & "Enabled=0". Step 2: Execute the commands Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA" and Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_256_CBC_SHA". Reference: Microsoft Docs on TLS Registry Settings After completing the change request (CR), when I check to see if TLS 1.0 & 1.1 are still enabled, it appears that they are. User's image

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

3 answers

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Answer 2

Michael Mardahl 0 MVP

Just checking.. but you did reboot after making the changes right? (I know you did, but had to check!).

Also:

Try with disabled FIPS
https://knowledge.insourcess.com/Supporting_Technologies/Operating_System/Tech_Notes/TN_-_1023_How_to_Disable_the_FIPS_Compliant_Algorithm_Group_Policy_Setting
Verify you dont have another network device in front, like a load balancer or reverseProxy that is intercepting the traffic.

I found this info in this good thread:
https://serverfault.com/questions/795562/tls-1-0-still-being-used-in-iis-after-its-been-disabled

tnch57-5060 1 Reputation point

2024-02-11T17:15:16.85+00:00

Yes, I did reboot the server but no luck. In the serverfault link you shared has an important point mentioned by Dwayne Driskill which is disabling weaker TLS on AWS elastic load balancer where I should also run a check.

Answer 3

Thameur-BOURBITA 36,261 Moderator

Hi @Suriya, Sujithkumar

I invite you to read this article :

How to Disable TLS 1.0 and TLS 1.1 in Windows Using GPO

---Please don't forget to accept helpful answer

tnch57-5060 1 Reputation point

2024-02-11T12:58:38.99+00:00

, Last time also I followed the same approach similar to your suggestion and it didn't work for me. This occasion I tried your suggestion using IIS Crypto 3.3 tool to apply the settings (refer the screenshot below) still server hello works on TLS 1.0 (refer the screenshot below)

FYI - I have not enabled system encryption protocols for .Net 3.5 and 2.0 and I am not sure if this should be added. Also, I verified the Internet settings there TLS 1.0 & 1.1 is unchecked.

Share via

Disable TLS 1.0 & 1.1 Windows Server 2019

3 answers

Your answer