TLS 1.0 to be disabled

Question

Hello,

Our Security Team is requesting us to uncheck in IIS Crypto TLS 1.0 to make it Disabled.

"Close port 80, disable TLS 1.0, and disable MD5 hash"

Any recommendations?
TLS 1.2 is already deployed ...
Is it possible to verify that all clients are using TLS 1.2?

Thanks,
Dom

Answer

Hi

It's easy with IIS Crypto to disable it, else it's in the registry;

HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0\Server
(DWORD) DisabledByDefault:=1

IIS Crypto would do the same, so I recommend of using it.

To disable port 80 it's your choice. I found it handy to have it open as you need port 80 if you want to do a redirect (HTTP->HTTPS) to the port 443 for HTTPS.

Thanks

Philippe

Answer

Hi @Dominique DUCHEMIN ，

We only require 1.2 to be enabled and there is no necessary to turn off 1.0 and 1.1, whether we want to close depends on the our own choice.

Here is the article about enabling TLS 1.2 from Microsoft Learn:
https://learn.microsoft.com/en-US/mem/configmgr/core/plan-design/security/enable-tls-1-2

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer

Thanks for this,
Should it be done for the whole environment MEMCM or only as needed?

Thanks,
Dom

Answer

Hello,

"...there is no necessary to turn off 1.0 and 1.1...
It is a security request due to vulnerabilities... at least for TLS 1.0 I will have no choice ....

Thanks,
Dom

TLS 1.0 to be disabled

4 answers