TLS 1.0 to be disabled

Dominique DUCHEMIN 831 Reputation points
2021-06-30T18:31:20.753+00:00

Hello,

Our Security Team is requesting that we uncheck TLS 1.0 in IIS Crypto to make it Disabled.

"Close port 80, disable TLS 1.0, and disable MD5 hash"

Any recommendations?
TLS 1.2 is already deployed ...
Is it possible to verify that all clients are using TLS 1.2?

Thanks,
Dom

Microsoft Configuration Manager

4 answers

  1. Philippe Levesque 5,696 Reputation points MVP
    2021-06-30T19:14:29.907+00:00

    Hi

    It's easy to disable it with IIS Crypto; otherwise it's in the registry:

    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
    (DWORD) DisabledByDefault:=1

    IIS Crypto would do the same, so I recommend using it.

    To disable port 80 it's your choice. I found it handy to have it open as you need port 80 if you want to do a redirect (HTTP->HTTPS) to the port 443 for HTTPS.

    Thanks

    Philippe

    1 person found this answer helpful.
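A read-only audit of the SCHANNEL registry values discussed in the answer above, added here as an example (it is not code from the thread). It assumes the standard `TLS 1.0` and `TLS 1.2` key names, and it reports machine-level registry state only, not which protocol individual clients actually negotiate.

```powershell
# Added example (not from the thread): read-only audit of SCHANNEL protocol keys.
# Assumes the standard key names, e.g. "TLS 1.0" (with a space) under Protocols.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-SchannelState {
    param($Enabled, $DisabledByDefault)
    if ($null -eq $Enabled -and $null -eq $DisabledByDefault) { return 'not configured' }
    # Enabled=0 is the value Microsoft documents for turning a protocol off.
    if ($null -ne $Enabled -and $Enabled -eq 0) { return 'disabled' }
    # DisabledByDefault=1 without Enabled=0 is reported as its own state.
    if ($DisabledByDefault -eq 1) { return 'off by default' }
    return 'enabled'
}

$report = foreach ($protocol in 'TLS 1.0', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $path    = "$base\$protocol\$role"
        $enabled = Get-SchannelValue -Path $path -Name 'Enabled'
        $dbd     = Get-SchannelValue -Path $path -Name 'DisabledByDefault'
        $state   = Get-SchannelState -Enabled $enabled -DisabledByDefault $dbd

        # Flag anything that does not match "TLS 1.0 off, TLS 1.2 usable".
        $finding = 'ok'
        if ($protocol -eq 'TLS 1.0' -and $state -ne 'disabled') {
            $finding = 'REVIEW: TLS 1.0 is not explicitly disabled'
        }
        if ($protocol -eq 'TLS 1.2' -and $state -in 'disabled', 'off by default') {
            $finding = 'REVIEW: TLS 1.2 is restricted'
        }

        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $dbd
            State             = $state
            Finding           = $finding
        }
    }
}

$report | Format-Table -AutoSize
```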

  2. Amandayou-MSFT 11,051 Reputation points
    2021-07-02T06:40:48.127+00:00

    Hi @Dominique DUCHEMIN

    We only require 1.2 to be enabled and it is not necessary to turn off 1.0 and 1.1; whether we want to close them depends on our own choice.

    Here is the article about enabling TLS 1.2 from Microsoft Learn:
    https://learn.microsoft.com/en-US/mem/configmgr/core/plan-design/security/enable-tls-1-2



    1 person found this answer helpful.

  3. Dominique DUCHEMIN 831 Reputation points
    2021-06-30T22:46:36.39+00:00

    Thanks for this,
    Should it be done for the whole environment MEMCM or only as needed?

    Thanks,
    Dom


  4. Dominique DUCHEMIN 831 Reputation points
    2021-07-03T15:12:40.827+00:00

    Hello,

    "...it is not necessary to turn off 1.0 and 1.1..."
    It is a security request due to vulnerabilities... at least for TLS 1.0 I will have no choice ....

    Thanks,
    Dom
