How to disable protocols

Teemo Tang 11,331 Reputation points
2020-07-15T06:54:25.65+00:00

Hi experts

How do I disable TLS 1.0, SSL 2.0 and SSL 3.0? I have checked in IISCrypto and I can see that they are disabled, but I still
get alerts that they are enabled. When I look in the registry for the 3 keys below, I can see the information shown in the screenshot.
Do I need to remove the entry DisabledByDefault?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
The server has been rebooted. When I open Internet Explorer > Internet Options > Advanced, I can see TLS 1.0 check marked. Or is there any other way to check from a remote server that TLS 1.0 and SSL are disabled on this server? Maybe it is an issue with the alerting tool.

source link: https://social.technet.microsoft.com/Forums/windows/en-US/acd08334-c388-4fc6-951c-8c0ec7ce0b11/how-to-disable-protocols?forum=ws2016

Windows Server 2016

Accepted answer
  1. Jenny Feng 14,146 Reputation points
    2020-07-15T07:31:43.82+00:00

    Welcome to our new Microsoft Q&A Platform.

    Based on your description, we can see that you've only created the subkey named Server under the Registry key Protocols. It controls the use of the TLS 1.0 protocol on the TLS server, which means that when you configure it to be disabled, other machines cannot access this machine through the TLS 1.0 protocol. But it does not stop this computer from accessing other computers through the TLS 1.0 protocol.

    If you don't want this machine to have access to other machines through the TLS 1.0 protocol, you could create a subkey named Client under the Registry key named Protocols (Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols).

    To enable the TLS 1.0 protocol, create an Enabled entry in the Client subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1. To disable TLS 1.0 for Client, change the DWORD value to 0. If an SSPI app requests to use TLS 1.0, it will be denied. To disable TLS 1.0 by default, create a DisabledByDefault entry and change the DWORD value to 1. If an SSPI app explicitly requests to use TLS 1.0, it may be negotiated.

    Here are also some articles for you to refer to:
    Transport Layer Security (TLS) registry settings: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-10
    How to disable TLS 1.0 in Windows 10: https://windowsreport.com/how-to-disable-tls-1-0/

    Hopefully those things above will help you.

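A read-only way to see what the Server and Client subkeys discussed in the answer actually contain for SSL 2.0, SSL 3.0 and TLS 1.0, as an added example that is not part of the original thread. The function name `Get-SchannelProtocolState` is hypothetical; the registry path and the `Enabled` / `DisabledByDefault` value names are the ones quoted above.

```powershell
# Added example: read-only audit of the SCHANNEL protocol keys (changes nothing).
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'   # key names as Microsoft documents them
$roles     = 'Server', 'Client'

# Hypothetical helper: interpret Enabled / DisabledByDefault for one protocol and role.
function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)

    $path    = "$base\$Protocol\$Role"
    $props   = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $enabled = if ($props) { $props.Enabled } else { $null }
    $dbd     = if ($props) { $props.DisabledByDefault } else { $null }

    # Enabled = 0 always wins; DisabledByDefault only removes the protocol from
    # the default set, so an app that asks for it explicitly may still get it.
    $state = if ($null -ne $enabled -and $enabled -eq 0) {
        'Disabled'
    } elseif ($null -ne $dbd -and $dbd -ne 0) {
        'Disabled by default (an app can still request it explicitly)'
    } elseif ($null -ne $enabled) {
        'Enabled'
    } else {
        'Not configured (OS default applies)'
    }

    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        KeyExists         = Test-Path -Path $path
        Enabled           = $enabled
        DisabledByDefault = $dbd
        State             = $state
    }
}

$report = foreach ($p in $protocols) {
    foreach ($r in $roles) { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize

# Every other subkey under Protocols is listed here, so a key whose name differs
# from the documented one shows up in this list instead of in the table.
Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
    Where-Object { $protocols -notcontains $_.PSChildName } |
    ForEach-Object { "Not audited above: '$($_.PSChildName)'" }
```

To audit another machine, the same script can be run through PowerShell remoting with `Invoke-Command -ComputerName <server> -FilePath <script.ps1>`. The output reflects the registry configuration only, not what a scanner observes on the wire.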
