Disabling weak TLS Protocols from registry doesn't work (for us...)

Question

Hi,

We have tried to disable weak SSL/TLS protocols on a windows 2016 server by setting the corresonding registry keys as suggested here:
https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#tls-10

We have created the following DWORDs:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]  
"DisabledByDefault"=dword:00000001  
"Enabled"=dword:00000000  
  
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]  
"DisabledByDefault"=dword:00000001  
"Enabled"=dword:00000000  

After a restart of the server a scan like https://www.ssllabs.com/ssltest/index.html still reports that the server supports TLS 1.0 and 1.1. We have cleared the scan cache after the change, so it shouldn't be a cached result. I also get a 200 OK response by

Invoke-WebRequest https://MyServer -SslProtocol Tls  

If I use a tool like IISCrypto it reports that the protocols are disabled.

Any ideas regarding why these protocols are not being disabled by the registry keys above are very welcome!

Answer 1

It turned out to be a load balancer in front of the server I was hitting. Silly me.

Answer 2

You really should disable client and server

https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-server-tls-guidance-part-3-turning-off-tls-1-0-1-1/ba-p/607898

Answer 3

Hi,

I've witnessed many auditing software that are not reporting these correctly, If I remember right Qualys was one of them.

The Windows registry never lies, and is the best place to check the correct values. I believe IISCrypto checks the Windows registry values as well and I've used IISCrypto for many customers without ever having any issues.

Do note that you have to modify the registry keys for both Server and Client.

Best regards,
Leon