How to disable TLS1.0/1.1 protocols and weak ciphers?

MbaMgh 21 Reputation points
2022-03-07T19:03:38.467+00:00

Hello,

Hope all of you are doing well!

I'm running a Windows server 2008 R2, SP1. Per my company security policy, I disable TLS1.0/TLS1.1 and enable only TLS1.2.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

But, even after disabling the TLS1.0/TLS1.1 protocols, the vulnerability report (by Nexpose) still shows me these messages after a rescan of the server:

"TLS Server Supports TLS version 1.0" (details: Successfully connected over TLSv1.0; recommendation: Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.)

"TLS Server Supports TLS version 1.1" (details: Successfully connected over TLSv1.0; recommendation: Configure the server to require clients to use TLS version 1.2 using Authenticated Encryption with Associated Data (AEAD) capable ciphers.)

"TLS/SSL Server Supports The Use of Static Key Ciphers" (details: Negotiated with the following insecure cipher suites: TLS 1.0 ciphers; recommendation: Configure the server to disable support for static key cipher suites.)

It seems the change didn't take effect, since I get the same vulnerability message about the use of TLSv1.0 & TLSv1.1.

Could someone please explain to me why, even after disabling the TLS1.0/1.1 protocols from the registry keys, it is still showing the same vulnerability?

Are there any other changes to perform to disable the TLS1.0/1.1 protocols or weak key ciphers?

Thank you,

Stay safe !!


Answer

Vadims Podāns MVP
2022-03-14T15:15:41.767+00:00

    FileZilla doesn't use SChannel. Right now, everything that runs on top of SChannel will refuse TLS 1.0 and TLS 1.1 connections, but 3rd party tools may use whatever they are configured with and they must be configured separately, or contact vendor support for additional assistance. In this forum, we discuss only Microsoft products.

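An added example, not part of the question or the answer above, that ties the two together: it audits the SCHANNEL protocol keys the poster set and then probes a listener with one TLS version at a time, so a rescan result like the one quoted can be reproduced locally before involving the scanner. It assumes it is run in an elevated PowerShell on the server; $Target and $Port are placeholders for the listener under test, and the probe only verifies services that use SChannel (IIS, RDP), which is the answer's point about FileZilla.

```powershell
# Added example, not from the original page. Placeholders: adjust to the listener under test.
$Target = 'localhost'   # placeholder host
$Port   = 443           # placeholder port (e.g. IIS)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$versions = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelState {
    # Report Enabled / DisabledByDefault for each protocol, Client and Server side.
    # A missing key means SChannel uses the OS default for that version, so an
    # audit that only greps for Enabled=0 misses protocols that were never touched.
    foreach ($v in $versions) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$v\$side"
            $enabled = $null; $byDefault = $null
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                $enabled = $p.Enabled; $byDefault = $p.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $v
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $byDefault
                State             = if ($null -eq $enabled) { 'OS default (key missing)' }
                                    elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
            }
        }
    }
}

function Test-TlsVersion {
    # Handshake with exactly one protocol version; success means the listener still
    # accepts it. The .NET client also goes through SChannel, so if the Client keys on
    # this host are disabled too, run the probe from another machine to avoid a false
    # "refused". The validation callback accepts any certificate: this is a probe only.
    param([string]$HostName, [int]$PortNumber, [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $PortNumber)
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return "$Protocol accepted (cipher: $($ssl.CipherAlgorithm))"
    } catch {
        return "$Protocol refused: $($_.Exception.Message)"
    } finally { $tcp.Close() }
}

Get-SchannelState | Format-Table -AutoSize
foreach ($proto in 'Tls', 'Tls11', 'Tls12') { Test-TlsVersion $Target $Port $proto }
```

A TLS 1.0 or 1.1 handshake that the registry audit says is disabled but the probe still reports as accepted points at a listener that does not use SChannel, which has to be configured in its own settings.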