On W2K8 R2 SP1 servers and higher, TLS 1.1 and TLS 1.2 are supported. To disable TLS 1.0, you need to do the following:
– Disable TLS 1.0:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
– Enable TLS 1.2:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
– Disable old ciphers (a variety may already be turned off).
– Reboot the server to pick up the changes.
– Use an SSL server test to verify that the protocols and ciphers are turned off and that you receive a good rating. An example site to test your SSL is: https://www.ssllabs.com/ssltest/
– NOTE: If on a W2K8 R2 SP1 server, update the RDP security to use TLS 1.2 first. If TLS 1.0 is disabled, you can lock yourself out of RDP access. Open Remote Desktop Session Host Configuration, double-click the connection name "RDP-Tcp" and change the Security Layer setting from TLS 1.0 to RDP Security Layer.
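The same registry changes as a script, added here as an example and not part of the original post. It assumes an elevated PowerShell session, reads the keys back so they can be compared after the reboot, and adds a guard (not in the post) that reads the RDP-Tcp SecurityLayer value and stops if RDP is still bound to the SSL/TLS security layer, which is the lockout the note above warns about.

```powershell
# Added example, not from the original post. Run elevated, then reboot as the post says.
# Registry paths follow the post; the RDP-Tcp SecurityLayer guard is an addition
# (SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS).
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$RdpTcpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-SchannelValue {
    param(
        [Parameter(Mandatory)][string]$Protocol,  # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][string]$Side,      # 'Server' or 'Client'
        [Parameter(Mandatory)][string]$Name,      # 'Enabled' or 'DisabledByDefault'
        [Parameter(Mandatory)][int]$Value
    )
    $key = Join-Path $SchannelBase "$Protocol\$Side"
    # -Force also creates the intermediate 'TLS 1.x' key when it does not exist yet
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-SchannelState {
    # One row per protocol/side; $null in a column means the value is not set (OS default)
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $SchannelBase "$p\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

# Guard against the RDP lockout described in the post: if RDP-Tcp still uses the
# SSL/TLS security layer, fix it in Remote Desktop Session Host Configuration first.
$rdp = Get-ItemProperty -Path $RdpTcpKey -Name SecurityLayer -ErrorAction SilentlyContinue
if ($rdp -and $rdp.SecurityLayer -eq 2) {
    throw 'RDP-Tcp is set to the SSL/TLS security layer; change it before disabling TLS 1.0.'
}

# The two registry changes from the post
Set-SchannelValue -Protocol 'TLS 1.0' -Side 'Server' -Name 'Enabled'           -Value 0
Set-SchannelValue -Protocol 'TLS 1.2' -Side 'Server' -Name 'DisabledByDefault' -Value 0

# Read back what is now in the registry (takes effect after the reboot)
Get-SchannelState | Format-Table -AutoSize
```

Save the output of Get-SchannelState before and after the reboot and run the SSL Labs test from the post afterwards; the registry state alone does not prove what SCHANNEL is actually negotiating.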