IIS Security SSL TLS Windows OS schannel protocol settings

Posted on June 26, 2018 by Robert.Gabos

Here is a collection of IIS Security related documents related to the SSL TLS updates in Windows.

The settings below will enforce TLS 1.1 and 1.2 for Windows Server 2008 SP2 all the way till Win10 and Server 2016

It will change the default behaviour for versions older then Windows 10.

The new changes are presented in this chart.

Windows OS

SSLv2

SSLv3

TLS 1.0

TLS 1.1

TLS 1.2
Windows Server 2008

Disabled

Disabled

Disabled

Enabled

Enabled
Windows 7 (WS2008 R2)

Disabled

Disabled

Disabled

Enabled

Enabled
Windows 8 (WS2012)

Disabled

Disabled

Disabled

Enabled

Enabled
Windows 8.1 (WS2012 R2)

Disabled

Disabled

Disabled

Enabled

Enabled
Windows 10

Disabled

Disabled

Disabled

Enabled

Enabled
Windows Server 2016

Not Supported

Disabled

Disabled

Enabled

Enabled

The PowerShell cmdlet to use in this case for working with the Registry keys is New-ItemProperty

# enable TLS 1.2 for client and server

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server” -name “Enabled” -value 1 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server” -name “DisabledByDefault” -value 0 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client” -name “Enabled” -value 1 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client” -name “DisabledByDefault” -value 0 -PropertyType “DWord”

# enable TLS 1.1 for client and server

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server” -name “Enabled” -value 1 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server” -name “DisabledByDefault” -value 0 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client” -name “Enabled” -value 1 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client” -name “DisabledByDefault” -value 0 -PropertyType “DWord”

# disable TLS 1.0 for client and server

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server” -name “Enabled” -value 0 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server” -name “DisabledByDefault” -value 0 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client” -name “Enabled” -value 0 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client” -name “DisabledByDefault” -value 0 -PropertyType “DWord”

# disable SSL 3.0

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server” -name Enabled -value 0 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client” -name Enabled -value 0 -PropertyType “DWord”

# disable SSL 2.0

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server”

md “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server” -name Enabled -value 0 -PropertyType “DWord”

new-itemproperty -path “HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client” -name Enabled -value 0 -PropertyType “DWord”

Before enforcing the settings via the Registry keys, the default settings are shown in these tables.

Windows OS

SSLv2

SSLv3

TLS 1.0

TLS 1.1

TLS 1.2
Windows Vista

Enabled

Enabled

Default

Not Supported

Not Supported
Windows Server 2008

Enabled

Enabled

Default

Disabled

Disabled
Windows 7 (WS2008 R2)

Enabled

Enabled

Default

Disabled

Disabled
Windows 8 (WS2012)

Disabled

Enabled

Enabled

Enabled

Default
Windows 8.1 (WS2012 R2)

Disabled

Enabled

Enabled

Enabled

Default
Windows 10

Disabled

Enabled

Enabled

Enabled

Default
Windows Server 2016

Not Supported

Disabled

Enabled

Enabled

Default
TLS 1.0 Client TLS 1.0 Server TLS 1.1 Client TLS 1.1 Server TLS 1.2 Client TLS 1.2 Server
Windows Vista/Windows Server 2008 Enabled Enabled Not supported Not supported Not supported Not supported
Windows Server 2008 with Service Pack 2 (SP2) Enabled Enabled Disabled Disabled Disabled Disabled
Windows 7/Windows Server 2008 R2 Enabled Enabled Disabled Disabled Disabled Disabled
Windows 8/Windows Server 2012 Enabled Enabled Enabled Enabled Enabled Enabled
Windows 8.1/Windows Server 2012 R2 Enabled Enabled Enabled Enabled Enabled Enabled
Windows 10, version 1507 Enabled Enabled Enabled Enabled Enabled Enabled
Windows 10, version 1511 Enabled Enabled Enabled Enabled Enabled Enabled
Windows 10, version 1607/Windows Server 2016 Standard Enabled Enabled Enabled Enabled Enabled Enabled
Windows 10, version 1703 Enabled Enabled Enabled Enabled Enabled Enabled
Windows OS PCT 1.0 SSL2 Client SSL2 Server SSL3 Client SSL3 Server
Windows Vista/Windows Server 2008 Not supported Disabled Enabled Enabled Enabled
Windows Server 2008 with SP2 Not supported Disabled Enabled Enabled Enabled
Windows 7/Windows Server 2008 R2 Not supported Disabled Enabled Enabled Enabled
Windows 8/Windows Server 2012 Not supported Disabled Disabled Enabled Enabled
Windows 8.1/Windows Server 2012 R2 Not supported Disabled Disabled Enabled Enabled
Windows 10, version 1507 Not supported Disabled Disabled Enabled Enabled
Windows 10, version 1511 Not supported Disabled Disabled Enabled Enabled
Windows 10, version 1607/Windows Server 2016 Standard Not supported Not supported Not supported Disabled Disabled
Windows 10, version 1703 Not supported Not supported Not supported Disabled Disabled

For older versions of Windows these updates need to be installed.

For Windows 7, Windows Server 2008 R2
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

For Windows Server 2008 SP2
https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows

Update install files for Win2008SP2
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276

Update install files for Win7 and 2008R2
http://catalog.update.microsoft.com/v7/site/search.aspx?q=kb3140245

A good best practice article from the Exchange server team shows examples of TLS settings, https://blogs.technet.microsoft.com/exchange/2015/07/27/exchange-tls-ssl-best-practices/

Also a big change for Office 365 later this year will be related to TLS 1.2

Preparing for the mandatory use of TLS 1.2 in Office 365
https://support.microsoft.com/en-ca/help/4057306/preparing-for-tls-1-2-in-office-365

For logging this exact information in IIS servers. The best way I found so far is via this new option using the Custom logging field.

https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/logfile/customfields/

New IIS functionality to help identify weak TLS usage
https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/

** As a best practice it has been suggested to disable SSL 3.0 on client systems first, to gauge usage and report compatibility problems before making the same changes on the servers.

Using Internet Explorer, there are Group Policy settings available to push these type of security compliance settings out to clients.

Tools that can be used to built templates are Microsoft Security Compliance Manager and the Security Compliance Toolkit

  • Microsoft KB reference articles

How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
https://support.microsoft.com/en-ca/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protoc

Protocols in TLS/SSL (Schannel SSP)
https://msdn.microsoft.com/library/windows/desktop/mt808159.aspx

Transport Layer Security (TLS) registry settings
https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

TLS/SSL Settings
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)

TLS 1.2 support at Microsoft
https://cloudblogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/

Exchange TLS & SSL Best Practices
https://blogs.technet.microsoft.com/exchange/2015/07/27/exchange-tls-ssl-best-practices/

  • Related Online Resources

IIS Cipher Suites and TLS Configuration
https://gist.github.com/jasonnemesis/ecd2071ec97d7ef4b4f5435633ff2671#file-iis_cipher_suites_and_tls_config-md

Setup your IIS for SSL Perfect Forward Secrecy and TLS 1.2
https://gist.github.com/matejskubic/10268126

 Latest content available on OneNote


Advertisement

About Robert.Gabos

https://www.linkedin.com/in/RobertGabos
This entry was posted in Microsoft, Windows Server and tagged , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s