Share via
Sandro Alves 51Reputation points
Hi,
is there any tool to disable Windows TLS 1.0 and IIS?
We have web servers and we want to force it to only work with TLS 1.2.
Thanks.
Internet Information Services
Microsoft web server software.
1,657 questions
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,920 questions
Sign in to follow
0{count} votes
Sign in to comment
3 answers
Sort by: Most helpful
-
Sam Wu-MSFT 7,446Reputation points • Microsoft Vendor
2022-11-18T02:52:12.027+00:00 You can follow these steps to enable TLS 1.2 and disable 1.0:
- Enable TLS 1.2 on Windows by manually updating the registry files:
- Open registry on the server by running regedit in the run window.
- Navigate to the below location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. - Add the and TLS 1.2 keys under Protocols: Right-click Protocols > Select New > Key > Name the key TLS 1.2.
- Create two keys Client and Server under TLS keys.
- Create the DWORD (32-bit) values under Server and Client key as follows:
DisabledByDefault [Value = 0]andEnabled [Value = 1]- Disable TLS 1.0:
- Open registry on your server by running regedit in the run window.
- Navigate to the below location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. - Now change DWORD values under Server and Client under TLS 1.0:
DisabledByDefault [Value = 0]andEnabled [Value = 0]. - If TLS 1.0 entry does not exist in the registry, you can create a new key called TLS 1.0 and disable it.
- Verify that your server now supports TLS 1.2 protocol by following the below steps:
- Click the Windows button on the lower left-hand corner of your Desktop.
- Type "Internet Options" and select Internet Options from the list.
- Click on the Advanced tab and from there scroll down to the very bottom. Confirm that TLS 1.2 is checked. If it is not, please check the box adjacent to Use TLS 1.2 and then Apply.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Sandro Alves 51Reputation points
2022-11-18T03:28:34.287+00:00 @Sam Wu-MSFT Wu
Doubt:
Do I need to keep only TLS 1.2?
All others should I disable, including SSL, PCT and Multi?
See AlsoConfigure Server SSL/TLSSam Wu-MSFT 7,446Reputation points • Microsoft Vendor
2022-11-18T09:55:44.637+00:00 I am not familiar with iis crypto tool, but if you modify it in the registry, I suggest you disable other TLS and SSL version.
Sign in to comment
- Enable TLS 1.2 on Windows by manually updating the registry files:
-
Michael Taylor 53,726Reputation points
2022-11-17T18:15:01.777+00:00 You have to use the iiscrypto tool. Put it on the server(s) you need and run it. Then uncheck the protocols you don't want to support anymore and apply. Then reboot the server.
0 commentsNo comments
Sign in to comment
-
Rafael da Rocha 5,091Reputation points
2022-11-17T18:35:07.053+00:00 Hello @Sandro Alves ,
adding to cooldadtx answer, iiscrypto is a great tool.
But if you're doing it to multiple servers, you might want to look into deploying the settings via group policy or other more programmatic method that doesn't involve logging in to every host.
Here's the documentation on how to enable TLS1.2, and it also contains the link for how to disable other protocols:0 commentsNo comments
Sign in to comment
Sign in to answer
