[Updated] – Disable legacy TLS and SSL in Windows Server

Windows Server

As you probably know, the PCI Council, in its Data Security Standard (DSS), has banned all the legacy security protocols used for HTTPS, namely:

  • TLS 1.0
  • TLS 1.1
  • SSL 2.0
  • SSL 3.0

TLS 1.0 and 1.1 were largely based on SSLv3. These protocols are out of date: they do not support modern cryptographic algorithms, and they contain security vulnerabilities that may be exploited by attackers.

For end users this means nothing, but IT admins must pay attention, because security is critical. What you have to do depends on the operating system on which your web/application servers are installed and on what kind of services they need. TLS 1.2, the supported protocol, is present and enabled by default in all new Windows and Linux distributions.

Before starting with all the enthusiasm in the world, consider some aspects of communications. First of all, if you disable TLS 1.0 and 1.1 on the Client side, your machine will no longer be able to communicate with external servers that do not support TLS 1.2. You may want to disable only the Server protocols before you cause a disaster.

The only best practice you must follow is to disable the legacy protocols to avoid security issues. In Windows Server it is very easy to disable these protocols with the following registry file.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

Save the file with a .reg extension, run it on your web/application server and restart the computer to apply the change. Just in case, older operating systems may require the latest updates to be installed first (remember that Windows Server 2008 R2 is no longer supported).
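If you prefer to audit the current SCHANNEL state before touching anything, and to disable only the Server side as suggested above, the following PowerShell script is an added example (not part of the original post): the function name Get-SchannelState and the -DisableLegacyServer switch are my own choices; run it in an elevated session and reboot afterwards for the change to take effect.

```powershell
# Added example: report how each SSL/TLS protocol is configured in SCHANNEL and,
# with -DisableLegacyServer, disable the legacy protocols on the Server side only
# (the Client side is left alone so outbound connections keep working).
param([switch]$DisableLegacyServer)

$base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$all    = $legacy + 'TLS 1.2'

# Hypothetical helper: translate the two registry values into an effective state.
function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $path)) { return 'OS default (key absent)' }
    $enabled = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $dbd     = (Get-ItemProperty -Path $path -Name DisabledByDefault -ErrorAction SilentlyContinue).DisabledByDefault
    if ($enabled -eq 0) { return 'Disabled (Enabled=0)' }
    if ($dbd -eq 1)     { return 'Disabled unless an application opts in (DisabledByDefault=1)' }
    return 'Enabled'
}

if ($DisableLegacyServer) {
    foreach ($p in $legacy) {
        $path = Join-Path $base "$p\Server"
        # -Force creates missing keys/values and overwrites existing ones.
        New-Item -Path $path -Force | Out-Null
        New-ItemProperty -Path $path -Name Enabled           -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $path -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Print one row per protocol and side so the Client/Server difference is visible.
$report = foreach ($p in $all) {
    foreach ($side in 'Client', 'Server') {
        [pscustomobject]@{ Protocol = $p; Side = $side; State = (Get-SchannelState $p $side) }
    }
}
$report | Format-Table -AutoSize
```

Run it once without the switch to see the baseline, and again after the reboot to confirm only the Server rows for the legacy protocols read as disabled.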

Impact on Production Environment

What happens if you disable TLS on your server? It depends on whether you disable inbound or outbound. Inbound traffic over the legacy protocols should be disabled, unless your web server provides public services, such as web services, that still rely on TLS 1.0 or TLS 1.1.

For outbound traffic it is more or less the same: if your web server needs to communicate with public services, such as Azure SQL Server or Azure Storage, the “problem” moves to the developers, because it is only necessary to change the code to use the new protocol.

Office 365

Don’t forget that Microsoft has announced, starting on 13th October, the retirement of TLS 1.0 and 1.1 in Office 365, to be replaced with Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption and to ensure the service is more secure by default.

Conclusions

Do you want to check whether your web server, or your web site, is running legacy security protocols? No problem; for example, I’m using Why Not Padlock.

#DBS