Cracking SSL-encrypted communications has become easy, if not trivial, for a motivated attacker. In July 2016, the de facto standard for encrypting traffic on the web should be via TLS 1.2. In this post, you will learn how to disable SSL in Windows Server 2016, Windows 2012 R2, and Windows Server 2008 R2.

It would probably surprise you to learn that TLS 1.2 was first defined in 2008, with TLS 1.0 taking over from SSL 3.0 in the late ’90s. SSL 3.0 is now vulnerable to the much publicized POODLE attack, and SSL 2.0 to the DROWN attack as well as the FREAK attack.

It may surprise you even further to learn that most Windows Server 2008 R2 Servers will happily accept SSL 2.0 and SSL 3.0 in addition to TLS 1.0 out of the box, and that they WILL NOT support TLS 1.1 or 1.2 without the administrator specifically enabling it.

A recent test I performed on Windows Server 2016 TP5 shows that still today a default install will support SSL 3.0. However, all is certainly not lost, and our quest for better-secured servers can be helped drastically by setting just a few registry keys. I prefer to use PowerShell for this type of repetitive task.

To disable SSL 2.0 and SSL 3.0, simply paste the following into an elevated PowerShell window:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 –PropertyType DWORD
Disable SSL 2.0

Disable SSL 2.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 –PropertyType DWORD
Disable SSL 3.0

Disable SSL 3.0

You should then enable TLS 1.1 and TLS 1.2:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' –PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 –PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 –PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 –PropertyType DWORD
Enable TLS 1-1 1-2

Enable TLS 1-1 1-2

Then, simply reboot your server and bask in the glory of a job well done!

Additionally, you can disable the RC4 Cipher, which will assist with preventing a BEAST attack. You need to consider the effect of disabling TLS 1.0 before you go ahead and do that, though, as a lot of older software requires patching to support it—specifically SQL Server 2008 R2, which is used in SBS 2011. Exchange 2010 and 2013 require patching to support TLS 1.2, and some applications will simply not function at all without it.

There are some very useful resources to assist with this type of configuration. IISCRYPTO is one of the most well-known: it’s a GUI-based tool to take care of these changes, mentioned here in regard to the FREAK attack. I have also used this tool, which takes care of similar tasks but works in PowerShell.

Subscribe to 4sysops newsletter!

I have written more about SBS 2011 Standard and PCI Compliance here, and Windows Server Essentials here.

  1. KassOggie 7 years ago

    You enabled TLS 1.1 twice and not 1.2. Copy/paste error.

  2. KassOggie 7 years ago

    Oh sorry, my mistake.

  3. David Homer 6 years ago

    Hi, we are looking at reading these values for server documentation however there doesn’t seem to be any consistency between operating systems on the DisabledByDefault and Enabled registry keys.]

    On Windows 2008 R2 for example TLS 1.0

    DisabledByDefault = 0

    Enabled = 0

    The protocol is disabled (as you might expect)

    On Windows 2012 for example TLS 1.0

    DisabledByDefault = 0

    Enabled = 0

    The protocol is enabled (it appears that the enabled value is ignored)

    • MW 5 years ago

      Did you ever get a resolution to this???

  4. David Homer 6 years ago

    ** Server 2012 R2 sorry

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account