It would probably surprise you to learn that TLS 1.2 was first defined in 2008, and that TLS 1.0 took over from SSL 3.0 in the late ’90s. SSL 3.0 is now vulnerable to the much-publicized POODLE attack, and SSL 2.0 to the DROWN attack as well as the FREAK attack.
It may surprise you even further to learn that most Windows Server 2008 R2 servers will happily accept SSL 2.0 and SSL 3.0 in addition to TLS 1.0 out of the box, and that they WILL NOT support TLS 1.1 or 1.2 unless the administrator specifically enables them.
A recent test I performed on Windows Server 2016 TP5 shows that still today a default install will support SSL 3.0. However, all is certainly not lost, and our quest for better-secured servers can be helped drastically by setting just a few registry keys. I prefer to use PowerShell for this type of repetitive task.
To disable SSL 2.0 and SSL 3.0, simply paste the following into an elevated PowerShell window:

```powershell
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Name Enabled -Value 0 -PropertyType DWORD
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Name Enabled -Value 0 -PropertyType DWORD
```
You should then enable TLS 1.1 and TLS 1.2 (both the Server and Client sides; the TLS 1.2 keys use the same values as TLS 1.1):

```powershell
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value '0xffffffff' -PropertyType DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled' -Value 1 -PropertyType DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '0xffffffff' -PropertyType DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType DWORD
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType DWORD
```
Then, simply reboot your server and bask in the glory of a job well done!
Additionally, you can disable the RC4 cipher, which will assist with preventing a BEAST attack. You need to consider the effect of disabling TLS 1.0 before you go ahead and do that, though, because a lot of older software requires patching before it can use TLS 1.2: specifically SQL Server 2008 R2, which is used in SBS 2011. Exchange 2010 and 2013 require patching to support TLS 1.2, and some applications will simply not function at all without it.
There are some very useful resources to assist with this type of configuration. IISCRYPTO is one of the most well-known: it is a GUI-based tool that takes care of these changes, and it is mentioned here in regard to the FREAK attack. I have also used this tool, which takes care of similar tasks but works in PowerShell.
I have written more about SBS 2011 Standard and PCI Compliance here, and Windows Server Essentials here.
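Before rebooting, it is worth reading the Schannel keys back to confirm what was actually written. The function below is an added example, not part of the original post: it walks the Protocols key for each protocol and side, reports the raw Enabled and DisabledByDefault values, and gives a simple interpretation. The interpretation is an assumption stated in the code; where no key or value exists, the OS default applies, and that default differs between Windows versions, so the function reports it as "OS default" rather than guessing.

```powershell
# Added example (not from the original post): audit Schannel protocol keys.
# Reads HKLM only, so it does not need an elevated window.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Side = @('Client', 'Server')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($p in $Protocol) {
        foreach ($s in $Side) {
            $path = "$base\$p\$s"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path -Path $path) {
                # Get-ItemProperty returns $null for a value name that is absent.
                $props = Get-ItemProperty -Path $path
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Assumed interpretation: an explicit Enabled=0 switches the protocol off;
            # DisabledByDefault=1 leaves it available but not negotiated unless asked for;
            # nothing set at all means the OS default applies (varies by Windows version).
            $state = 'Enabled'
            if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                $state = 'OS default (key or values not set)'
            }
            elseif ($enabled -eq 0) {
                $state = 'Disabled'
            }
            elseif ($disabledByDefault -eq 1) {
                $state = 'Available but disabled by default'
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Example usage: one row per protocol/side pair.
Get-SchannelProtocolState | Format-Table -AutoSize
```

Pipe the output to Export-Csv if you want to keep it as part of server documentation.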
You enabled TLS 1.1 twice and not 1.2. Copy/paste error.
Oh sorry, my mistake.
Hi, we are looking at reading these values for server documentation; however, there doesn’t seem to be any consistency between operating systems in the DisabledByDefault and Enabled registry keys.
On Windows 2008 R2, for example, TLS 1.0:
DisabledByDefault = 0
Enabled = 0
The protocol is disabled (as you might expect).
On Windows 2012, for example, TLS 1.0:
DisabledByDefault = 0
Enabled = 0
The protocol is enabled (it appears that the Enabled value is ignored).
Did you ever get a resolution to this???
** Server 2012 R2 sorry