TLS1.0 missing from Windows 2008 protocols

windows-server-2008 windows-server-2008-r2

I have two Windows Server 2008 R2 machines that came back with a weak cipher vulnerability for TLS1_RSA_DES_192_CBC3_SHA. I wanted to see if it were possible to just disable TLS 1.0 as the same report came back that anything under 1.2 was considered vulnerable. However, when I started to drill down the registry I found under SCHANNEL\Protocols only SSL 2.0 and SSL 3.0, both of which area already disabled.

This KBA indicates I should see TLS 1.0 given the OS version I'm running. Having not run into this scenario before, what are my options to disable this cipher or protocol? Can I just add the missing TLS 1.0 / Client / Server keys and disable them? Should I try to target the cipher specifically? Or are there other options?


Solution 1:

Create and run the following PowerShell script:

# Enables TLS 1.2 on Windows Server 2008 R2 and Windows 7

# These keys do not exist so they need to be created prior to setting values.

 md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
 md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
 md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
 md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"
 md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"
 md "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"

 # Enable TLS 1.2 for client and server SCHANNEL communications
 new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "Enabled" -value 1 -PropertyType "DWord"
 new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
 new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "Enabled" -value 1 -PropertyType "DWord"
 new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
 new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "Enabled" -value 1 -PropertyType "DWord"
 new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -name "DisabledByDefault" -value 0 -PropertyType "DWord"
 new-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" -name "Enabled" -value 1 -PropertyType "DWord"

Related

MongoDB won't run if dbPath is symlinked
Unable to change an int used in exception
LIGHTTPD - Page NOT found!
AWS Cognito authentication equivalent on google cloud platform - secure a web app using google id authentication
Windows POSReady 2009 Hyper-V'd on Windows Server 2016 (Azure VM) cannot connect to Internet
haproxy: adding tcplog parameters
Different methods of denying access in httaccess
Variable in loop on Python don't change [duplicate]
DNS - Use two wildcards on different domain levels
Is my KVM VM thin provisioned?
Understanding Azure Cosmos DB Free Tier
App Engine Updating service default Error