IT Nota

  • Home
  • How To
  • .NET
  • WordPress
  • Contact
You are here: Home / How To / How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers

How to Enable TLS 1.2 as the Default Security Protocol on Windows Servers

Transport Layer Security (TLS) are cryptographic protocols designed to provide communications security over a computer network, typically between a website and a browser.

TLS 1.0 and its deprecated predecessor, SSL are vulnerable to some well-known security issues such as POODLE and BEAST attacks. According to NIST, these vulnerabilities cannot be fixed or patched, therefore all companies, especially banks and other financial institutions who are notoriously slow in upgrading theirs systems, need to upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and the older TLS 1.0.

As of 30 June 2018, SSL and TLS 1.0 should be disabled and more secure encryption protocol such as TLS 1.2 (or at the minimum TLS 1.1) is required to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

The next question then how on do we enable TLS 1.2 on Windows Servers? Especially on older servers such as Windows Server 2008 as many companies are not on the latest and greatest operating systems?

This post will address what to look for and how to enable TLS 1.2 as the default protocol for Windows Server 2012 R2 or older.

IMPORTANT: As always and it’s worth repeating, you need to backup your current registry settings before attempting any of these changes on your servers.

Enable TLS 1.2 on Windows Servers 2008 SP2 or later

The blanket statement to enable your TLS 1.2 on your server from Windows Server 2008 SP2 or later. Microsoft provided an update to add support for TLS 1.1 and TLS 1.2 for Windows Server 2008, but it requires Windows Server 2008 SP2 installed.

So just to state the obvious, TLS 1.1 and TLS 1.2 are not supported for 32-bit Windows Server 2008 SP1.

  1. Launch regedit.exe.

  2. In registry, go to:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    
  3. Create a new DWORD entry with a name TLS 1.2 and create another subkey Client and Server.

  4. Under the subkey Server, create another DWORD Enabled with a value of 1.

  5. Still under the subkey Server, create a DWORD DisabledByDefault with a value of 0.

  6. You must create a subkey DisabledByDefault entry in the appropriate subkey (Client, Server) and set the DWORD value to 0 since this entry is set to 1 by default.

    Windows 2008 Standard enabling TLS 1.2

  7. Reboot the server and test.

Enable TLS 1.2 on .NET Framework 3.5 (including 2.0)

.NET Framework 3.5 or earlier did not originally provide support of applications to use TLS System Default Versions as a cryptographic protocol. However, for Windows Server 2012 R2, check if KB3154520 is installed (or KB3154519 for Windows Server 2012; KB3154518 for Windows Server 2008 R2; KB3154517 for Windows Server 2008 SP2).

How to check the KB updates

  1. Right-click on the Windows button and select Programs and Features.

    Windows Server 2012 R2 Programs and Features

  2. On Programs and Features window, click onthe View installed updates on the left pane.

    Windows Server 2012 R2 View installed updates

  3. You will see a list of the updates that you can narrow down or do a very specific search by using the Search Installed Updates box. You can type in the KB number (i.e., “KB3154520”).

    Windows Server 2012 R2 KB3154520 update

  4. If the corresponding KB is already installed, we just need to enable it via registry change. Otherwise, you need to install the patch from either of the links for Windows Server 2012 R2 (or use the same corresponding links above for earlier versions of Windows Server).

Registry Change

  1. Launch regedit.exe.

  2. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727
    
  3. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  4. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  5. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
    
  6. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  7. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  8. For 64-bit OS, the same changes also needed for the following locations:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727
    
  9. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  10. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  11. Go to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
    
  12. Create a new entry SystemDefaultTlsVersions with a DWORD value set to 1.

  13. Create a new entry SchUseStrongCrypto with a DWORD value set to 1.

  14. Test.

Windows Server 2012 R2 TLS default

Enable TLS 1.2 as default for WinHTTP

This may be applicable for any Classic ASP or VB6 applications that use WinHTTP. Prior to Windows 10 and Windows Server 2016, TLS 1.1 or 1.2 is not enabled by default for client-server communications through WinHTTP.

To set TLS 1.2 by default, do the following:

  1. Create a registry entry DefaultSecureProtocols on the following location:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    
  2. Set the DWORD value to 800 for TLS 1.2.

  3. For 64-bit OS, repeat step 1 and 2 on the following location:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    
  4. Reboot the server and test.

Windows Server 2012 R2 DefaultSecureProtocols registry entry

Windows 10 and Windows Server 2016/2019 support TLS 1.2 for client-server communications by using WinHTTP.

Buy me a coffee?

Buy me a coffee If you find this post helpful and would like to buy me a coffee to support the work here, you’ll have our big thanks!
Support IT Nota: Buy Me a Coffee

Further Reading

Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
TLS/SSL Settings
How to enable TLS 1.2 for Configuration Manager
Transport Layer Security (TLS) best practices with the .NET Framework
Support for TLS System Default Versions included in the .NET Framework 2.0 SP2 on Windows Vista SP2 and Server 2008 SP2
Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows Server 2012
Support for TLS System Default Versions included in the .NET Framework 3.5 on Windows 8.1 and Windows Server 2012 R2
How to enable TLS 1.2 on the site servers and remote site systems
Use Case Scenario: Known issues connecting SSRS Server 2016 (new) to SQL Server 2008 (old) with TLS

Download

Solving the TLS 1.0 Problem (MS Word document)

October 12, 2018 Filed Under: How To Tagged With: Information Security, Microsoft, Windows Server

Comments

  1. Thiago says

    February 2, 2022 at 4:18 am

    Thank you very much, it helped me here, using server 2012r2, just update the .NET Framework information in the registry

    Reply
    • platt says

      February 2, 2022 at 11:19 am

      That’s great Thiago. Thanks for your feedback.

      Reply
  2. Charlie says

    April 23, 2021 at 11:26 am

    Thank you very much for this article! it is really useful.
    May I ask the point of making these changes to key: v4.0.30319
    The MS KB articles only list v2.0.50727
    Thank you!

    Reply
    • platt says

      May 4, 2021 at 8:48 pm

      Hi Charlie,

      I’m strictly answering out of memory here in our effort at the time, we had to change both to enable TLS 1.2 on .NET 4 as well even though the KB only showed 2.0. Now, Microsoft just released a new document that includes both 2.0 and 4.0.

      How to enable TLS 1.2 on the site servers and remote site systems

      Reply
  3. Abhijit says

    March 29, 2021 at 9:46 pm

    if TLS 1.2 is enabled by default on windows 2016 server but i don’t see any entries for TLS 1.2 when checking the registry.

    Reply
    • platt says

      April 1, 2021 at 5:35 pm

      You wouldn’t see it because it’s already active by default so you don’t have to add any values for it to be turned on. You only need to do so if for any reason you need to disable it.

      Reply
  4. Juan Pablo says

    October 1, 2020 at 12:07 pm

    Hi. Do you need to restart the server after making the registry changes?

    Reply
    • platt says

      October 6, 2020 at 6:04 pm

      Hi Juan, not all the time! I made sure that when a server reboot is needed I put that in as the last step. But when in doubt and you don’t risk interrupting any production applications, it’s always good to restart.

      Reply
  5. MALIK ADEEL IMTIAZ says

    July 2, 2019 at 11:58 pm

    Dear Guru,

    If we have Windows 2016 and following protocols are enabled on it.

    TLS 1.0
    Client = Enable
    Server = Enable

    TLS 1.1
    Client = Enable
    Server = Enable

    TLS 1.2
    Client = Enable
    Server = Enable

    Then in the above case, if the client will connect the server, which protocol will call first and the client will stop on which protocol.

    Thanks
    Malik Adeel Imtiaz

    Reply
    • movisajid says

      July 21, 2019 at 1:16 am

      @MALIK ADEEL IMTIAZ
      it depend on your client request.
      i disable 1.0 and 1.0 on my servers and keep pc/server updated.

      Reply
  6. Steve says

    March 28, 2019 at 7:19 am

    When i try to install the KB for server 2012R2, it tells me its not applicable for my operating system

    Reply
    • platt says

      March 28, 2019 at 9:37 am

      Hi Steve,

      The KB # is very specific to your Server OS, make sure you get the correct one (KB3154520). Even between 2012 and 2012 R2 have different KB number. If it’s already installed, it will also give you the same message.Did you check if it’s already on your server?

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Buy me a coffee Support this site
Buy Me a Coffee?

Categories

  • .NET
  • Coding
  • Cybersecurity
  • Database
  • How To
  • Internet
  • Multimedia
  • Photography
  • Programming
  • Resources
  • Review
  • Tips and Tricks
  • Use Case
  • WordPress
  • Writing

Recent Posts

  • How to Check Installed .NET Framework Version
  • How to Remove .NET Runtime and SDK on Mac
  • How to Solve Intermittent 403 Error in IIS
  • How to Show Hidden Folders and Files in Mac Finder
  • How to Solve MS Office VBA Compile Error UserAuthentication

Recent Posts

  • How to Check Installed .NET Framework Version
  • How to Remove .NET Runtime and SDK on Mac
  • How to Solve Intermittent 403 Error in IIS
  • How to Show Hidden Folders and Files in Mac Finder
  • How to Solve MS Office VBA Compile Error UserAuthentication
  • RSS

Tags

.NET Access AdSense ASP.NET Cdonts Dll Classic ASP Code Editor ETL FSharp Genesis Framework Git Google HP Asset Manager HTML HTML5 Hugo IIS Information Security Internet Internet Information Services iOS JAMStack Linux macOS Microsoft Microsoft SQL Server MVC PHP Python Simple Mail Transfer Protocol Smtp Server Social Media SQL SQL Server SSIS SSMS SSRS Sublime Text Visual Studio Visual Studio Code VPN Windows Windows 8 Windows 10 Windows Server

Copyright © 2011-2022 IT Nota. All rights reserved. Terms of Use | Privacy Policy | Disclosure