28 October 2014

How to Enable TLS 1.1, TLS 1.2 on Windows Server 2008 R2 and IIS 7.5

Written by Rahul K.

Now a days there are a SSL vulnerability called POODLE discovered by Google team in SSLv3 protocol. So uses of SSLv3 is not secure to use. Now its recommended to use TLS 1.1 or TLS 1.2. This article will help you enable TLS security in Windows Server 2008 R2 or later versions by editing registry.

Step 1: Backup Registry Values

We strongly recommend to take a backup of registry before making any changes. Use below link to find steps to how to export registry values.

http://windows.microsoft.com/en-in/windows/back-up-registry

Step 2: Enable TLS 1.1 and TLS 1.2

2.1 Open registry on your server by running ‘regedit‘ in run window and navigate to below location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

2.2 Add the TLS 1.1 and TLS 1.2 keys under Protocols. It will looks like directories.

2.3 Now create two keys Client and Server under both TLS keys.

2.4 Now create the DWORD Values under Server and Client key as following

  DisabledByDefault [Value = 0]
  Enabled [Value = 1]

Step 3: Disable SSLv3 and Older Version

3.1 Open registry on your server by running ‘regedit’ in run window and navigate to below location.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

3.2 Now change DWORD Values under Server and Client under SSLv3 and Older SSL version keys.

  DisabledByDefault [Value = 0]
  Enabled  [Value = 0]

After making all above setting reboot your server.

Rahul K.

I, Rahul Kumar is the founder and chief editor of TecAdmin.net. I am Red Hat Certified Engineer (RHCE) and working as IT professional since 2009.

14 Comments

Ed Reply to Ed

June 10, 2016 at 3:47 pm

I am running Server 21012R2, and made all the suggested changes. Still, I get the handshake error when using Chrome. Is there anything else that must be done, downloaded, upgraded, whatever, to make Chrome work again?
- Ed Reply to Ed
  
  June 28, 2016 at 12:12 pm
  
  If, like me, after making the suggested registry edits, you continue to receive the handshake fallback error, this might help:
  https://support.microsoft.com/en-us/kb/2992611
  
  This is an update that came out in 2014, but had not been installed on my server. It is a fix to a vulnerability in SChannel. After installation, Chrome displays my site properly.
MpDay Reply to MpDay

December 10, 2015 at 11:27 pm

Ugo Meex, you have made my day! This is the official Golden TIP of the month! Took me 4 days to investigate why Windows 10 1511 (fall update) clients couldn’t connect to our RADIUS Wi-Fi network anymore. With your tool, it took me 3 mouse clicks and 1 reboot…. everything solved.
curly Reply to curly

May 13, 2015 at 4:28 pm

It should be made very clear that this works for Server 2008 R2 and later, but *will not* work for “Server 2008” (which also means, it will not work for SBS 2008 either). Unfortunately, the article title is misleading; TLS 1.1/1.2 are not supported prior to Server 2008R2 and SBS 2011 on the server side.
Ugo Meex Reply to Ugo

April 30, 2015 at 2:49 am

While this article is certainly very useful, in a windows environment it would be far easier to use the IISCrypto tool by Nartac Software. It’s small, it’s free, it’s easy to use.

Rather than having to read and edit the registry, this utility gives you a GUI to make these changes.
It also offers 1 click config for: Best practices, PCI and FIPS 140-2
https://www.nartac.com/Products/IISCrypto/

Same result, but faster and certainly easier. 🙂
Mike Varga Reply to Mike

March 4, 2015 at 8:23 pm

These instructions have been tested as incomplete… They do not disable the protocols properly… We’ve used the following script to resolve the issue successfully…

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocols]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]
“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Client]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 3.0Server]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Client]
“Enabled”=dword:00000001
“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.1Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Client]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.2Server]
“DisabledByDefault”=dword:00000000
“Enabled”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0]

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Client]
“Enabled”=dword:00000000
“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsTLS 1.0Server]
“DisabledByDefault”=dword:00000001
“Enabled”=dword:00000000
- Payton Reply to Payton
  
  April 6, 2016 at 5:42 pm
  
  Your script does the exact same thing as the manual instructions listed in this article, how is it incomplete?
  - Kris Reply to Kris
    
    June 27, 2016 at 9:54 am
    
    for ssl 2.0 you have DisabledByDefault [Value = 0] but the script does “DisabledByDefault”=dword:00000001
    - Vikas Reply to Vikas
      
      June 29, 2016 at 5:54 pm
      
      I ran this script and it did nothing. I have Server 2008 R2. FYI, I do not have TSL 1.0 and 2.0 but if I am not wrong this script should create entries for these.
      Thanks
Ken Nelson Reply to Ken

January 15, 2015 at 9:24 pm

This will not work on Windows Server 2008 SP2 but does work on Windows Server 2008 R2.
TLS 1.1 and TLS 1.2 does not seem to come with Windows Server 2008 SP2, a bit of an issue for me.
Greg Reply to Greg

December 22, 2014 at 8:48 pm

Hi Rahul, thanks for this. Shouldn’t your Step 3.2 be: DisabledByDefault [Value = 1] rather than [Value = 0] to disable by default?
- Ryan Reply to Ryan
  
  December 26, 2014 at 3:02 pm
  
  Greg,
  
  No. By setting the value of DisabledByDefault to 1, you are making the value true, thus disabling the protocol “by default”.
  - Payton Reply to Payton
    
    April 6, 2016 at 5:46 pm
    
    Isn’t disabling the SSL protocols by default exactly what is wanted?
Moe Reply to Moe

December 13, 2014 at 3:53 pm

Will this instruction to add TLS 1.1 and TLS 1.2 work on Windows 2008 Standard version?