Cracking SSL-encrypted communications has become easy, if not trivial, for a motivated attacker. As of July 2016, the de facto standard for encrypting traffic on the web should be TLS 1.2. In this post, you will learn how to disable SSL in Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2.
By Robert Pearman, Tue, Jul 19 2016
It would probably surprise you to learn that TLS 1.2 was first defined in 2008, with TLS 1.0 taking over from SSL 3.0 in the late ’90s. SSL 3.0 is now vulnerable to the much publicized POODLE attack, and SSL 2.0 to the DROWN attack as well as the FREAK attack.
It may surprise you even further to learn that most Windows Server 2008 R2 servers will happily accept SSL 2.0 and SSL 3.0 in addition to TLS 1.0 out of the box, and that they WILL NOT support TLS 1.1 or 1.2 without the administrator specifically enabling it.
A recent test I performed on Windows Server 2016 TP5 shows that still today a default install will support SSL 3.0. However, all is certainly not lost, and our quest for better-secured servers can be helped drastically by setting just a few registry keys. I prefer to use PowerShell for this type of repetitive task.
To disable SSL 2.0 and SSL 3.0, simply paste the following into an elevated PowerShell window:
# Create the SSL 2.0 server key and set Enabled to 0 so SCHANNEL refuses SSL 2.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name Enabled -value 0 -PropertyType DWORD
Disable SSL 2.0
# Same pattern for SSL 3.0
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name Enabled -value 0 -PropertyType DWORD
Disable SSL 3.0
You should then enable TLS 1.1 and TLS 1.2:
# TLS 1.1: create both the Server and Client keys, then enable the protocol on each side
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 -PropertyType DWORD
# TLS 1.2 uses the same keys under Protocols\TLS 1.2
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '0xffffffff' -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value 1 -PropertyType DWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType DWORD
Enable TLS 1.1 and TLS 1.2
Then, simply reboot your server and bask in the glory of a job well done!
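To confirm what the registry now says before and after the reboot, here is an added audit script that is not part of the original post. It assumes an elevated PowerShell session on the server being checked, reads the Client and Server key of every protocol, and reports each one as disabled, not offered by default, enabled, or left at the OS default because no key exists.

```powershell
# Added example (not the original post's code): audit SCHANNEL protocol state.
# Assumption: run in an elevated PowerShell window on the server under review.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    foreach ($proto in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                # Properties that do not exist simply read back as $null
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Interpret the pair the way SCHANNEL does: Enabled=0 switches the
            # protocol off outright; DisabledByDefault=1 keeps it available but
            # not offered unless an application requests it explicitly.
            if ($enabled -eq 0) {
                $state = 'Disabled'
            } elseif ($disabledByDefault -eq 1) {
                $state = 'Not offered by default'
            } elseif ($null -eq $enabled -and $null -eq $disabledByDefault) {
                $state = 'OS default (no key)'
            } else {
                $state = 'Enabled'
            }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Anything older than TLS 1.2 that is not explicitly disabled is worth a look;
# a missing key means the OS default applies, which on older servers still
# includes SSL 3.0.
Get-SchannelProtocolState |
    Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'Disabled' } |
    Select-Object Protocol, Side, Enabled, DisabledByDefault, State |
    Format-Table -AutoSize
```

Run it once before making the changes to capture the baseline, and again after the reboot; the rows that remain are the protocols still available to clients.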
Additionally, you can disable the RC4 cipher, which will assist with preventing a BEAST attack. If you also intend to disable TLS 1.0, you need to consider the effect before you go ahead, though, as a lot of older software requires patching to support TLS 1.2: specifically SQL Server 2008 R2, which is used in SBS 2011. Exchange 2010 and 2013 require patching to support TLS 1.2, and some applications will simply not function at all without it.
There are some very useful resources to assist with this type of configuration. IISCRYPTO is one of the most well-known: it’s a GUI-based tool that takes care of these changes, mentioned here in regard to the FREAK attack. I have also used this tool, which takes care of similar tasks but works in PowerShell.