Disable SSL in Windows Server 2016 with PowerShell

Datetime:2016-08-23 03:39:34          Topic: Windows Server  PowerShell           Share

Cracking SSL-encrypted communications has become easy, if not trivial, for a motivated attacker. In July 2016, the de facto standard for encrypting traffic on the web should be via TLS 1.2. In this post, you will learn how to disable SSL in Windows Server 2016, Windows 2012 R2, and Windows Server 2008 R2.

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator for IT Authority. He has been a Microsoft MVP for seven years and has worked as a technical reviewer for Microsoft Press. You can follow Robert in his blog .

Latest posts by Robert Pearman ( see all )

It would probably surprise you to learn that TLS 1.2 was first defined in 2008, with TLS 1.0 taking over from SSL 3.0 in the late ’90s. SSL 3.0 is now vulnerable to the much publicized POODLE attack, and SSL 2.0 to the DROWN attack as well as theFREAK attack.

It may surprise you even further to learn that most Windows Server 2008 R2 Servers will happily accept SSL 2.0 and SSL 3.0 in addition to TLS 1.0 out of the box, and that they WILL NOT support TLS 1.1 or 1.2 without the administrator specifically enabling it.

A recent test I performed on Windows Server 2016 TP5 shows that still today a default install will support SSL 3.0. However, all is certainly not lost, and our quest for better-secured servers can be helped drastically by setting just a few registry keys. I prefer to use PowerShell for this type of repetitive task.

To disable SSL 2.0 and SSL 3.0, simply paste the following into an elevated PowerShell window:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -nameEnabled -value 0 –PropertyTypeDWORD

Disable SSL 2.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -nameEnabled -value 0 –PropertyTypeDWORD

Disable SSL 3.0

You should then enable TLS 1.1 and TLS 1.2:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled' -value '0xffffffff' –PropertyTypeDWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value 0 –PropertyTypeDWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled' -value 1 –PropertyTypeDWORD
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value 0 –PropertyTypeDWORD

Enable TLS 1-1 1-2

Then, simply reboot your server and bask in the glory of a job well done!

Additionally, you can disable the RC4 Cipher, which will assist with preventing a BEAST attack. You need to consider the effect of disabling TLS 1.0 before you go ahead and do that, though, as a lot of older software requires patching to support it—specifically SQL Server 2008 R2, which is used in SBS 2011. Exchange 2010 and 2013 require patching to support TLS 1.2, and some applications will simply not function at all without it.

There are some very useful resources to assist with this type of configuration. IISCRYPTO is one of the most well-known: it’s a GUI-based tool to take care of these changes, mentionedhere in regard to the FREAK attack. I have also used this tool , which takes care of similar tasks but works in PowerShell.

I have written more about SBS 2011 Standard and PCI Compliance here , and Windows Server Essentials here .





About List