How and why to disable TLS 1.0 and TLS 1.1 in Windows Server

Due to the lack of security provided by the legacy TLS 1.0 and TLS 1.1 protocols, it is recommended that you disable them and use the newer versions of TLS 1.2 and TLS 1.3. In the article, we will briefly discuss the differences between old and new implementations of this protocol, and also analyze three ways to disable TLS 1.0 and TLS 1.1: through the registry, PowerShell commands, or the command line.

The growing volume of cyber attacks is forcing system administrators to implement increasingly secure communication protocols in order to protect resources and networks. TLS plays the most important role in this process. TLS is a transport layer security protocol used to encrypt communications between clients and servers. The latest versions of this protocol are TLS 1.2 and TLS 1.3, which offer many advantages over the previous ones.

Today, version 1.2 is most commonly used, but 1.3 is also gaining popularity due to its efficiency and high speed. As a system administrator, to improve the security of the infrastructure you are responsible for, you should use TLS 1.2 or TLS 1.3 in Windows Server, but this alone will not be enough. It is also necessary to disable TLS 1.0 and TLS 1.1, since their level of security is no longer sufficient today.

Before moving on to how to disable TLS 1.0 and TLS 1.1 in Windows Server, we will analyze the features of these versions and clarify the reasons for disabling them.

Content

  • A little about the features of TLS 1.0 and TLS 1.1
  • Why do I need to disable TLS 1.0 and TLS 1.1 on Windows Server?
  • TLS 1.0 and TLS 1.1 Vulnerabilities
  • What is the alternative to TLS 1.0 and TLS 1.1?
  • How to disable TLS 1.0 and TLS 1.1 in Windows Server?

    • Method 1: Disabling manually through the registry
    • Method 2: Disable using PowerShell commands
    • Method 3: disable via command line

A little about the features of TLS 1.0 and TLS 1.1

TLS is a cryptographic protocol that ensures the security of data transmission over the Internet.

TLS 1.0 was released in 1999, and TLS 1.1 was released as an update in 2006. Today, both of these versions are outdated and no longer secure.

Why should TLS 1.0 and TLS 1.1 be disabled on Windows Server?

There are several reasons for disabling TLS 1.0 and TLS 1.1:

  1. These versions are no longer considered secure because they are vulnerable to various attacks, such as POODLE.
  2. Disabling TLS 1.0 and TLS 1.1 on the server forces clients to use the more secure TLS 1.2.
  3. Some government agencies, such as the National Security Agency (NSA), recommend disabling TLS 1.0 and TLS 1.1.
  4. Microsoft has stopped providing security updates for Windows Server using TLS 1.0 or TLS 1.1.
  5. Many leading software vendors, including Google, Microsoft, Mozilla, and Apple, have stopped supporting these versions.

TLS 1.0 and TLS 1.1 Vulnerabilities

TLS 1.0 and TLS 1.1 have a number of known vulnerabilities that can be exploited by attackers. These include:

  • POODLE (Padding Oracle On Downgraded Legacy Encryption),
  • BEAST (Browser Exploit Against SSL/TLS),
  • CRIME (Compression Ratio Info-leak Made Easy),
  • FREAK (Factoring Attack on RSA-EXPORT Keys),
  • LOGJAM (Diffie-Hellman Key Exchange Weakness).

These vulnerabilities enable man-in-the-middle attacks, decryption of sensitive information, and hijacking of user sessions. By disabling TLS 1.0 and TLS 1.1 on your server, you protect yourself from these attacks.

What is the alternative for TLS 1.0 and TLS 1.1?

The latest version of the protocol is TLS 1.3. It was released in 2018 and includes a number of security improvements. We recommend using this version instead of the legacy TLS 1.0 and TLS 1.1.

As for TLS 1.2, it surpasses TLS 1.1 with support for elliptic-curve cryptography (ECC) and new cipher suites that provide a higher level of security. TLS 1.3, in turn, is superior to TLS 1.2 in that it simplifies the handshake and makes it more resistant to man-in-the-middle attacks. In addition, this version uses new cipher suites that provide an even higher level of security.

Both TLS 1.2 and TLS 1.3 are backward compatible with TLS 1.0 and TLS 1.1. This means that a client using TLS 1.2 can communicate with a server using TLS 1.1 and vice versa. But at the same time, TLS 1.2 and TLS 1.3 themselves are incompatible with each other.

As already mentioned, the latest version of the protocol is gradually gaining popularity. Many leading browsers including Chrome, Firefox and Edge already support it. In addition, major ISPs such as Cloudflare and Akamai have also started supporting TLS 1.3 on their servers.

If you are interested in a more detailed comparison of implementations of this protocol for different servers and clients, I recommend taking a look at this page.

And below I will give a series of articles on the features of TLS 1.2 and TLS 1.3:

How to disable TLS 1.0 and TLS 1.1 in Windows Server?

Next, we will look at three ways to disable TLS 1.0 and TLS 1.1 in Windows Server. You can choose the most suitable one depending on your technical and automation skills.

  1. Disabling manually through the registry.
  2. Disabling using PowerShell commands.
  3. Disabling via the command line.

Note: Microsoft has openly stated that they no longer support TLS 1.0 and TLS 1.1 on Windows operating systems and do not provide patches for these versions. You can check out this table, which shows TLS support in various Windows operating systems.

▍ Method 1: Manually disable TLS 1.0 and TLS 1.1 through the registry

This will take about 15 minutes.

1. Run the regedit utility.

Open the Run window, enter regedit and click OK.

2. Create a new key.

In the registry editor, navigate to the path:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

Create a new key by right-clicking on Protocols –> New –> Key.

3. Name the TLS 1.0 registry key.

Name the created key TLS 1.0.

4. Create the Client registry key under TLS 1.0.

Following the step above, create a Client key inside the TLS 1.0 key, as shown in the screenshot.

5. Create a new DWORD (32-bit) Value in Client.

Create a new value by right-clicking on Client –> New –> DWORD (32-bit) Value.

6. Name the DWORD (32-bit) Value Enabled.

Name the DWORD (32-bit) Value Enabled and set it to the hexadecimal value 0.

7. Create the DisabledByDefault value in TLS 1.0.

Similarly, create a DisabledByDefault value with the hexadecimal value 1.

8. Create the Server key and the corresponding values.

Similar to the steps above, create a Server key alongside Client and add the same DWORD (32-bit) values, Enabled and DisabledByDefault, as shown below.

9. Disable TLS 1.1 in Windows Server.

To disable TLS 1.1, create a TLS 1.1 key under Protocols, and inside it the keys and values listed below:

> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\Enabled with hexadecimal value 0
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client\DisabledByDefault with hexadecimal value 1
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\Enabled with hexadecimal value 0
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server\DisabledByDefault with hexadecimal value 1

▍ Method 2: Disable TLS 1.0 and TLS 1.1 using PowerShell commands

The following simple procedure disables TLS 1.0 and TLS 1.1 with PowerShell commands.

1. Open PowerShell as administrator.

2. Run the following commands to create the registry entries (note that each parameter uses a plain ASCII hyphen, e.g. -PropertyType; a typographic dash copied from a web page will make PowerShell reject the command):

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '0'
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '1'

Before executing the commands, you will see that there are no entries under Protocols.

After their execution, two keys will be created: TLS 1.0 and TLS 1.1. Under each protocol there are Client and Server keys, each containing two values: DisabledByDefault and Enabled.

▍ Method 3: Disable TLS 1.0 and TLS 1.1 on Windows Server via command line

1. Open a command prompt as an administrator.

2. Run the following commands to create registry entries.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
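Whichever of the three methods you used, it is worth verifying the result before rebooting. The following PowerShell script is an added example (not part of the original article) that reads back the SCHANNEL keys for TLS 1.0 and TLS 1.1 and reports, per Client and Server role, whether each protocol is actually disabled; it assumes the Enabled=0 / DisabledByDefault=1 convention used above and that a missing key means the OS default applies.

```powershell
# Added example: audit the SCHANNEL protocol state written by any of the methods above.
# Run in an elevated PowerShell on the server you configured.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Role)   # e.g. 'TLS 1.0' and 'Client'
    $path = Join-Path $base "$Protocol\$Role"
    if (-not (Test-Path $path)) {
        # No key at all: SCHANNEL falls back to the OS default for this protocol/role.
        return [pscustomobject]@{ Protocol = $Protocol; Role = $Role
                                  Enabled = 'OS default'; DisabledByDefault = 'OS default'
                                  State = 'not configured (OS default)' }
    }
    $props   = Get-ItemProperty -Path $path
    $enabled = if ($null -ne $props.Enabled)           { $props.Enabled }           else { 'OS default' }
    $dbd     = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'OS default' }
    # Enabled=0 hard-disables the protocol; DisabledByDefault=1 alone only removes it from
    # the default list, so an application can still request it explicitly.
    $state = if ($enabled -eq 0)  { 'disabled' }
             elseif ($dbd -eq 1)  { 'partially disabled (DisabledByDefault only)' }
             else                 { 'ENABLED' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; Enabled = $enabled
                       DisabledByDefault = $dbd; State = $state }
}

$report = foreach ($p in 'TLS 1.0', 'TLS 1.1') {
    foreach ($r in 'Client', 'Server') { Get-SchannelProtocolState -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize

$notDisabled = $report | Where-Object { $_.State -ne 'disabled' }
if ($notDisabled) {
    $list = ($notDisabled | ForEach-Object { "$($_.Protocol)/$($_.Role)" }) -join ', '
    Write-Warning "Legacy TLS is not fully disabled for: $list"
} else {
    Write-Host 'TLS 1.0 and TLS 1.1 are disabled for both the Client and Server roles.'
}
Write-Host 'Note: SCHANNEL registry changes take effect only after the server is rebooted.'
```

Run the script again after the reboot; a "disabled" state for all four rows confirms that the configuration from Method 1, 2 or 3 is in place.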

I hope this article helped you figure out how to disable TLS 1.0 and TLS 1.1 on Windows Server.
