How to Disable TLS 1.0, 1.1 and SSL on Your Windows Server

The internet moves on, and the next big thing that gets dropped is support for older versions of TLS (Transport Layer Security). If you have not already done so, now would be a good time to check that your server understands TLS 1.2 and to disable the older versions of TLS on your web servers.

A few months back I did a write-up on how to get TLS 1.2 on a Windows Server 2008 R2. The same commands and registry keys also help you get rid of the old protocols on newer versions of Windows Server.

A simple way to check the configuration of your server is to enter your domain into the SSL Server Test from Qualys. After a few minutes you should see a detailed report that shows you the health of your server. In the configuration section you find the supported protocols of your server (here TLS 1.0, 1.1 and 1.2 are active):

Old TLS versions still active

When TLS 1.2 is active, you can safely disable all the other protocols. However, if TLS 1.2 is not active, you first need to activate it. Otherwise your users will no longer be able to connect to your web server.

Before you make any changes to the registry, you must make a backup. If something goes wrong, you can restore it and do not need to reinstall your server.

You can copy these lines into a file ending with .reg and execute it:

If everything works you should get a success message at the end. To activate these changes, you now need to reboot your server.

As soon as your website is back up, you can rerun the SSL Server Test. If you get the exact same result back, you need to clear the cache by clicking on the link with that text right at the top. Now you should get a much better result and all the old protocols should be disabled:

Old TLS versions deactivated
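As an added example (not the post's own .reg script), the following PowerShell first reports the Schannel protocol keys the post refers to and then, only once TLS 1.2 is explicitly enabled for both client and server, sets the same Enabled/DisabledByDefault values for SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 that a .reg file would set. It assumes an elevated session, and a reboot is still required afterwards.

```powershell
# Added example, not the post's own script: inspect the Schannel protocol keys and
# disable the legacy protocols only after TLS 1.2 is explicitly enabled.
# Run elevated; without -Apply the script only reports. Reboot after applying.
param([switch]$Apply)

$Base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$Sides  = 'Client', 'Server'

function Get-SchannelState([string]$Protocol, [string]$Side) {
    $key = Join-Path (Join-Path $Base $Protocol) $Side
    if (-not (Test-Path $key)) { return 'not set (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
}

# Report the current state of every protocol key before touching anything
foreach ($proto in $Legacy + 'TLS 1.2') {
    foreach ($side in $Sides) {
        '{0,-8} {1,-6} {2}' -f $proto, $side, (Get-SchannelState $proto $side)
    }
}

# TLS 1.2 must be explicitly on (Enabled=1, DisabledByDefault=0) for Client and Server,
# otherwise clients would be left with no protocol to connect with after the change.
$tls12Ok = $true
foreach ($side in $Sides) {
    $key = Join-Path $Base "TLS 1.2\$side"
    $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
    if ($null -eq $p -or $p.Enabled -ne 1 -or $p.DisabledByDefault -ne 0) { $tls12Ok = $false }
}
if (-not $tls12Ok) {
    Write-Warning 'TLS 1.2 is not explicitly enabled; enable it before disabling older protocols.'
    return
}
if (-not $Apply) { Write-Host 'Dry run only. Re-run with -Apply to disable the legacy protocols.'; return }

# Disable SSL 2.0/3.0 and TLS 1.0/1.1 for client and server (same values a .reg file sets)
foreach ($proto in $Legacy) {
    $protoKey = Join-Path $Base $proto
    if (-not (Test-Path $protoKey)) { New-Item -Path $protoKey | Out-Null }
    foreach ($side in $Sides) {
        $key = Join-Path $protoKey $side
        if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
        New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
    }
}
Write-Host 'Legacy protocols disabled in the registry; reboot the server to apply the change.'
```

Keep a registry export of the Protocols key from before the run so the change can be rolled back if an application turns out to need one of the old protocols.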

With these small changes your Windows Server is now ready for the changes in the browsers that will roll out over the next weeks. Unfortunately, you cannot disable the old protocols on all your Windows Servers. If you do so, some of your SQL Servers will no longer work. How to fix those problems will be the topic of next week’s post.

18 thoughts on “How to Disable TLS 1.0, 1.1 and SSL on Your Windows Server”

  1. When I disable TLS 1.1 and the others are not enabled, I can still connect to the web client the first time. Anyway, the second time it will reject the connection. Do you know what happened?

    • Hi Sherry,
      That sounds strange. I have no idea how this happens and what to do to fix it.

      Regards,
      Johnny

        • Hi Ashwini,
          You can use the same registry keys as I wrote down in the blog post. But make sure that you activate TLS 1.2 before you turn off 1.0 and 1.1.

          Regards,
          Johnny

  2. If we have disabled TLS 1.0 and 1.1 and enabled TLS 1.2 only, will applications on the servers be affected or not (any downtime)?

    • Hi SyedArslan,
      The commands in this post change the registry, and it is strongly recommended to reboot your system to apply those changes. Therefore, you will have downtime for the reboot.

      Regards,
      Johnny

      • Hi Johnny, very clear instructions. But it may be good to mention that not every application which is installed on the (web) server automatically supports TLS 1.2. For instance, if you have an application which is using web services for external connections (e.g. SOAP), you might be in trouble after disabling TLS 1.1 and have to do a rollback/re-enable TLS 1.1.

  3. Hello, I have set this by going directly into the registry via regedit, did all the changes as mentioned above and restarted the system, but when I run the SSL scan again after clearing the cache, it is still showing TLS 1.0 and 1.1 in the result. Please help.

    • Hi sachin,
      That happens often when you make a typo in one of the names. That is the reason why I always run the script. I suggest you run the script as well. If this is not possible, export your current registry for the protocols around security and then use a diff tool to check where they differ.

      Regards,
      Johnny

  4. Hello, I am calling a third-party API; the third party is using TLS 1.2. On my server side I have configured TLS 1.2 at all the places, but while calling the third-party API, TLS 1.0 is automatically being appended to the data packets over the network. This is happening at runtime, even after disabling TLS 1.0. Please, does anyone have an idea why this is happening?

    • Hi Anil,
      Does the tool that calls the third party API support TLS 1.2? A lot of older tools that predate TLS 1.2 will not work, even when your server supports it.

      Can you tell me how you try to call the third party API and which version your tools/frameworks have?

      Regards,
      Johnny

  5. Can we disable the TLS 1.1 protocol on Domain Controllers? What will be the impact on Active Directory?

    • Hi Sachin,
      Sorry, I have no knowledge of Domain Controllers and Active Directory. I would back up the existing registry, apply the settings to one of the Domain Controllers and test what happens. If something goes wrong, restore the backup.

      Regards,
      Johnny

    • Disabling the TLS 1.1 protocol on Domain Controllers will disrupt any domain applications authenticating against the Domain Controller using TLS 1.1. If you have a segmented network for development/testing, you may want to disable it only for the dev segment. To see who screams, re-enable until the application(s) in development can migrate to TLS 1.2. Get management authorization before pursuing this path. Rinse and repeat in the test domain segment. This should allow all applications to be identified and brought to the current TLS v1.2 or higher. Encourage them to support 1.3 as well where available to ease future SSL v1.3 version migrations.

  6. Johnny, how can I make sure that TLS 1.0 and 1.1 are disabled completely? After scanning an application, the scan found vulnerabilities, and the developers are telling me and showing me that it’s fixed. Would this be a load balancer issue, a server issue, a certificate issue?

    Any help would be appreciated.

    Thanks.

    • Hi Norm,
      The more complex the infrastructure, the more challenging it is to figure out which server is not correctly configured. To pinpoint the configuration mistake, I would check with the operations team how the traffic to the application flows through the infrastructure and pick any point between your end users and the application to check if the problem can be detected there. If so, the problem may be between that point and the application. If there is no problem, then something between that point and the end users may be wrong.

      Regards,
      Johnny
