Forum Discussion
BillClark
Feb 27, 2023Copper Contributor
TLS 1.2 & Server 2019
Trying to get through some prerequisites for an application and it asks about TLS 1.2. We are running Server 2019 and from all that I've Googled, it says that TLS 1.2 is enabled by default in Server 2019. But, when I look for the registry keys that are posted everywhere to verify TLS 1.2 is enabled, I don't see those keys. Also, when I run IIS Crypto from Nartac on the server in question, everything is greyed out, not showing as being enabled. What is the correct answer here?? Do I need to add those registry keys for TLS 1.2 to be enabled, or is it enabled by default? Very confused.
Hi BillClark
This might help too:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233To answer your question, no, registry keys for supported TLS versions do not need to be present in
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
in order to be enabled. I have registry keys only for TLS 1 and 1.1 in that location because I disabled them, so I'm using TLS 1.2 and 1.3 for everything else, without having their keys present in there.
When you clean install Windows, that registry location is empty, so it doesn't tell us anything about whether a TLS version is enabled or disabled. Also, I've used IIS crypto before and it has bugs or design problems.
P.S It's recommended to disable any previous TLS/SSL versions prior to 1.2 because they have known vulnerabilities.
I've listed all the insecure ciphers, TLS 1, TLS 1.1 and MD5 hashing algorithm registry locations in a CSV file on my Github repository to disable them easily: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Payload/Registry.csv
You could follow along here to add the correct registry settings.
Transport Layer Security (TLS) registry settings | Microsoft Learn
- BillClarkCopper ContributorYes, that is one of many articles I've seen with the registry keys, but the underlying issue continues to be, is TLS 1.2 enabled by default in Windows 2019 as Microsoft says it is, without those keys in place? Or is the presence of those keys THE defining factor if TLS 1.2 is enabled or not, regardless what Microsoft says should be turned on by default. I'd rather not add things to the registry if I don't have to.
Hi BillClark
This might help too:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233To answer your question, no, registry keys for supported TLS versions do not need to be present in
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
in order to be enabled. I have registry keys only for TLS 1 and 1.1 in that location because I disabled them, so I'm using TLS 1.2 and 1.3 for everything else, without having their keys present in there.
When you clean install Windows, that registry location is empty, so it doesn't tell us anything about whether a TLS version is enabled or disabled. Also, I've used IIS crypto before and it has bugs or design problems.
P.S It's recommended to disable any previous TLS/SSL versions prior to 1.2 because they have known vulnerabilities.
I've listed all the insecure ciphers, TLS 1, TLS 1.1 and MD5 hashing algorithm registry locations in a CSV file on my Github repository to disable them easily: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Payload/Registry.csv