BillClark
Copper Contributor
Feb 27, 2023

TLS 1.2 & Server 2019

Trying to get through some prerequisites for an application and it asks about TLS 1.2. We are running Server 2019 and from all that I've Googled, it says that TLS 1.2 is enabled by default in Server 2019. But, when I look for the registry keys that are posted everywhere to verify TLS 1.2 is enabled, I don't see those keys. Also, when I run IIS Crypto from Nartac on the server in question, everything is greyed out, not showing as being enabled. What is the correct answer here? Do I need to add those registry keys for TLS 1.2 to be enabled, or is it enabled by default? Very confused.

  • HotCakeX
    MVP

    Hi BillClark

    This might help too:
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233

    To answer your question, no, registry keys for supported TLS versions do not need to be present in

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    in order to be enabled. I have registry keys only for TLS 1 and 1.1 in that location because I disabled them, so I'm using TLS 1.2 and 1.3 for everything else, without having their keys present in there.

    When you clean install Windows, that registry location is empty, so it doesn't tell us anything about whether a TLS version is enabled or disabled. Also, I've used IIS Crypto before and it has bugs or design problems.

    P.S. It's recommended to disable any previous TLS/SSL versions prior to 1.2 because they have known vulnerabilities.

    I've listed all the insecure ciphers, TLS 1, TLS 1.1 and MD5 hashing algorithm registry locations in a CSV file on my GitHub repository to disable them easily: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Payload/Registry.csv

    • BillClark
      Copper Contributor

      Yes, that is one of many articles I've seen with the registry keys, but the underlying issue continues to be: is TLS 1.2 enabled by default in Windows 2019, as Microsoft says it is, without those keys in place? Or is the presence of those keys THE defining factor in whether TLS 1.2 is enabled or not, regardless of what Microsoft says should be turned on by default? I'd rather not add things to the registry if I don't have to.

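Both questions in this thread (does an absent key mean disabled, and how do you know for sure) can be settled on the server itself. The PowerShell script below is an added example, not code from either poster or from Microsoft. The first function walks the SCHANNEL Protocols location quoted above and reports, per protocol and per Client/Server side, whether Enabled and DisabledByDefault are explicitly set or simply absent; an absent key or value is reported as "OS default", which is the point HotCakeX makes about a clean install leaving that location empty. The second function performs an actual TLS 1.2-only client handshake against a listener you name, so the answer comes from what the TLS stack negotiates rather than from what the registry does or does not contain. The target host name and port are placeholders; the registry paths and .NET types are the documented ones.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the
# server being checked. Registry paths are the documented SCHANNEL locations; the
# host/port used for the live test are placeholders to replace.

$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    # Reports the explicit registry state of each protocol for the Client and Server
    # sides. A missing subkey or value means the OS default applies; it does NOT mean
    # the protocol is disabled, because on a clean install this location is empty.
    foreach ($name in $ProtocolNames) {
        foreach ($side in 'Client', 'Server') {
            $path  = Join-Path (Join-Path $ProtocolsRoot $name) $side
            $state = 'OS default (key absent)'
            if (Test-Path -Path $path) {
                $props   = Get-ItemProperty -Path $path
                $enabled = $props.PSObject.Properties['Enabled']
                $dbd     = $props.PSObject.Properties['DisabledByDefault']
                $state   = 'OS default (key present, no values set)'
                if ($enabled -and $enabled.Value -eq 0) {
                    # Enabled=0 switches the protocol off regardless of DisabledByDefault.
                    $state = 'Explicitly disabled (Enabled=0)'
                } elseif ($dbd -and $dbd.Value -ne 0) {
                    # DisabledByDefault=1 leaves it off unless an application opts in.
                    $state = 'Disabled by default unless an app opts in (DisabledByDefault=1)'
                } elseif ($enabled) {
                    # Enabled is a DWORD; 0xFFFFFFFF reads back as -1, so show it in hex.
                    $state = 'Explicitly enabled (Enabled=0x{0:X8})' -f $enabled.Value
                }
            }
            [pscustomobject]@{ Protocol = $name; Side = $side; State = $state }
        }
    }
}

function Test-Tls12Handshake {
    # Opens a TCP connection and forces a TLS 1.2-only client handshake. A successful
    # handshake proves the server negotiates TLS 1.2 whatever the registry says.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443
    )
    # Certificate validation is bypassed only because this checks protocol
    # negotiation, not trust; the callback is not suitable for anything else.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($ComputerName, $Port)
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($ComputerName, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)
            [pscustomobject]@{
                Target      = "${ComputerName}:${Port}"
                Negotiated  = $ssl.SslProtocol
                Cipher      = $ssl.CipherAlgorithm
                Result      = 'TLS 1.2 handshake succeeded'
            }
        } catch {
            [pscustomobject]@{
                Target     = "${ComputerName}:${Port}"
                Negotiated = $null
                Cipher     = $null
                Result     = "TLS 1.2 handshake failed: $($_.Exception.GetBaseException().Message)"
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Dispose()
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize

# Placeholder target: point this at the site or service the application will actually use.
Test-Tls12Handshake -ComputerName 'localhost' -Port 443 | Format-List
```

If the registry table shows "OS default" for TLS 1.2 on both sides and the handshake test reports TLS 1.2 succeeded, the protocol is active without any key being added, which is the situation described in the thread. A failed handshake against a listener you know is up points at that listener's own configuration (for example an IIS binding or an application-level setting) rather than at a missing SCHANNEL key.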