Forum Discussion
TLS 1.2 & Server 2019
- Feb 28, 2023
You could follow along here to add the correct registry settings.
Transport Layer Security (TLS) registry settings | Microsoft Learn
- BillClark, Feb 28, 2023, Copper Contributor
Yes, that is one of many articles I've seen with the registry keys, but the underlying issue continues to be: is TLS 1.2 enabled by default in Windows 2019 as Microsoft says it is, without those keys in place? Or is the presence of those keys THE defining factor in whether TLS 1.2 is enabled or not, regardless of what Microsoft says should be turned on by default? I'd rather not add things to the registry if I don't have to.
- HotCakeX, Feb 28, 2023, MVP
Hi BillClark
This might help too:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233
To answer your question, no, registry keys for supported TLS versions do not need to be present in
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
in order to be enabled. I have registry keys only for TLS 1 and 1.1 in that location because I disabled them, so I'm using TLS 1.2 and 1.3 for everything else, without having their keys present in there.
When you clean install Windows, that registry location is empty, so it doesn't tell us anything about whether a TLS version is enabled or disabled. Also, I've used IIS crypto before and it has bugs or design problems.
P.S. It's recommended to disable any TLS/SSL versions prior to 1.2 because they have known vulnerabilities.
I've listed all the insecure ciphers, TLS 1, TLS 1.1 and MD5 hashing algorithm registry locations in a CSV file on my GitHub repository to disable them easily: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Payload/Registry.csv
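The point above is easy to misread when auditing a server: an absent key under SCHANNEL\Protocols means "Windows default", not "disabled". The following PowerShell is an added example (not from the thread or from the linked repository) that walks the Client and Server subkeys for each protocol and reports whether explicit Enabled / DisabledByDefault values exist, so you can tell an explicit hardening decision apart from the OS default. It assumes the standard Schannel value semantics: Enabled = 0 turns the protocol off outright, any non-zero value (commonly 0xffffffff) turns it on, and DisabledByDefault = 1 keeps it off unless an application opts in.

```powershell
# Added example: report the SChannel protocol registry state on the local machine.
# Absent key or value => Windows default applies (NOT "disabled").
function Get-SchannelProtocolState {
    $base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'
    $roles     = 'Client', 'Server'

    foreach ($p in $protocols) {
        foreach ($r in $roles) {
            $path    = Join-Path -Path $base -ChildPath "$p\$r"
            $enabled = 'OS default (no key)'
            $dbd     = 'OS default (no key)'

            if (Test-Path -Path $path) {
                $item = Get-ItemProperty -Path $path
                # Enabled = 0 disables the protocol; non-zero (usually 0xffffffff) enables it.
                # DisabledByDefault = 1 keeps it off unless an application explicitly requests it.
                $enabled = if ($null -ne $item.Enabled) { $item.Enabled } else { 'OS default (value not set)' }
                $dbd     = if ($null -ne $item.DisabledByDefault) { $item.DisabledByDefault } else { 'OS default (value not set)' }
            }

            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled
                DisabledByDefault = $dbd
            }
        }
    }
}

# Usage: run in an elevated PowerShell on the server being audited.
Get-SchannelProtocolState | Format-Table -AutoSize
```

On a clean install every row reads "OS default (no key)", which matches the observation above that the location is empty; after applying a hardening CSV you should see Enabled = 0 rows for TLS 1.0 and 1.1 and still nothing for TLS 1.2 and 1.3.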
- Dave Patrick, Feb 28, 2023, MVP
1. Open the website whose security type you want to know.
2. Press F12.
3. Navigate to the Security tab. [screenshot: Security tab]
4. Under Connection, the authentication type will be displayed. [screenshot: "Connection - secure connection settings: The connection to this site is encrypted and authenticated using TLS 1.2"]
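The browser's Security tab shows what one client negotiated with one site. A scripted equivalent that runs on the Windows machine itself, and therefore reflects that machine's own Schannel policy, is the PowerShell below. It is an added example, not code from the thread: it opens a connection using the system-default protocol list (SslProtocols.None, which means "let the OS decide" on .NET Framework 4.7 and later, the version shipped with Server 2019) and reports the negotiated protocol and cipher suite parameters. The hostname is a placeholder; replace it with a server you administer.

```powershell
# Added example: open a TLS connection with the OS (Schannel) defaults and
# report what was actually negotiated.
function Get-NegotiatedTlsInfo {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # $false = do not leave the inner stream open after the SslStream is disposed
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            # SslProtocols.None = "use the system default", so the result reflects the
            # machine's real Schannel policy rather than a version hard-coded here.
            $systemDefault = [System.Security.Authentication.SslProtocols]::None
            # Arguments: target host, client certificates (none), allowed protocols, check revocation
            $ssl.AuthenticateAsClient($HostName, $null, $systemDefault, $true)

            [pscustomobject]@{
                Host        = $HostName
                Protocol    = $ssl.SslProtocol
                Cipher      = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength)-bit)"
                Hash        = $ssl.HashAlgorithm
                KeyExchange = $ssl.KeyExchangeAlgorithm
                Issuer      = $ssl.RemoteCertificate.Issuer
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Dispose() }
}

# Usage (placeholder hostname): run from the Server 2019 box to see what it negotiates
# as a client; point it at the box from another machine to see what it offers as a server.
Get-NegotiatedTlsInfo -HostName 'server2019.example.internal'
```

If the function reports Tls12 while the registry walk shows no TLS 1.2 keys, that is direct evidence for the thread's conclusion: the protocol is on by default and the keys are only needed to change the default.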