Forum Discussion

BillClark's avatar
BillClark
Copper Contributor
Feb 27, 2023
Solved

TLS 1.2 & Server 2019

Trying to get through some prerequisites for an application and it asks about TLS 1.2.  We are running Server 2019 and from all that I've Googled, it says that TLS 1.2 is enabled by default in Server...
security
TLS 1.2
  • HotCakeX's avatar
    HotCakeX
    Feb 28, 2023

    Hi BillClark 

    This might help too:
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233

     

    To answer your question, no, registry keys for supported TLS versions do not need to be present in

     

     

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

     

     

     

    in order to be enabled. I have registry keys only for TLS 1 and 1.1 in that location because I disabled them, so I'm using TLS 1.2 and 1.3 for everything else, without having their keys present in there.

     

    When you clean install Windows, that registry location is empty, so it doesn't tell us anything about whether a TLS version is enabled or disabled. Also, I've used IIS crypto before and it has bugs or design problems.

     

    P.S It's recommended to disable any previous TLS/SSL versions prior to 1.2 because they have known vulnerabilities.

     

    I've listed all the insecure ciphers, TLS 1, TLS 1.1 and MD5 hashing algorithm registry locations in a CSV file on my Github repository to disable them easily: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Payload/Registry.csv

     

BillClark's avatar
BillClark
Copper Contributor
Feb 28, 2023
Yes, that is one of many articles I've seen with the registry keys, but the underlying issue continues to be, is TLS 1.2 enabled by default in Windows 2019 as Microsoft says it is, without those keys in place? Or is the presence of those keys THE defining factor if TLS 1.2 is enabled or not, regardless what Microsoft says should be turned on by default. I'd rather not add things to the registry if I don't have to.
HotCakeX's avatar
HotCakeX
MVP
Feb 28, 2023

Hi BillClark 

This might help too:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/259233

 

To answer your question, no, registry keys for supported TLS versions do not need to be present in

 

 

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

 

 

 

in order to be enabled. I have registry keys only for TLS 1 and 1.1 in that location because I disabled them, so I'm using TLS 1.2 and 1.3 for everything else, without having their keys present in there.

 

When you clean install Windows, that registry location is empty, so it doesn't tell us anything about whether a TLS version is enabled or disabled. Also, I've used IIS crypto before and it has bugs or design problems.

 

P.S It's recommended to disable any previous TLS/SSL versions prior to 1.2 because they have known vulnerabilities.

 

I've listed all the insecure ciphers, TLS 1, TLS 1.1 and MD5 hashing algorithm registry locations in a CSV file on my Github repository to disable them easily: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Payload/Registry.csv

 

Resources