Windows Server vNext - TLS improvements, make TLS 1.2 the minimum standard for different areas.

Frequent Contributor

Hi Server Team,

it is great to see that Server vNext has enabled only TLS 1.2 and TLS 1.3 left experimental state in Internet Options (Windows System / IE)

 

However the remark from @Aria Carley 
Changes to improve security for Windows devices scanning WSUS - Microsoft Tech Community
does not yet match completely / consistently in Server vNext (not even speaking about productive release as 1607 and later)

I would like to plea for following changes:

1. Server vNext should enable TLS 1.2 for PowerShell 5.1. Currently it is not enabled by default an so blocking access to repositories as github, PSget, nuGet etc

2. Upgrading WSUS to Server 2022 should enable TLS for WSUS by default (I know there are no GUI or wizard changes)

3. Server vNext should enable TLS 1.2 for SQL and .net by default 

4. Server vNext should use TLS 1.2 for SChannel. Every supported OS (including domain controllers) support this. 

You should consider to disable TLS 1.0 / 1.1 for each of these
@Mary Hoffman 

Currently I am deploying actively these changes in mixed custmer enviroments using script / GPOs ranging from Server 2008-2019, SQL 2012-2019, Exchange 2013-2019, and do not face issues that cannot mitigated. 

However I would expect the standards to be higher with Server 2022 in compliance with what Aria stated. 

Thanks for your feedback


2 Replies
Dear Server Team,
testing on build 20317 it still seems the OS is not configured securely except from Internet Explorer Options.

This includes the default config to enable and enforce TLS 1.2:

- SChannel Client and Server (including dependencies to IIS)
- PowerShell 5.1
- .net 3.5
- .net 4.x
- WinHTTP

Imho securing IE options is not enough. Are there any plans to improve the situation for Windows 10 21H2 and Server 2022 LTSC / Windows 10 2022 LTSC?
If needed I could provide you 2 sets of configurations that are considered secure and compatible with Windows 10 clients / server and another one still allowing Win7 / 2008R2 (only a difference of one ciphersuite.