Loading

Wednesday, February 8, 2017

Disable TLS on Server 2012 R2 in the Registry with PowerShell

It's common knowledge that TLS is preferred over SSL because it provides better security, and because an industry-wide push to stop using SSL, use HTTPS exclusively (instead of HTTP), and increase security overall has been underway for a while. But it's also important to use the latest version of TLS. Fortunately Windows Server 2012 R2 supports all three current versions of TLS, 1.0, 1.1 and 1.2. But, what if your server requires the disabling of lower versions, like 1.0 or even 1.1? Sure, there are various resources on the Internet from .reg files to both paid and free utilities, but since I often work in environments restricting the use of such methods, and since I like to use the simplest native method possible I have a set of commands I run in PowerShell to both disable TLS 1.0 and 1.1, and explicitly create keys and enable TLS 1.2 (which aren't already in the registry for some reason).

Note: although this was written specifically for Server 2012 R2 these commands work on Server 2008 R2 as well.

After installing the latest version of PowerShell on new servers one of the next things I do is run the set of commands below. First though, we'll take a look at the current security (SCHANNEL) protocols on a new 2012 R2 server with:

Get-ChildItem -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols -Recurse
View SCHANNEL Registry settings in PowerShell on Server 2012 R2.
Here is the set of commands I run to disable TLS 1.0 and 1.1 and explicitly enable TLS 1.2 on Windows Server 2012 R2:

#2012 R2 - Disable TLS 1.0, 1.1, enable 1.2 
$TLSProto = "TLS 1.0" New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS" –Name "TLS 1.0" New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto" –Name CLIENT New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto" –Name SERVER New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\CLIENT" –Name Enabled –Value 0 –Type DWORD New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\SERVER" –Name Enabled –Value 0 –Type DWORD 

$TLSProto = "TLS 1.1" New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS" –Name "$TLSProto" New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto" –Name CLIENT New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto" –Name SERVER New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\CLIENT" –Name Enabled –Value 0 –Type DWORD New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\CLIENT" –Name DisabledByDefault –Value 1 –Type DWORD New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\SERVER" –Name Enabled –Value 0 –Type DWORD New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\SERVER" –Name DisabledByDefault –Value 1 –Type DWORD 

$TLSProto = "TLS 1.2" New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS" –Name "$TLSProto" New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto" –Name CLIENT New-Item
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto" –Name SERVER New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\CLIENT" –Name Enabled –Value 1 –Type DWORD New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\CLIENT" –Name DisabledByDefault –Value 0 –Type DWORD New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\SERVER" –Name Enabled –Value 1 –Type DWORD New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\PROTOCOLS\$TLSProto\SERVER" –Name DisabledByDefault –Value 0 –Type DWORD

Then run this again to verify the settings:

Get-ChildItem -Path HKLM:\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols -Recurse

And, don't forget to reboot for the changes to take effect.