Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto
7 min read
Before we directly jump to the configuration part, let me first explain what is SSL/TLS. SSL and TLS are cryptographic protocols that provide authentication and data encryption between different communication endpoints (e.g., a client connecting to a web server), with SSL the predecessor to TLS. Every few years we see that the new versions of SSL/TLS is released to address the security vulnerabilities (e.g., BEAST, POODLE, DROWN) and support the strongest and most secure cipher suites. The latest being TLS 1.3, which was just approved by the IETF (Internet Engineering Task Force).
As a industry best practice, you should disable the old protocols which are vulnerable to attacks and update your servers to support the latest protocols. As of June 30, 2018, all websites will need to be on TLS 1.1 or higher in order to comply with the PCI Data Security Standard (DSS) also known as PCI compliance.
How to Check if SSL and TLS 1.0 Protocols is still enabled on your site
In order to check whether your server still supports the vulnerable protocols, you can use Qualys SSL Server Test. Type your domain name to test and once the test is completed, scroll down to the protocols section and you’ll see a list of all the protocols and their status. Below is an example of a client site I tested and I can say that the administrator has maintained the server very badly, since it still supports SSL 2.0, SSL 3.0, and TLS 1.0 and doesn’t support TLS 1.2. I then logged into the server and ran a GUI tool and below is the status of the protocols (which means all protocols supported by the OS is enabled), which is really bad.
Enable/Disable SSL/TLS Protocols
In order to disable the old protocols (TLS 1.0 and all SSL versions), I downloaded a GUI tool named NARTAC IIS CRYPTO which comes very handy for system administrators instead of editing the registry settings. Below is a screenshot of the software used to enable/disable the protocols. After enabling/disabling the protocols, you need to apply and restart the server in order for the changes to be applied system wide.
After the changes is applied and system/server restarted, I again checked the site on Qualys SSL Server Test and below is the server configuration with proper protocols enabled.
I am regular reader, how are you everybody?
This post posted at this website is genuinely good.
My developer is trying to convince me to move to
.net from PHP. I have always disliked the idea because of the expenses.
But he’s tryiong none the less. I’ve been using WordPress on several websites
for about a year and am nervous about switching to another
platform. I have heard fantastic things about blogengine.net.
Is there a way I can transfer all my wordpress posts into it?
Any kind of help would be really appreciated!
Thanks for another magnificent article. The place else
could anybody get that type of info in such an ideal method of writing?
I have a presentation subsequent week, and I am at the search
for such info.
I read this paragraph fully on the topic of the comparison of latest and preceding technologies, it’s awesome
article.
I’ve been browsing online more than 2 hours today,
yet I never found any interesting article like yours. It’s
pretty worth enough for me. In my opinion, if all site owners
and bloggers made good content as you did, the net will be a
lot more useful than ever before.
What’s up friends, nice post and nice arguments commented at this place, I am actually enjoying by these.
An impressive share! I have just forwarded this onto a co-worker who has been conducting a little homework on this.
And he in fact bought me breakfast because I found it for him…
lol. So let me reword this…. Thank YOU for the meal!!
But yeah, thanx for spending the time to discuss this matter
here on your web page.
whoah this blog is magnificent i like studying
your posts. Keep up the good work! You already know,
lots of individuals are hunting around for this info, you can help them greatly.
Long time supporter, and thought I’d drop a comment.
Your wordpress site is very sleek – hope you don’t
mind me asking what theme you’re using? (and don’t mind if I steal it?
:P)
I just launched my site –also built in wordpress like yours– but the theme slows (!) the
site down quite a bit.
In case you have a minute, you can find it by searching for “royal cbd” on Google (would
appreciate any feedback) – it’s still in the works.
Keep up the good work– and hope you all take care of yourself during the coronavirus scare!