Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto

Before jumping to the configuration, let me first explain what SSL/TLS is. SSL and TLS are cryptographic protocols that provide authentication and data encryption between communication endpoints (e.g., a client connecting to a web server), with SSL being the predecessor to TLS. Every few years a new version of SSL/TLS is released to address security vulnerabilities (e.g., BEAST, POODLE, DROWN) and to support the strongest and most secure cipher suites. The latest is TLS 1.3, which was just approved by the IETF (Internet Engineering Task Force).

As an industry best practice, you should disable the old protocols that are vulnerable to attack and update your servers to support the latest protocols. As of June 30, 2018, all websites will need to be on TLS 1.1 or higher in order to comply with the PCI Data Security Standard (DSS), also known as PCI compliance.

How to Check if SSL and TLS 1.0 Protocols Are Still Enabled on Your Site

To check whether your server still supports the vulnerable protocols, you can use the Qualys SSL Server Test. Enter your domain name and, once the test has completed, scroll down to the protocols section, where you'll see a list of all the protocols and their status. Below is an example of a client site I tested, and I can say that the administrator has maintained the server very badly, since it still supports SSL 2.0, SSL 3.0, and TLS 1.0 and doesn't support TLS 1.2. I then logged into the server and ran a GUI tool, and below is the status of the protocols (all protocols supported by the OS are enabled), which is really bad.

Enable/Disable SSL/TLS Protocols

To disable the old protocols (TLS 1.0 and all SSL versions), I downloaded a GUI tool named Nartac IIS Crypto, which comes in very handy for system administrators as an alternative to editing the registry settings. Below is a screenshot of the software used to enable/disable the protocols. After enabling/disabling the protocols, you need to apply the changes and restart the server for them to take effect system-wide.
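For reference, the registry settings that the GUI spares you from editing by hand can be inspected and set from an elevated PowerShell prompt. This is an added example, not code from the article's author or from Nartac; the function names `Get-SchannelProtocolState` and `Set-SchannelProtocol` are hypothetical, and it only touches the server-side Schannel keys.

```powershell
# Added example: server-side Schannel protocol settings live under this key.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Report the server-side state of each protocol. A missing key or value
    # means the OS default applies, which differs between Windows Server versions.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$proto\Server"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = if ($null -ne $p.Enabled) { [bool]$p.Enabled } else { 'OS default' }
            DisabledByDefault = if ($null -ne $p.DisabledByDefault) { [bool]$p.DisabledByDefault } else { 'OS default' }
        }
    }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path $base "$Protocol\Server"
    # Create the key only if it is missing, so existing values are not wiped.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord `
        -Value ([int](-not $Enabled)) -Force | Out-Null
}

# Record the state before changing anything, so the change can be reverted.
Get-SchannelProtocolState | Format-Table -AutoSize

# Same outcome as in the article: all SSL versions and TLS 1.0 off, TLS 1.2 on.
'SSL 2.0', 'SSL 3.0', 'TLS 1.0' | ForEach-Object {
    Set-SchannelProtocol -Protocol $_ -Enabled $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true

Get-SchannelProtocolState | Format-Table -AutoSize
# Schannel reads these values at startup, so restart the server afterwards.
```

Confirm that every client and back-end integration can negotiate TLS 1.2 before applying this to a production server, then re-run the external scan after the restart.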

After the changes were applied and the server restarted, I checked the site again with the Qualys SSL Server Test, and below is the server configuration with the proper protocols enabled.

Safi Ahmed Choudhury

Safi is the founder and chief editor of ZoomTutorials Blog, a leading tutorials and technology blogging site specializing in DevOps, SysAdmin and Cloud Technologies to help IT professionals in their day to day work. He is a Senior Cloud and DevOps Solutions Engineer at a leading eCommerce development Company and has more than 8 years of SysAdmin experience working with Fortune 500 companies to solve their most important IT backbones. Safi lives in Hyderabad with his wife and a son.

9 thoughts on “Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto”

  1. My developer is trying to convince me to move to
    .net from PHP. I have always disliked the idea because of the expenses.
    But he’s trying none the less. I’ve been using WordPress on several websites
    for about a year and am nervous about switching to another
    platform. I have heard fantastic things about blogengine.net.
    Is there a way I can transfer all my wordpress posts into it?

    Any kind of help would be really appreciated!

  2. Thanks for another magnificent article. The place else
    could anybody get that type of info in such an ideal method of writing?
    I have a presentation subsequent week, and I am at the search
    for such info.

  3. I’ve been browsing online more than 2 hours today,
    yet I never found any interesting article like yours. It’s
    pretty worth enough for me. In my opinion, if all site owners
    and bloggers made good content as you did, the net will be a
    lot more useful than ever before.

  4. An impressive share! I have just forwarded this onto a co-worker who has been conducting a little homework on this.
    And he in fact bought me breakfast because I found it for him…

    lol. So let me reword this…. Thank YOU for the meal!!
    But yeah, thanx for spending the time to discuss this matter
    here on your web page.

  5. whoah this blog is magnificent i like studying
    your posts. Keep up the good work! You already know,
    lots of individuals are hunting around for this info, you can help them greatly.

  6. Long time supporter, and thought I’d drop a comment.

    Your wordpress site is very sleek – hope you don’t
    mind me asking what theme you’re using? (and don’t mind if I steal it?

    I just launched my site –also built in wordpress like yours– but the theme slows (!) the
    site down quite a bit.

    In case you have a minute, you can find it by searching for “royal cbd” on Google (would
    appreciate any feedback) – it’s still in the works.

    Keep up the good work– and hope you all take care of yourself during the coronavirus scare!
