IIS

Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto

Choudhury SBy Updated:9 Comments2 Mins Read

Before we directly jump to the configuration part, let me first explain what is SSL/TLS. SSL and TLS are cryptographic protocols that provide authentication and data encryption between different communication endpoints (e.g., a client connecting to a web server), with SSL the predecessor to TLS. Every few years we see that the new versions of SSL/TLS is released to address the security vulnerabilities (e.g., BEAST, POODLE, DROWN) and support the strongest and most secure cipher suites. The latest being TLS 1.3, which was just approved by the IETF (Internet Engineering Task Force).

As a industry best practice, you should disable the old protocols which are vulnerable to attacks and update your servers to support the latest protocols. As of June 30, 2018, all websites will need to be on TLS 1.1 or higher in order to comply with the PCI Data Security Standard (DSS) also known as PCI compliance.

How to Check if  SSL and TLS 1.0 Protocols is still enabled on your site

In order to check whether your server still supports the vulnerable protocols, you can use Qualys SSL Server Test. Type your domain name to test and once the test is completed, scroll down to the protocols section and you’ll see a list of all the protocols and their status. Below is an example of a client site I tested and I can say that the administrator has maintained the server very badly,  since it still supports SSL 2.0, SSL 3.0, and TLS 1.0 and doesn’t support TLS 1.2. I then logged into the server and ran a GUI tool and below is the status of the protocols (which means all protocols supported by the OS is enabled), which is really bad.

iis crypto default - Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto
bad ssl test 768x187 - Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto
Enable/Disable SSL/TLS Protocols

In order to disable the old protocols (TLS 1.0 and all SSL versions), I downloaded a GUI tool named NARTAC IIS CRYPTO which comes very handy for system administrators instead of editing the registry settings. Below is a screenshot of the software used to enable/disable the protocols. After enabling/disabling the protocols, you need to apply and restart the server in order for the changes to be applied system wide.

iis crypto edit - Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto

After the changes is applied and system/server restarted, I again checked the site on Qualys SSL Server Test and below is the server configuration with proper protocols enabled.

good ssl test 768x191 - Disabling TLS 1.0 (and All SSL Versions) and Enabling TLS 1.2 on Windows Server with Nartac IIS Crypto
Share.

Choudhury is the founder and chief editor of ZoomTutorials Blog, a leading tutorials and technology blogging site specializing in DevOps, SysAdmin and Cloud Technologies to help IT professionals in their day to day work. He is a Senior Cloud and DevOps Solutions Engineer at a leading eCommerce development Company and has more than 10+ years of Cloud, DevOps and SysAdmin experience working with Fortune 500 companies to solve their most important IT backbones. He lives in Hyderabad with his wife and a son.

Related Posts

0 0 votes
Article Rating
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

9 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
wpdiscuz   wpDiscuz