Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still accessible through TLS 1.0 and 1.1

  • Question

  • User-453386921 posted

    Hello All,

    Disabled TLS 1.0 and 1.1 at registry level in the web server, but the IIS site hosted in the web server is still accessible through TLS 1.0 and 1.1.

    We have checked through the browser as well as through the OpenSSL command in PuTTY.

    Can you please help me where it is going wrong?

    Thanks

    Saturday, April 27, 2019 12:16 AM

All replies

  • User690216013 posted

    Can you please help me where it is going wrong?

    That indicates either you forgot to reboot the server after making the changes, or you simply changed the wrong keys.

    A tool like IISCrypto is preferred, as it visualizes the keys and minimizes the possibilities to make mistakes, https://www.nartac.com/Products/IISCrypto/ 

    Saturday, April 27, 2019 2:47 PM
  • User-453386921 posted

    Hi lextm,

    Thank you for the reply,

    I have restarted after changing the configuration at registry level as mentioned below.

    PFB the PowerShell script which I have used to disable TLS 1.0 and 1.1.

    Please let me know where I am going wrong.

    New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.0"
    New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Client
    New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Server
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" -Name DisabledByDefault -PropertyType DWord -Value 1
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" -Name Enabled -PropertyType DWord -Value 0

    New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.1"
    New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Client
    New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Server
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" -Name DisabledByDefault -PropertyType DWord -Value 1
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" -Name Enabled -PropertyType DWord -Value 0

    Thanks

    Sunday, April 28, 2019 9:42 AM
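    The first reply above narrows the cause to "not rebooted" or "wrong keys", and the script above writes Enabled=0 only on the Server side and DisabledByDefault=1 only on the Client side. The following read-back script is an added example, not code from the thread: it reports what is actually stored under each Schannel Protocols subkey, interprets it the way Schannel does, and shows the last boot time and the pending-reboot markers, since Schannel reads these values at boot. The function names and the set of protocols listed are my own choices. If the Server side already reads Enabled=0 after a reboot and the site still negotiates TLS 1.0, the remaining thing to check is whether something in front of the farm nodes is terminating TLS instead of IIS.

```powershell
# Added example (not from the thread): audit the Schannel protocol registry state.
# Run elevated on the web server itself.
function Get-SchannelProtocolState {
    param(
        # Protocol subkey names as Schannel expects them (assumed list, extend as needed)
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($p in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $p) $side
            $enabled = $null
            $dbd = $null
            if (Test-Path $key) {
                $item = Get-ItemProperty -Path $key
                $enabled = $item.Enabled            # $null when the value is absent
                $dbd = $item.DisabledByDefault      # $null when the value is absent
            }
            # Enabled = 0 is the hard disable. DisabledByDefault = 1 only removes the protocol
            # from the default set (which is what http.sys/IIS uses); an application can still
            # request it explicitly. No key or values at all means the OS default applies.
            $state = if ($enabled -eq 0) { 'Disabled (Enabled=0)' }
                     elseif ($dbd -eq 1) { 'Not offered by default (DisabledByDefault=1)' }
                     elseif ($null -eq $enabled -and $null -eq $dbd) { 'OS default (no explicit values)' }
                     else { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $dbd
                EffectiveState    = $state
            }
        }
    }
}

# Registry changes to Schannel take effect at boot: compare LastBootUpTime with the time
# the keys were written, and check the two common reboot-pending markers.
function Get-RebootStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        LastBootUpTime   = $os.LastBootUpTime
        CbsRebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        WuRebootRequired = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-RebootStatus
```

    Run it on each node of the farm separately; a node that was restarted before the keys were written will show the values in the registry but still offer the old protocols.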
  • User-848649084 posted

    Hi loginatiis,

    You could use the below script to disable and enable  SSL and TLS:

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [ValidateSet("SSL30","TLS10","TLS11","TLS12")]
        [string]$Proto,
        [ValidateSet("Client","Server")]
        [string]$Target,
        [Parameter(Mandatory=$True)]
        [ValidateSet("Enable","Disable")]
        $Action)

    # Map the short protocol name to its Schannel registry key
    Function CheckKey{
        param(
            [string]$Proto
        )
        $RegKey = $null

        switch ($Proto){
            SSL30 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"}
            TLS10 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"}
            TLS11 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"}
            TLS12 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"}
            default{"Not supported protocol. Possible values: SSL30, TLS10, TLS11, TLS12"
                    exit}
        }
        return $Regkey
    }

    $RegKey = CheckKey -Proto $Proto
    [string[]]$TargetKey = $null
    # Without -Target, both the Client and Server subkeys are created and updated
    if(!($Target)){
        Write-Host "Setting up both Client and Server protocols"
        $TargetKey = $(Join-Path $RegKey "Client").ToString()
        $TargetKey += $(Join-Path $RegKey "Server").ToString()
        if(!(Test-path -Path $TargetKey[0])){
            New-Item $TargetKey[0] -Force
        }
        if(!(Test-path -Path $TargetKey[1])){
            New-Item $TargetKey[1] -Force
        }
    }
    else{
        Write-Host "Setting up $Target protocols"
        $TargetKey = $(Join-Path $RegKey $Target).ToString()
        if(!(Test-path -Path $(Join-Path $RegKey $Target))){
            New-Item $TargetKey -Force
        }
    }

    # Disable writes Enabled=0 and DisabledByDefault=1; Enable writes Enabled=1 and DisabledByDefault=0.
    # Each value is updated when it exists and created when Get-ItemProperty throws because it is missing.
    Function SetProto{
        param(
            [string[]]$TargetKey,
            [string]$Action
        )

        foreach($key in $TargetKey){
            try{
                Get-ItemProperty -Path $key -Name "Enabled" -ErrorAction Stop | Out-Null
                if($Action -eq "Disable"){
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "Enabled" -Value 0 -Type "DWord"
                }
                else{
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "Enabled" -Value 1 -Type "DWord"
                }
            }Catch [System.Management.Automation.PSArgumentException]{
                if($Action -eq "Disable"){
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "Enabled" -Value 0 -PropertyType "DWord"
                }
                else{
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "Enabled" -Value 1 -PropertyType "DWord"
                }
            }

            try{
                Get-ItemProperty -Path $key -Name "DisabledByDefault" -ErrorAction Stop | Out-Null
                if($Action -eq "Disable"){
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -Type "DWord"
                }
                else{
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -Type "DWord"
                }
            }Catch [System.Management.Automation.PSArgumentException]{
                if($Action -eq "Disable"){
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -PropertyType "DWord"
                }
                else{
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -PropertyType "DWord"
                }
            }
        }
    }

    SetProto -TargetKey $TargetKey -Action $Action

    Write-Host "The operation completed successfully, reboot is required" -ForegroundColor Green

    Regards,

    Jalpa.

    Monday, April 29, 2019 5:14 AM
  • User-453386921 posted

    Hi Jalpa,

    Can you please let me know whether the script which I gave you is incorrect?

    I am able to see the protocols disabled at the registry path with the given script.

    I am not able to re-execute the script now as it was done a few months ago by taking downtime.

    Can you please let me know your views?

    Thanks

    Monday, April 29, 2019 7:07 AM
  • User-848649084 posted

    Hi,

    Could you tell us which OS you are using?

    Monday, April 29, 2019 7:44 AM
  • User-453386921 posted

    Windows 2012

    Monday, April 29, 2019 9:58 AM
  • User-453386921 posted

    Hi ,

    Could you please reply to me.

    Thanks

    Tuesday, April 30, 2019 6:29 AM
  • User-848649084 posted

    Hi,

    As you described, I tried my PowerShell script to disable TLS 1.0 and 1.1 on Windows 2012 with a static and a dynamic site in IIS. It works well. After disabling, you have to restart your machine.

    Test result:

    regards,

    Jalpa.

    Tuesday, April 30, 2019 8:31 AM
  • User-453386921 posted

    Hi Sir,

    For sure we have restarted the servers (checked and confirmed) after we disabled TLS 1.0 and 1.1 by executing the given PS script.

    We have two nodes in a shared farm; we have disabled it in both, one after the other, with a restart.

    I am not understanding why the site is still accessible through the browser.

    Looking for your valuable inputs. I appreciate your patience.

    Thanks

    Wednesday, May 1, 2019 6:59 AM
  • User-848649084 posted

    Hi loginatiis,

    Did you clear the browser cache, cookies, and history? Also test with Network Monitor which protocol is used by your site.

    https://www.microsoft.com/en-ph/download/details.aspx?id=4865

    Wednesday, May 1, 2019 7:07 AM
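    A browser is a poor test instrument here because it negotiates the highest version both sides support, so a page that loads proves nothing about TLS 1.0. The probe below is an added example, not part of the thread: it asks the server for one specific protocol version at a time with .NET's SslStream, the same idea as the OpenSSL test mentioned in the question, and records whether the handshake succeeded. It assumes the site answers on port 443; the -NodeAddress parameter (my own) lets you connect to one farm node directly, with the site name still sent as the SNI/target host, so that anything in front of the farm is bypassed. Two caveats: certificate validation is skipped because only the negotiated version matters for this probe, and the machine running it must itself still have the protocol enabled on the Client side, otherwise a failure is local rather than the server's.

```powershell
# Added example (not from the thread): probe which TLS versions a listener accepts.
function Test-TlsProtocolSupport {
    param(
        [Parameter(Mandatory)][string]$TargetHost,   # site name: sent as SNI and used for name checks
        [string]$NodeAddress = $TargetHost,           # connect here directly to bypass a load balancer
        [int]$Port = 443,
        [string[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')   # SslProtocols enum names
    )
    # Protocol-only probe: accept any certificate so a name or chain problem does not mask the result.
    $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }
    foreach ($name in $Protocols) {
        $proto = [System.Security.Authentication.SslProtocols]$name
        $result = [pscustomobject]@{ Protocol = $name; Accepted = $false; Negotiated = $null; Error = $null }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($NodeAddress, $Port)
            $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $trustAll
            # Offer exactly one version; the handshake fails if the server does not accept it.
            $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
            $result.Accepted = $true
            $result.Negotiated = $ssl.SslProtocol.ToString()
            $ssl.Dispose()
        } catch {
            # Typical server-side refusal surfaces as a handshake/authentication exception.
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        $result
    }
}

# Usage (placeholder node address): run once per farm node and compare the results.
# Test-TlsProtocolSupport -TargetHost 'www.abc.com' -NodeAddress '<node-ip>' | Format-Table -AutoSize
```

    After the registry change and reboot, the expected output on a node is Accepted = False for Ssl3, Tls and Tls11 and Accepted = True with Negotiated = Tls12 for Tls12. If the node passes but the public name still accepts TLS 1.0, the connection is being terminated somewhere other than IIS.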
  • User-453386921 posted

    Any other way to test Sir?

    Thanks

    Thursday, May 2, 2019 6:12 AM
  • User-848649084 posted

    Hi,

    You could try to create custom logging at the site level or server level.

    Add the code below in the applicationHost.config file.

    <site name="abc" id="3" serverAutoStart="true">
        <application path="/" applicationPool="abc">
            <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\sitea" />
        </application>
        <bindings>
            <binding protocol="https" bindingInformation="*:443:www.abc.com" sslFlags="0" />
        </bindings>
        <traceFailedRequestsLogging enabled="true" />
        <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true">
            <customFields>
                <clear />
                <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
                <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
                <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
                <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
            </customFields>
        </logFile>
    </site>

    You could also add the custom log fields manually using the Logging feature.

    After adding a custom field, access the site and check the log file entry.

    Check the crypt-protocol field value:

    10 - SSLv3
    40 - TLS 1.0
    100 - TLS 1.1
    400 - TLS 1.2

    You could also refer to the article below for more detail:

    New IIS functionality to help identify weak TLS usage

    Friday, May 3, 2019 5:51 AM
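    Once the crypt-protocol field is being written, the useful question is not just "which protocol did my test use" but "which clients are still arriving over TLS 1.0 or 1.1", because those are the ones that will break when the old versions are actually turned off. The script below is an added example, not part of the thread: it parses W3C log lines using the #Fields header, maps the crypt-protocol codes listed above (logged as hex) to names, and summarises requests and client addresses per protocol. The log lines are constructed for the example; the cipher, hash and key-exchange columns are carried through but not decoded. Note that this depends on the custom-fields logging the thread later says is absent on Server 2012 without R2.

```powershell
# Added example (not from the thread): summarise TLS versions seen in an IIS W3C log
# that carries the crypt-protocol custom field.
$ProtocolNames = @{ '10' = 'SSL 3.0'; '40' = 'TLS 1.0'; '100' = 'TLS 1.1'; '400' = 'TLS 1.2' }

function ConvertFrom-W3CLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; a later #Fields line (after a rollover) replaces it.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows rather than misalign columns
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Get-TlsUsageSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    ConvertFrom-W3CLog -Lines $Lines |
        Where-Object { $_.'crypt-protocol' -and $_.'crypt-protocol' -ne '-' } |   # '-' = plain HTTP request
        Group-Object 'crypt-protocol' |
        ForEach-Object {
            $code = $_.Name
            [pscustomobject]@{
                Code     = $code
                Protocol = if ($ProtocolNames.ContainsKey($code)) { $ProtocolNames[$code] } else { "unknown ($code)" }
                Requests = $_.Count
                Clients  = ($_.Group.'c-ip' | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object { [Convert]::ToInt32($_.Code, 16) }   # numeric order: SSL 3.0, TLS 1.0, 1.1, 1.2
}

# Constructed sample log (not real traffic): three TLS 1.2 requests, two TLS 1.0, one plain HTTP.
$SampleLog = @(
    '#Software: Microsoft Internet Information Services 8.5',
    '#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status crypt-protocol crypt-cipher crypt-hash crypt-keyexchange',
    '2019-05-03 05:51:10 10.0.0.5 GET /default.aspx 443 192.0.2.10 200 400 6610 800c ae06',
    '2019-05-03 05:51:12 10.0.0.5 GET /api/health 443 192.0.2.23 200 40 6610 8004 a400',
    '2019-05-03 05:51:15 10.0.0.5 GET /default.aspx 443 192.0.2.10 200 400 6610 800c ae06',
    '2019-05-03 05:51:20 10.0.0.5 POST /api/upload 443 192.0.2.41 200 40 6610 8004 a400',
    '2019-05-03 05:51:22 10.0.0.5 GET /default.aspx 80 192.0.2.10 200 - - - -',
    '2019-05-03 05:51:30 10.0.0.5 GET /login 443 192.0.2.77 200 400 6610 800c ae06'
)
Get-TlsUsageSummary -Lines $SampleLog | Format-Table -AutoSize
```

    On a real server, replace $SampleLog with Get-Content over the site's log directory (the per-site folder under the logFile directory, W3SVC<id>). The Clients column is what you hand to the owners of the legacy clients before disabling the protocol for good.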
  • User-453386921 posted

    Hi Sir,

    Our servers are Windows 2012. Can we implement the above-mentioned way?

    Thanks

    Monday, May 6, 2019 9:11 AM
  • User-848649084 posted

    Yes, you could implement the suggested way on the Server 2012 OS.

    Monday, May 6, 2019 9:14 AM
  • User-453386921 posted

    Hi Sir,

    After adding custom logging as you have mentioned at the site level in the applicationHost.config file, IIS is not starting.

    It is saying the dependent services are failing to start.

    I tried it on one of our sandbox servers.

    Please share your thoughts.

    Thanks

    Thursday, May 9, 2019 6:58 AM
  • User-848649084 posted

    Could you share the applicationHost.config setting you changed?

    Thursday, May 9, 2019 7:03 AM
  • User-453386921 posted

    Hi Sir,

    I have just added the lines below in the applicationHost.config file and tried to restart IIS, but it's not starting after I have stopped IIS.

    <traceFailedRequestsLogging enabled="true" />
    <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true">
        <customFields>
            <clear />
            <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
            <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
            <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
            <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
        </customFields>
    </logFile>

    Thanks

    Friday, May 10, 2019 10:35 AM
  • User-453386921 posted

    Hi Sir

    Monday, May 13, 2019 8:02 AM
  • User-848649084 posted

    Hi,

    Did you add the above code under the site node in which you want to enable custom logging?

    Monday, May 13, 2019 8:10 AM
  • User-453386921 posted

    Yes Sir

    Monday, May 13, 2019 12:47 PM
  • User-848649084 posted

    Hi,

    Remove the code from the applicationHost.config file and try to add the field manually in the logging settings.

    Tuesday, May 14, 2019 2:47 AM
  • User-453386921 posted

    Hi Sir,

    We are not able to see the 'Custom Fields' section in the W3C Logging fields.

    Please suggest.

    Thanks,

    Wednesday, May 22, 2019 11:03 AM
  • User-2064283741 posted

    Custom logging is not in 2012; it was introduced in 2012 R2.

    Wednesday, May 22, 2019 3:26 PM
  • User-848649084 posted

    Hi ,

    Download the Network Monitor tool and check the result.

    https://www.microsoft.com/en-ph/download/details.aspx?id=4865

    Thursday, May 23, 2019 9:25 AM