How to Disable TLS 1.0 and 1.1

  • Question

  • Hi, we ran a security test scan and we need to disable TLS 1.0.

    Where can we disable TLS 1.0?

    We did that for TLS 1.0 and 1.1:

    https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

    TLS 1.0

    This subkey controls the use of TLS 1.0.

    For TLS 1.0 default settings, see Protocols in the TLS/SSL (Schannel SSP).

    Registry path: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

    To enable the TLS 1.0 protocol, create an Enabled entry in either the Client or Server subkey as described in the following table. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 1.

    TLS 1.0 subkey table

    Table 4
    Subkey    Description
    Client    Controls the use of TLS 1.0 on the TLS client.
    Server    Controls the use of TLS 1.0 on the TLS server.

    To disable TLS 1.0 for client or server, change the DWORD value to 0. If an SSPI app requests to use TLS 1.0, it will be denied.

    To disable TLS 1.0 by default, create a DisabledByDefault entry and change the DWORD value to 1. If an SSPI app explicitly requests to use TLS 1.0, it may be negotiated.

    But when we ran the security test scan, the error was the same: "TLS Server supports TLSv1.0 port 1433/tcp"

    Thanks

    Jose Mendez.

    Wednesday, August 5, 2020 9:06 PM

All replies

  • Hi Jose Mendez,

    Please restart your computer for these changes to take effect.

    If that does not work, try the steps below:

    1. Users can disable TLS 1.0 via the Internet Properties window. To open that window, press the Windows key + S keyboard shortcut, which opens the search utility.
    2. Input ‘internet options’ in the search text box.
    3. Then users can click Internet Options to open the window.
    4. Click the Advanced tab.
    5. Deselect the Use TLS 1.0 and TLS 1.1 setting.
    6. Press the Apply button.
    7. Click the OK option to exit the window.
    8. Restart your computer.


    Refer to this blog, "How to disable TLS 1.0 in Windows 10", for more information.

    If these do not work, could you please share a screenshot of your registry keys for TLS 1.0 and TLS 1.1?

    Best regards,
    Cathy




    Thursday, August 6, 2020 2:23 AM
  • Hi Cathy, we restarted but it didn't work. The vulnerability scan result is the same.

    Here is the regedit export:

    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    "DisabledByDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    "DisabledByDefault"=dword:00000001
    "Enabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    Thursday, August 6, 2020 4:29 PM
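
A parser for the registry export format posted above, applying the Enabled / DisabledByDefault semantics quoted in the question to list legacy-protocol subkeys that are not hard-disabled. This is an added example, not part of the original thread; the function names, the state labels and the sample export are constructed for illustration.

```python
import re

BASE = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
KEY_RE = re.compile(r'^\[' + re.escape(BASE) + r'\\([^\\\]]+)\\(Client|Server)\]$', re.I)
VAL_RE = re.compile(r'^"(Enabled|DisabledByDefault)"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample export (not the poster's): TLS 1.1\Server lacks an Enabled entry.
SAMPLE_REG = f'''Windows Registry Editor Version 5.00
[{BASE}\\TLS 1.0\\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[{BASE}\\TLS 1.1\\Server]
"DisabledByDefault"=dword:00000001
[{BASE}\\TLS 1.2\\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
'''

def parse_reg(text):
    """Map (protocol, role) -> {value name (lower-cased): int} from .reg text."""
    state, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith('['):
            m = KEY_RE.match(line)
            current = (m.group(1), m.group(2).capitalize()) if m else None
            if current:
                state.setdefault(current, {})
        elif current and (m := VAL_RE.match(line)):
            state[current][m.group(1).lower()] = int(m.group(2), 16)
    return state

def effective(values):
    """Hypothetical state labels following the semantics quoted in the question."""
    if values.get('enabled') == 0:
        return 'disabled'          # denied even when an SSPI app requests it
    if values.get('disabledbydefault') == 1:
        return 'off-by-default'    # may still be negotiated on explicit request
    if 'enabled' in values:
        return 'enabled'
    return 'os-default'            # no entry: the OS default applies

def audit(text, legacy=('TLS 1.0', 'TLS 1.1')):
    """Return (protocol, role, state) for legacy subkeys that are not hard-disabled."""
    parsed = parse_reg(text)
    findings = []
    for proto in legacy:
        for role in ('Client', 'Server'):
            st = effective(parsed.get((proto, role), {}))
            if st != 'disabled':
                findings.append((proto, role, st))
    return findings
```

An empty result from `audit()` means every listed legacy subkey carries `Enabled=0` in the export. It checks the exported configuration only, not what a listener such as the one on port 1433/tcp actually negotiates.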