Windows Security. TLS – Part 1 (Disable Deprecated TLS Protocols)

Security
Security Team

Why Disable Deprecated TLS Protocols?

Standard builds of Windows operating systems ship with features enabled that ideally need turning off. One of these is support for deprecated versions of SSL / TLS, which should be removed from Windows.

This is mainly done for Enhanced Security:

  • Reduces vulnerability to exploits. Older TLS versions have known security weaknesses that can be exploited, and they are regarded as deprecated and weak in terms of security. Removing these older versions removes the exposure to those known weaknesses.
  • Stronger encryption. Newer versions of TLS provide better, more secure levels of encryption.

But it also provides Improved Compatibility:

  • Regulatory compliance. Ensures that industry standards are met at the required level when it comes to data encryption.

And potentially offers Performance Enhancements:

  • More modern versions of TLS are often optimised for performance.

Supported SSL and TLS versions by Operating System

How to disable TLS

It is possible to enable / disable protocols via the Windows Registry or PowerShell commands, although we tend to use IISCRYPTO by Nartac Software – https://www.nartac.com/Products/IISCrypto/Download

There is no installation for the application, just copy it to the server and run it.

The application lets you choose which TLS Protocols to disable and is a bit easier than editing registry entries.

In either case a reboot is required for the changes to take effect. The Reboot checkbox in IISCRYPTO restarts the computer as soon as you click the Apply button, so if anything such as SQL Server is running on the server, gracefully stop those services first.
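The registry route mentioned above, as an added example that is not code from the original article or from IIS Crypto: it records the current SCHANNEL settings (the record you roll back to), disables the deprecated protocols for both the client and server side of SCHANNEL, and provides the matching rollback. The registry locations and value names are the documented Windows SCHANNEL settings; the script must run in an elevated PowerShell, and as the article says, a reboot is still required before the change takes effect.

```powershell
# Added example: disable deprecated SCHANNEL protocols via the registry
# (the manual alternative to IIS Crypto). Run elevated; reboot afterwards.
#Requires -RunAsAdministrator

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Deprecated   = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$Sides        = 'Client', 'Server'

function Get-SchannelProtocolState {
    # Reads the current setting for each protocol and side. Run it before the
    # change and keep the output: it is the state you roll back to.
    param([string[]] $Protocol = ($Deprecated + 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($side in $Sides) {
            $path  = "$SchannelRoot\$p\$side"
            $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

function Disable-SchannelProtocol {
    # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off for
    # callers that do not name a protocol list explicitly.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $Protocol)
    foreach ($p in $Protocol) {
        foreach ($side in $Sides) {
            $path = "$SchannelRoot\$p\$side"
            if ($PSCmdlet.ShouldProcess($path, 'Set Enabled=0, DisabledByDefault=1')) {
                if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
                New-ItemProperty -Path $path -Name Enabled           -Value 0 -PropertyType DWord -Force | Out-Null
                New-ItemProperty -Path $path -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
            }
        }
    }
}

function Restore-SchannelProtocolDefault {
    # Rollback: removing the two values returns the protocol to the OS default,
    # the state Get-SchannelProtocolState reports as '(OS default)'.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $Protocol)
    foreach ($p in $Protocol) {
        foreach ($side in $Sides) {
            $path = "$SchannelRoot\$p\$side"
            if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Remove Enabled, DisabledByDefault')) {
                Remove-ItemProperty -Path $path -Name Enabled, DisabledByDefault -ErrorAction SilentlyContinue
            }
        }
    }
}

# Usage: record the current state, dry-run the change, then apply and re-check.
Get-SchannelProtocolState | Format-Table -AutoSize
Disable-SchannelProtocol -Protocol $Deprecated -WhatIf        # drop -WhatIf to apply
# Restore-SchannelProtocolDefault -Protocol 'TLS 1.1'          # rollback, per protocol if needed
```

Keep the first `Get-SchannelProtocolState` output with the change record: if an application breaks after the reboot, it tells you exactly which values were yours to remove.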

Considerations

Consideration should be given to testing any applications running on the server to confirm that they still work after the older versions of TLS have been removed.

An example of this was with a product called Unit4 ERP (Business World / Agresso). Part of its functionality used a web service to retrieve and save documents between a shared folder on the server and the front-end application.

As soon as TLS 1.0 and 1.1 were removed and the server was rebooted, this process stopped working and gave no meaningful error message as to why. It became apparent that the application itself was invoking the connection to the web service and explicitly using TLS 1.0 as the protocol.

This is just one example, but test before rolling out to Production systems, or at least be ready to roll the changes back if issues arise.
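One way to do that testing, as an added example that is not code from the original article: a probe that opens a TLS handshake to a server endpoint offering one protocol version at a time and reports which versions the endpoint actually completes. Run before the change, it shows which endpoints still depend on TLS 1.0 or 1.1; run after the reboot, it confirms those versions are refused. The host name and port in the usage line are placeholders.

```powershell
# Added example: report which TLS versions an endpoint negotiates.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443,
        # Tls13 can be added on .NET Framework 4.8+ / PowerShell 7.
        [System.Security.Authentication.SslProtocols[]] $Protocol = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($p in $Protocol) {
        $client = [System.Net.Sockets.TcpClient]::new()
        $ssl    = $null
        $result = [ordered]@{ Host = $ComputerName; Port = $Port; Offered = $p; Accepted = $false; Negotiated = $null; Error = $null }
        try {
            $client.Connect($ComputerName, $Port)
            # Certificate validation is bypassed deliberately: the question is
            # whether the server completes a handshake at this version, not
            # whether its certificate chains. Do not reuse this callback for real traffic.
            $noCertCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $noCertCheck)
            # Offer exactly one version so a rejection is attributable to it.
            $ssl.AuthenticateAsClient($ComputerName, $null, $p, $false)
            $result.Accepted   = $true
            $result.Negotiated = $ssl.SslProtocol
        } catch {
            $result.Error = $_.Exception.GetBaseException().Message
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Dispose()
        }
        [pscustomobject]$result
    }
}

# Usage (placeholder host): after the reboot, Tls and Tls11 should show Accepted=False.
Test-TlsProtocol -ComputerName 'erp-app01.example.internal' -Port 443 | Format-Table -AutoSize
```

Run the probe from a machine that still has TLS 1.0 and 1.1 enabled on its own client side; if the probing host has already had them disabled in SCHANNEL, the handshake fails locally and every endpoint will look as though it refuses them.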

The fix to the above issue was to add the following registry setting, SchUseStrongCrypto, which after a reboot forced the connection to the web service to use TLS 1.2.
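Applying that fix, as an added example that is not code from the original article: SchUseStrongCrypto is a DWORD under the .NET Framework 4.x key, and the script sets it in both the 64-bit hive and the 32-bit Wow6432Node hive so that a 32-bit front-end process is covered as well. Those paths and the value name are Microsoft's documented ones; everything else here (function names, the rollback switch) is this example's own. As in the article, a reboot, or at minimum a restart of the affected application, is needed afterwards.

```powershell
# Added example: apply (or roll back) SchUseStrongCrypto for .NET Framework 4.x.
#Requires -RunAsAdministrator

$NetFx4Keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-NetFxStrongCryptoState {
    # Shows the current value in each hive; '(not set)' means the .NET default applies.
    foreach ($key in $NetFx4Keys) {
        $value = if (Test-Path $key) { (Get-ItemProperty -Path $key).SchUseStrongCrypto } else { $null }
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = if ($null -ne $value) { $value } else { '(not set)' }
        }
    }
}

function Set-NetFxStrongCrypto {
    # With SchUseStrongCrypto=1 a .NET Framework client no longer defaults to its
    # legacy protocol list (SSL 3.0 / TLS 1.0) and negotiates from the TLS versions
    # the OS still allows. With TLS 1.0 and 1.1 disabled in SCHANNEL that leaves
    # TLS 1.2, which is what the article observed for the ERP web-service call.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Rollback)
    foreach ($key in $NetFx4Keys) {
        if (-not (Test-Path $key)) { continue }   # hive absent on this build; nothing to do
        if ($Rollback) {
            if ($PSCmdlet.ShouldProcess($key, 'Remove SchUseStrongCrypto')) {
                Remove-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue
            }
        } elseif ($PSCmdlet.ShouldProcess($key, 'Set SchUseStrongCrypto=1')) {
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage: check, apply (drop -WhatIf), reboot, check again.
# Set-NetFxStrongCrypto -Rollback removes the value if the application misbehaves.
Get-NetFxStrongCryptoState
Set-NetFxStrongCrypto -WhatIf
Get-NetFxStrongCryptoState
```

Pair this with the application test from the Considerations section: the value changes what the .NET client offers, so the web-service call should be exercised once more after the reboot rather than assumed fixed.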
