Windows Server 2019 – TLS / Cipher-settings


Posted by on 05. J 2019 in Blog

Against the Qualys SSL Labs test, a default Windows Server 2019 has been capped at grade B since January 2020. The main reason is that TLS 1.0 and 1.1 are still enabled.

SSL 2.0 and 3.0 are disabled by default, but to disable the insecure TLS versions as well we have to create the following registry entries:

Note – "Client" means the server acting as a client, i.e. when it connects to another server over TLS. "Server" means the server hosting a service that accepts TLS connections; in that role it negotiates with whichever TLS protocols are enabled when a request comes in.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

Create both:

\TLS 1.0
\TLS 1.1

And under those, create both:
\TLS 1.0\Client
\TLS 1.0\Server
\TLS 1.1\Client
\TLS 1.1\Server

Now under each of these four keys, create the following REG_DWORD (32-bit) values:
DisabledByDefault = 1
Enabled = 0

And there you go. TLS 1.0 and TLS 1.1 are disabled after the next restart.
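The registry steps above, as an added PowerShell example (not from the original post): it creates the Client and Server keys for TLS 1.0 and 1.1 with the two DWORD values, then reads them back so you can confirm the change before rebooting. Run it from an elevated prompt; the function names are my own.

```powershell
# Added example, not part of the original post: disable TLS 1.0 and 1.1 for the
# Client and Server roles via the SCHANNEL registry keys, then verify them.
# Run elevated; the change takes effect after the next restart.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = @('TLS 1.0', 'TLS 1.1')   # note the space: the key is "TLS 1.1", not "TLS1.1"
$roles     = @('Client', 'Server')

function Disable-SchannelProtocol {
    param([string]$Protocol)
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $base $Protocol) $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_DWORD (32-bit) values, exactly as described in the procedure above
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Test-SchannelProtocolDisabled {
    # Returns $true only if both the Client and Server key exist and carry the expected values
    param([string]$Protocol)
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $base $Protocol) $role
        if (-not (Test-Path $key)) { return $false }
        $p = Get-ItemProperty -Path $key
        if ($p.DisabledByDefault -ne 1 -or $p.Enabled -ne 0) { return $false }
    }
    return $true
}

foreach ($proto in $protocols) {
    Disable-SchannelProtocol -Protocol $proto
    '{0}: disabled = {1}' -f $proto, (Test-SchannelProtocolDisabled -Protocol $proto)
}
```

Test-SchannelProtocolDisabled can also be run on its own to audit a server without changing anything.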


So now you're all set protocol-wise, but what about ciphers? By default there are a lot of weak cipher suites enabled that you can remove. As of the time of writing, this is the string you need to enter into SSL Cipher Suite Order in gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings.
Enable the setting and paste this line:
TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256

Now you're strong, StRoNg, STRONG in cipher suites… at least at the time of writing 😉 (2019-12-05 20:15)

Have fun!… and don't forget to run securityheaders.com against your site next 😉