Windows Server 2019 – TLS / Cipher-settings
Against the Qualys SSL test, a stock Windows Server 2019 is capped at grade B since January 2020. The main reason for this is that TLS 1.0 and 1.1 are still enabled.
SSL 2.0 and 3.0 are disabled by default. But to disable the rather insecure TLS versions we'll have to create the following registry entries:
Note – Client means: if the server connects to another server over TLS, then the server acts as a client. Server means: if the server hosts a service that accepts TLS connections, then… well… it negotiates with the enabled TLS protocols when requests come in.
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
Create both:
\TLS 1.0
\TLS 1.1
And create both
\TLS 1.0\Client
\TLS 1.0\Server
\TLS 1.1\Client
\TLS 1.1\Server
Now under each of the nodes/keys, create the following REG_DWORD (32) entries:
DisabledByDefault = 1
Enabled = 0
And there you go. TLS 1.0 and TLS 1.1 are disabled after the next restart.
So now you're all set protocol-wise, but what about cipher-wise? Well, by default there are apparently a lot of "weak" ciphers that you can disable – so, as of the time of writing, this is the long string that you need to enter into SSL Cipher Suite Order in gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> SSL Configuration Settings
Enable it, and paste this line:
TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA,TLS_PSK_WITH_AES_256_GCM_SHA384,TLS_PSK_WITH_AES_128_GCM_SHA256,TLS_PSK_WITH_AES_256_CBC_SHA384,TLS_PSK_WITH_AES_128_CBC_SHA256,TLS_PSK_WITH_NULL_SHA384,TLS_PSK_WITH_NULL_SHA256
Now you're strong, StRoNg, STRONG in cipher suites… at least at the time of writing 😉 (2019-12-05 20:15)
Have fun!… and don't forget to run your site through securityheaders.com next 😉
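The two procedures above (the protocol registry entries and the cipher-suite string) scripted in PowerShell, as an added example that is not part of the original post. It assumes an elevated PowerShell on Windows Server 2019; it writes the SCHANNEL keys exactly as listed, verifies them, and audits the cipher-suite string for the NULL suites it contains, which only authenticate and do not encrypt. The short suite list inside the script is a constructed subset of the one in the post.

```powershell
# Added example, not from the original post. Run elevated; the protocol
# change only takes effect after a restart.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# 1. Create <proto>\Client and <proto>\Server with the two REG_DWORD (32) values
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $proto) $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# 2. Read the values back so the change is visible before rebooting
foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
    foreach ($role in 'Client', 'Server') {
        $v = Get-ItemProperty -Path (Join-Path (Join-Path $base $proto) $role)
        '{0}\{1}: DisabledByDefault={2} Enabled={3}' -f $proto, $role, $v.DisabledByDefault, $v.Enabled
    }
}

# 3. Audit the cipher-suite string before pasting it into the GPO.
#    Constructed subset of the post's list; replace with the full string.
$suiteString = 'TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,' +
               'TLS_RSA_WITH_NULL_SHA256,TLS_PSK_WITH_NULL_SHA384'
$suites = $suiteString -split ','

# Suites with NULL in the name provide integrity only, no encryption.
$nullSuites = $suites | Where-Object { $_ -match '_NULL_' }
if ($nullSuites) {
    "Suites without encryption in the list: $($nullSuites -join ', ')"
}
"Remaining suites: $(($suites | Where-Object { $_ -notmatch '_NULL_' }) -join ',')"

# 4. Windows 10 / Server 2016+ ship Get-TlsCipherSuite to show the effective order
Get-TlsCipherSuite | Select-Object -ExpandProperty Name
```

The last line shows what SCHANNEL will actually offer; compare it with the GPO list after a `gpupdate /force` and reboot.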