ANS Documentation


Enabling and Disabling SSL/TLS Protocols in Windows

This section will detail how to add and remove TLS protocols and cipher suites, and provide links to further documentation.

Before making any changes, please check the Microsoft documentation on supported protocols for your operating system.

The protocols that can be supported will entirely depend on your operating system version. Please also check:

  • Security Recommendations for Internet facing Web Servers

  • Windows Server Software TLS Support

  • .NET Framework TLS considerations

Microsoft list all the supported cipher suites for each operating system version. The external link is provided below:

Cipher Suites in Schannel by OS

Warning

Editing protocol and cipher compatibility requires making changes to the registry. Always make a backup by exporting the registry keys before making any changes. Incorrect changes to the registry can cause operating system instability.

Automated with IIS Crypto

IIS Crypto (external link) is a popular 3rd-party tool by Nartac Software, which simplifies the process of managing SSL/TLS protocols and ciphers, without having to manually edit the registry.

The use of IIS Crypto will not be discussed further here, but if you want to learn more, you can follow the link above to find out how it works.

Manual

Manually enabling and disabling TLS protocols will require modifying the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

You may see sub-keys under this entry, one for each protocol version. Please note that the absence of any protocol key does not mean that it is disabled. Enabled protocols are implicitly defined by operating system version, unless explicitly defined in the registry.

Please refer to the official Microsoft Documentation for further information on the TLS registry settings.
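
The following PowerShell is an added example, not part of the original ANS documentation. It reports the explicit settings under the Protocols key (a missing key is shown as "OS default", as noted above), exports the SCHANNEL key as a backup, and writes the `Enabled` and `DisabledByDefault` DWORD values described in Microsoft's TLS registry settings documentation. The function names, the backup path and the protocol used in the commented usage lines are assumptions made for this example.

```powershell
# Added example (not from the ANS page). Reading works in any session; changes need elevation.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    # A missing key or value is reported as "OS default", not as "disabled".
    foreach ($proto in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $v = Get-ItemProperty -Path "$Base\$proto\$role" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = if ($null -ne $v.Enabled) { $v.Enabled } else { 'OS default' }
                DisabledByDefault = if ($null -ne $v.DisabledByDefault) { $v.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

function Backup-SchannelKey {
    param([string]$Path = "$env:TEMP\schannel-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg")
    # Export the whole SCHANNEL key so the .reg file can be re-imported to roll back.
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $Path /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; make no changes without a backup.' }
    $Path
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,
        [Parameter(Mandatory)][ValidateSet('Client', 'Server')][string]$Role,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = "$Base\$Protocol\$Role"
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 1 / DisabledByDefault = 0 turns the protocol on; the inverse turns it off.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
}

# Read-only audit of the current explicit settings.
Get-SchannelProtocolState | Format-Table -AutoSize

# Illustrative change (protocol choice is an example only): back up, then set.
# Backup-SchannelKey
# Set-SchannelProtocol -Protocol 'TLS 1.0' -Role Server -Enabled $false
```

Check the protocol against Microsoft's supported-protocol list for your operating system version before changing it, and restart the server afterwards so that Schannel picks up the new values.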

Cipher Suite Ordering

In most cases you will not have to edit the order of cipher suites on a Windows server. Microsoft generally does a good job of ensuring the most secure ciphers are prioritised over the weaker ones. Occasionally, Windows updates can add additional support for ciphers, or reorder them, so we recommend frequent update schedules.

Cipher suite order can be defined by group policy on supported operating systems.

Computer Configuration\Administrative Templates\Network\SSL Configuration Settings\SSL Cipher Suite Order

Setting the above policy setting in Windows Server 2012 R2 will modify the following registry key setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\0010002
