Preparing your Workstation for TLS 1.2

This guide will give you some general advice on how to prepare your workstation for TLS 1.2.  TLS or Transport Layer Security is the encryption that is used to protect your internet traffic whilst it is going over the internet.  There have been several iterations of the protocol, starting with SSL 1, 2 and 3 which lead to the creation of TLS 1.0, 1.1 and 1.2.  As technology evolves, the older encryption protocols have proven to be insecure and vulnerable to being de-crypted.

In January 2020, Microsoft will formally end support for all old versions of the protocols, this includes TLS 1.0 and TLS 1.1.  However many organisations already no longer support these protocols, but your workstation will still try to use them.  This may result in websites and web services not being available.

Windows 7, 8 and 10 as well as Windows Server 2008, 2012, 2016 and 2019 have been updated to support the current protocol which is TLS 1.2.  In order to get these updates, please ensure that you install all current Windows Updates onto your computer.

Unfortunately installing the latest Windows Updates will not switch off the older SSL and TLS protocols and your computer and applications will still attempt to use them for compatibility reasons.  Ideally applications will have been written to use the newer protocols, but since these applications rely on Windows itself, it is possible for Windows to be configured to use the newer protocols.

Dot Net Applications

Applications that have been written using the .net application framework can be configured to use Strong Encryption (i.e. TLS 1.1 and higher).  This is done by adding registry keys to computers that need to use TLS 1.1 or higher.

Download our registry fragment (dotnetstrongcrypto) and change the file extention to a .reg, then double click to import the registry.  Alternatively, save the text below to a file on your computer with a .reg extension and then double click to import.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

Switching off older protocols

It is also possible to switch off the older protocols, this method will prevent applications from using the older protocols.  However applications may implement their own versions of the protocols rather than use those provided by Windows.

As with the .net you can download a Text file (windowsencryption) and rename it to a .Reg file and then import into the Windows Registry, or use copy the fragment below to your own version, save as a .reg file and then import into Windows.  You will need to reboot your workstation/server after importing this registry key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

 

 

 

 

Posted in SIMS.net.