Skip to main content
Jorge Bernhardt Jorge Bernhardt
  1. Posts/

How to disable weak versions of SSL/TLS Protocols on Windows Servers

·801 words·4 mins· 100 views · 5 likes ·
Microsoft Microsoft Windows New-Item New-ItemProperty

Hi, in this post, I want to show you how to disable the weak versions of the Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocols using Windows PowerShell. Surely, before disabling weak versions of SSL / TSL protocols, you will want to make sure that you can use the TLS 1.2 protocol on your system.

In the following table, you can see the protocols that are compatible with the Windows operating system.

WindowsVersion TLS/SSL
If your system is compatible with version TLS 1.2, verify that you have the following updates installed before making the change to your production web servers.

Enable TLS 1.2>

Enable TLS 1.2 #

To enable the TLS v1.2, open a Windows PowerShell command prompt as administrator and run the following commands:

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
    -name 'Enabled' `
    -value '1' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' `
    -name 'DisabledByDefault' `
    -value 0 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' `
    -name 'Enabled' `
    -value '1' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' `
    -name 'DisabledByDefault' `
    -value 0 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'TLS 1.2 has been enabled.'

Enable TLS 1.2
Once the TLS 1.2 protocol is enabled on your system, we can proceed to disable the weak versions of the SSL / TSL protocols.

Disabling SSL 2.0 and SSL 3.0>

Disabling SSL 2.0 and SSL 3.0 #

To disable the SSL v2.0, open a Windows PowerShell command prompt as administrator and run the following commands:

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'SSL 2.0 has been disabled.'

disable SSL/TLS

In the PowerShell console, run the following commands as an administrator to disable SSL v3.0:

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'SSL 3.0 has been disabled.'
disable SSL 3.0
>

disable SSL 3.0
#

Disabling TLS 1.0 and 1.1>

Disabling TLS 1.0 and 1.1 #

To disable the TLS v1.0, open a Windows PowerShell command prompt as administrator and run the following commands:

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'TLS 1.0 has been disabled.'

disable SSL/TLS

and run the following commands to disable version 1.1 of TLS:

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-Item `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' `
    -name 'Enabled' `
    -value '0' `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

New-ItemProperty `
    -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' `
    -name 'DisabledByDefault' `
    -value 1 `
    -PropertyType 'DWord' `
    -Force `
    | Out-Null

Write-Host 'TLS 1.1 has been disabled.'

disable TLS 1.1
After executing the above steps, you must restart the Windows server to fully apply the changes.

If you want to know why you should disable the weak versions of SSL/TSL protocols, check out this link.