configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1
Differences
This shows you the differences between two versions of the page.
configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1 [2021/09/30 12:30] – wikiadmin | configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1 [2021/09/30 15:28] (current) – [Configure the Registry to Turn on TLS 1.2] wikiadmin | ||
---|---|---|---|
Line 2: | Line 2: | ||
Let say you are running Exchange Server 2010 installed on Windows Server 2008 R2 SP1 x64(bit), and when you remotely open Outlook Web Access (OWA to the Exchange Server) in your Google Chrome web browser it alerts you that the installed SSL certificate is insecure. | Let say you are running Exchange Server 2010 installed on Windows Server 2008 R2 SP1 x64(bit), and when you remotely open Outlook Web Access (OWA to the Exchange Server) in your Google Chrome web browser it alerts you that the installed SSL certificate is insecure. | ||
+ | |||
+ | ===== Get an SSL Report of your Web Server' | ||
+ | |||
+ | As the Administrator, | ||
+ | |||
+ | ===== Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows ===== | ||
+ | |||
+ | The Windows update (Described in Knowledge base article KB3140245) provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1. | ||
+ | |||
+ | To obtain the stand-alone package for this update (KB3140245), | ||
+ | |||
+ | __Prerequisites for your server__: | ||
+ | |||
+ | To understand why this update is or may be necessary, please review this Microsoft Support article: | ||
+ | |||
+ | ===== Configuration Information for TLS 1.2. ===== | ||
+ | |||
+ | See: https:// | ||
+ | |||
+ | https:// | ||
+ | |||
+ | Before attempting to edit your Windows registry, **MAKE A BACKUP FILE OF YOUR REGISTRY**. | ||
+ | |||
+ | In order to open the Windows Registry in Windows Server 2008 R2 SP1, First click the Windows " | ||
+ | |||
+ | At the top of the Window' | ||
+ | |||
+ | ===== Configure the Registry to Turn on TLS 1.2 ===== | ||
+ | |||
+ | In the registry, browse to **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols** | ||
+ | |||
+ | Under the **Protocols** key, create a new Key that you will name as **TLS 1.2**. | ||
+ | |||
+ | In the same manner, create two new subkeys under the key that is named **TLS 1.2** and name these two new subkeys as **Client** and **Server** respectively. | ||
+ | |||
+ | In the Registry, browse to: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client** and Create a new DWORD value named: **DisabledByDefault** and Set the value to: 0 (hexadecimal) | ||
+ | |||
+ | How? Right click on the **Client** subkey, and left click on new - DWord 32bit and name the Dword as **DisabledByDefault** and right click the new Dword that is named **DisabledByDefault** and select ' | ||
+ | |||
+ | Also, under the **Client** subkey, create a new DWORD value named: **Enabled** and set the value to | ||
+ | **1** (hexadecimal). | ||
+ | |||
+ | Now, in the Registry, browse to the new subkey named **Server** located at: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server** | ||
+ | |||
+ | In the same manner under the **Server** subkey, create a new DWORD (32-bit) value named: **DisabledByDefault** and set its value in hexadecimal to: **0** | ||
+ | |||
+ | In the same manner under the **Server** subkey, create a new DWORD (32-bit) value named: **Enabled** and set its value to **1** | ||
+ | |||
+ | ===== Enable TLS 1.2 by default for WinHTTP ===== | ||
+ | |||
+ | Add the **DefaultSecureProtocols** DWORD value to the: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** registry key and | ||
+ | |||
+ | Add the **DefaultSecureProtocols** DWORD value to the: **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** registry key. | ||
+ | |||
+ | How? From the Windows search bar, use regedit to open the Window Registry Editor. | ||
+ | Browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp**. | ||
+ | Create a new DWORD value named: | ||
+ | **DefaultSecureProtocols** | ||
+ | |||
+ | and set the value of this new Dword (in hexadecimal) to: | ||
+ | **800** | ||
+ | |||
+ | On a 64-bit version of Windows, ALSO browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** and repeat the previous step by | ||
+ | |||
+ | Creating a new DWORD value named: | ||
+ | **DefaultSecureProtocols** | ||
+ | |||
+ | And set the value of this new Dword (in hexadecimal) to: | ||
+ | **800**. | ||
+ | |||
+ | ===== Block RC4 in .NET TLS ===== | ||
+ | |||
+ | If you have .NET Framework 4.x installed on the server, you should: | ||
+ | |||
+ | Add a **SchUseStrongCrypto** DWORD value to the **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319** registry key and also add it to the **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319** registry key. | ||
+ | |||
+ | From the Windows search bar, use regedit to open the Window Registry Editor. | ||
+ | Browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319**. | ||
+ | Create a new DWORD value named: | ||
+ | **SchUseStrongCrypto** | ||
+ | |||
+ | Set the value to: | ||
+ | **1** | ||
+ | |||
+ | On a 64-bit version of Windows, browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319** and repeat this same procedure by-- | ||
+ | |||
+ | Creating a new DWORD value named: | ||
+ | **SchUseStrongCrypto** | ||
+ | |||
+ | and setting the value to: | ||
+ | **1** | ||
+ | |||
+ | ==== Note: Restart the computer after modifying the registry ==== | ||
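Review bot: In the "Enable TLS 1.2 by default for WinHTTP" section, the value 800 is given for DefaultSecureProtocols with no explanation of what it selects, while the earlier heading "Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP" names both protocols. DefaultSecureProtocols is a bitmask (per KB3140245, 0x200 is TLS 1.1 and 0x800 is TLS 1.2), so 800 makes TLS 1.2 the only WinHTTP default. Please say so next to the value, and note that the entry is honoured only once the KB3140245 update from the earlier section is installed. The closing restart note would also benefit from a verification step: after the reboot, re-run the SSL report from the first added section and confirm that TLS 1.2 is now offered. Because the hunk creates only a TLS 1.2 key under Protocols, it is also worth stating that older protocol versions are left in whatever state they were in before.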
configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1.1633005025.txt.gz · Last modified: 2021/09/30 12:30 by wikiadmin