Install Config Wiki

All about installing, configuring and troubleshooting


configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1

Differences

This shows you the differences between two versions of the page.

configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1 [2021/09/30 14:48] – [Configuration Information for TLS 1.2.] wikiadmin
configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1 [2021/09/30 15:28] (current) – [Configure the Registry to Turn on TLS 1.2] wikiadmin
Line 9: Line 9:
 ===== Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows ===== ===== Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows =====
  
-This update provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1.+The Windows update (Described in Knowledge base article KB3140245) provides support for Transport Layer Security (TLS) 1.1 and TLS 1.2 in Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1.
  
-To obtain the stand-alone package for this update, go to the Microsoft Update Catalog website here: https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245 and download and install the catalog update applicable to your server, such as "Update for Windows Server 2008 R2 x64 Edition (KB3140245).+To obtain the stand-alone package for this update (KB3140245), go to the Microsoft Update Catalog website here: [[https://www.catalog.update.microsoft.com/search.aspx?q=kb3140245]] and download and install the catalog update applicable to your server, such as the **Update for Windows Server 2008 R2 x64 Edition (KB3140245)**.
  
-Prerequisites for your server:  To apply this update, you Windows Server 2008 R2 must have installed Service Pack 1 (SP1) for Windows 7 or Windows Server 2008 R2.+__Prerequisites for your server__:  To apply this update, your Windows Server 2008 R2 must have installed **Service Pack 1 (SP1)** for Windows 7 or Windows Server 2008 R2.
  
 To understand why this update is or may be necessary, please review this Microsoft Support article:  https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392  To understand why this update is or may be necessary, please review this Microsoft Support article:  https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392 
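Review bot: The rewritten opening paragraph says KB3140245 "provides support" for TLS 1.1 and TLS 1.2 but never tells the reader that installing the package is only the first step; the sections added later in this same revision show that TLS 1.2 still has to be turned on through the SCHANNEL and DefaultSecureProtocols registry values. Add one sentence after the prerequisites line that points to those registry steps. Two smaller points: the catalog URL is now wrapped in [[ ]] while the Microsoft Support URL on the unchanged line below is still bare, so link both the same way, and "Described" inside the parenthesis should be lower-case.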
Line 29: Line 29:
 At the top of the Window's registry tree, select "Computer" right click on "Computer" and left click "Export" and then supply a name to the registry backup file, and save this exported copy of your registry in a folder (directory) where in the future you can locate and import this registry backup if you happen to make a huge mistake while editing the Windows registry. At the top of the Window's registry tree, select "Computer" right click on "Computer" and left click "Export" and then supply a name to the registry backup file, and save this exported copy of your registry in a folder (directory) where in the future you can locate and import this registry backup if you happen to make a huge mistake while editing the Windows registry.
  
-In the registry, browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols+===== Configure the Registry to Turn on TLS 1.2 =====
  
-Create a new Key named **TLS 1.2**.  How?  Right click on the Protocols key, and left click on 'New' and left click on 'Key' and input the name of the new key as being TLS 1.2 and press enter or click on any white space to set the name of the key.+In the registry, browse to **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols**
  
-In the same manner, create two new subkeys each under the key named 'TLS 1.2and name these new subkeys as **Client** and **Server** respectively+Under the **Protocols** key, create new Key that you will name as **TLS 1.2**.  How?  Right click on the **Protocols** key, and left click on **New** and left click on **Key** and input the name of the new key as being **TLS 1.2** and press enter or click on any white space to set the name of the new key.
  
-In the Registrybrowse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client and Create a new DWORD value named: **DisabledByDefault** and Set the value to: 0 (hexadecimal)+In the same mannercreate two new subkeys under the key that is named **TLS 1.2** and name these two new subkeys as **Client** and **Server** respectively. 
  
-How?  Right click on the **Client** subkey, and left click on new, DWord 32bit and name the Dword as 'DisabledByDefaultand click select DisabledByDefault and select 'Modify' and set the value as '0' in hexadecimal.+In the Registry, browse to: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client** and Create a new DWORD value named: **DisabledByDefault** and Set the value to: (hexadecimal)
  
-Also, under the 'Clientsubkey, create a new DWORD value named'Enabled' and set the value to +How?  Right click on the **Client** subkey, and left click on new - DWord 32bit and name the Dword as **DisabledByDefault** and right click the new Dword that is named **DisabledByDefault** and select 'Modify' and set the value as **0** with the radio button for **hexadecimal** selected.
-'1' (hexadecimal)+
  
-Nowin the Registrybrowse to the new Server' subkey atHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server+Alsounder the **Client** subkeycreate a new DWORD value named**Enabled** and set the value to 
 +**1** (hexadecimal)
  
-In the same manner under the 'Server' subkeycreate a new DWORD value named: 'DisabledByDefault' and set its value to: '0'+Now, in the Registrybrowse to the new subkey named **Server** located at**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server**
  
-In the same manner under the 'Serversubkey, create a new DWORD value named: 'Enabled' and set its value to '1'+In the same manner under the **Server** subkey, create a new DWORD (32-bit) value named: **DisabledByDefault** and set its value in hexadecimal to: **0**
  
 +In the same manner under the **Server** subkey, create a new DWORD (32-bit) value named: **Enabled** and set its value to **1**
  
 +===== Enable TLS 1.2 by default for WinHTTP =====
 +
 +Add the **DefaultSecureProtocols** DWORD value to the: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** registry key and
 +
 +Add the **DefaultSecureProtocols** DWORD value to the: **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** registry key.
 +
 +How? From the Windows search bar, use regedit to open the Window Registry Editor.
 +Browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp**.
 +Create a new DWORD value named:
 +**DefaultSecureProtocols**
 +
 +and set the value of this new Dword (in hexadecimal) to:
 +**800**
 +
 +On a 64-bit version of Windows, ALSO browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp** and repeat the previous step by
 +
 +Creating a new DWORD value named:
 +**DefaultSecureProtocols**
 +
 +And set the value of this new Dword (in hexadecimal) to:
 +**800**.
 +
 +===== Block RC4 in .NET TLS =====
 +
 +If you have .NET Framework 4.x installed on the server, you should:
 +
 +Add a **SchUseStrongCrypto** DWORD value to the **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319** registry key and also add it to the **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319** registry key.
 +
 +From the Windows search bar, use regedit to open the Window Registry Editor.
 +Browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319**.
 +Create a new DWORD value named:
 +**SchUseStrongCrypto**
 +
 +Set the value to:
 +**1**
 +
 +On a 64-bit version of Windows, browse to **HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319** and repeat this same procedure by--
 +
 +Creating a new DWORD value named:
 +**SchUseStrongCrypto**
 +
 +and setting the value to:
 +**1**
 +
 +==== Note: Restart the computer after modifying the registry ====
  
  
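Review bot: In the added Client step for **DisabledByDefault**, the new text reads "Set the value to: (hexadecimal)" with no value in front of the parenthesis, whereas the removed line gave "0 (hexadecimal)"; restore the 0 so the step is complete without relying on the "How?" line after it. In the new WinHTTP section, 800 is given with no explanation; say in the text that this is the hexadecimal value that selects TLS 1.2, since the page heading also mentions TLS 1.1 and the reader cannot tell from the number alone what is being enabled. The restart note is added as a sub-heading under "Block RC4 in .NET TLS" although it applies to every registry change on the page, so it would be better placed as its own section at the same level as the others.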
configure_tls_1_2_default_secure_protocol_windows_server_2008_r2_sp1.1633013315.txt.gz · Last modified: 2021/09/30 14:48 by wikiadmin