Force TLS1.2 on Windows 7 and Server 2008

This section contains user-submitted tutorials.
mattg
Moderator
Posts: 19979
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Post by mattg » 2018-10-16 02:47

As originally linked here >> http://www.hmailserver.com/forum/viewto ... ry#p182717

This is the single easiest way to ensure that only TLS v1.2 is used by Outlook when connecting to your hMailserver (or to Office365 servers).

http://www.rainingforks.com/blog/2015/h ... sv1-2.html

I've not seen this elsewhere and the official whitepaper from Microsoft is just a jumble about informing your business clients that you intend to change to TLS v1.2 (which is not needed in my view).

A really, really easy Registry Edit, if there is such a thing

On the client machine with Outlook on it, check this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols

Under the Protocols key, add new keys, if not already there, called "SSL 3.0", "TLS 1.0", "TLS 1.1" and "TLS 1.2".
Inside each of these keys, add another key called "Client".
(See the existing key "SSL 2.0" for an example.)

Now create a DWORD value in each Client key called "DisabledByDefault".
For each of "SSL 3.0", "TLS 1.0" and "TLS 1.1" set this value to 00000001 (or just 1).

For the "TLS 1.2\Client" key leave as the default value of 00000000 (or just 0).
Restart the machine

hMailserver by default accepts connections via TLS v1.2, so no changes should be required in Hmailserver
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Re: Force TLS1.2 on Windows 7 and Server 2008

Post by mattg » 2018-10-27 00:10

From an elevated command prompt (if these are NOT currently in place, i.e. default):

REM Schannel client-side protocol policy: only TLS 1.2 is offered by default.
REM /f overwrites an existing value instead of prompting, so the block is safe to re-run.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
REM Schannel reads these keys at boot: reboot for the change to take effect.
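The same registry procedure as the two posts above, written as an added PowerShell example (this is not mattg's code and not part of the original posts): it applies the Client-side Schannel protocol policy idempotently and then reads it back so you can confirm what is actually in the registry before rebooting. It assumes the standard Schannel key layout on Windows 7 SP1 / Server 2008 R2. It also sets the documented `Enabled` value (0 = off, any non-zero = on) next to `DisabledByDefault`, which goes one step beyond the post: `DisabledByDefault=1` only stops Schannel offering a protocol unless an application asks for it explicitly, while `Enabled=0` switches it off altogether.

```powershell
# Added example, not from the forum thread. Run from an elevated PowerShell on the
# client machine, then reboot: Schannel reads these keys at boot.
# Assumption: standard Schannel key layout (Windows 7 SP1 / Server 2008 R2).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,               # e.g. 'TLS 1.0'
        [ValidateSet('Client','Server')][string]$Side = 'Client',    # 'Server' hardens inbound Schannel listeners
        [Parameter(Mandatory=$true)][int]$Enabled,                   # 0 = off, any non-zero = on
        [Parameter(Mandatory=$true)][int]$DisabledByDefault          # 1 = not offered unless an app asks for it
    )
    $key = Join-Path $schannel "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # -Force overwrites an existing value, unlike a bare 'reg add', which prompts.
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $Enabled -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value $DisabledByDefault -Force | Out-Null
}

function Read-SchannelValue {
    param([string]$Key, [string]$Name)
    # A missing key or value means "OS default", which differs per Windows version,
    # so report it as such rather than as 0.
    if (-not (Test-Path $Key)) { return '(default)' }
    $item = Get-ItemProperty -Path $Key
    if ($item.PSObject.Properties[$Name]) { return $item.$Name } else { return '(default)' }
}

function Get-SchannelProtocolState {
    param([ValidateSet('Client','Server')][string]$Side = 'Client')
    foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        $key = Join-Path $schannel "$p\$Side"
        New-Object PSObject -Property @{
            Protocol          = $p
            Side              = $Side
            Enabled           = Read-SchannelValue $key 'Enabled'
            DisabledByDefault = Read-SchannelValue $key 'DisabledByDefault'
        }
    }
}

# Legacy protocols: off and not offered. TLS 1.2: on and offered by default.
foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1') {
    Set-SchannelProtocol -Protocol $p -Enabled 0 -DisabledByDefault 1
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled 1 -DisabledByDefault 0

# Read back what is now in the registry (takes effect after a reboot).
Get-SchannelProtocolState | Format-Table Protocol, Side, Enabled, DisabledByDefault -AutoSize
```

Two checks worth doing before relying on this. First, confirm the box can speak TLS 1.2 at all: Windows 7 SP1 and Server 2008 R2 can, but the original Windows Server 2008 SP2 needs KB4019276 before TLS 1.1/1.2 exist in Schannel, and no registry value will conjure them up. Second, these keys govern Schannel's defaults; software that builds its own protocol list (WinHTTP, whose Windows 7 default needs KB3140245 and the DefaultSecureProtocols value, and .NET, which honours SchUseStrongCrypto) must be checked separately, which is one reason a script sending mail can behave differently from Outlook on the same machine.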


Re: Force TLS1.2 on Windows 7 and Server 2008

Post by mattg » 2018-10-27 04:48

I've found that:

- Machines that were Windows 7 and were upgraded to Windows 10 need this.
- Simply enabling TLS v1.2 isn't enough. You actively need to disable all of the other protocols.
- This matters for email sent from scripts.
- This matters for multiple mail clients, including Outlook and Thunderbird.

mikedibella
Normal user
Posts: 171
Joined: 2016-12-08 02:21

Re: Force TLS1.2 on Windows 7 and Server 2008

Post by mikedibella » 2018-10-28 17:10


Dravion
Senior user
Posts: 1410
Joined: 2015-09-26 11:50
Location: Germany

Re: Force TLS1.2 on Windows 7 and Server 2008

Post by Dravion » 2018-11-17 14:53

mikedibella wrote (2018-10-28 17:10):
> This is the tool I use: https://www.nartac.com/Products/IISCrypto

This little utility works very well, thanks :)

I just applied it to my Windows 10 x64 1803 (fully updated) with MS SQL Server 2017 x64 (Cumulative Update 12) installed, which
has "Encryption enforced" in the TCP/IP settings for SQL Server on port 1433.

[Attachment: TLS_1.2_secured.png (Nartac settings)]
Hint: Triple DES 128 should be disabled because it is vulnerable to the SWEET32 attack.

Nmap + TSQL proof that only TLS 1.2 is installed and only the previously allowed protocols and ciphers are in effect:
[Attachment: TLS_1_2_nmap_tsql_cli.png]
With these settings in place, any non-TLS 1.2 or non-allowed cipher connection attempt to this Windows 10 or SQL Server version will
be logged in the Windows System log as an Error. Only successful TLS 1.2 + allowed cipher connections will NOT be logged.
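Dravion verifies the result from the outside with nmap. The following is an added PowerShell example (not Dravion's, mattg's or the Nartac tool's code) that does the same kind of check without nmap: it opens a TLS handshake to a server once per protocol version that .NET's Schannel wrapper knows and reports which versions the server accepts and which cipher was negotiated, so a Triple DES suite that slipped through shows up as `TripleDes` in the Cipher column. It works for ports that speak TLS from the first byte (IMAPS 993, SMTPS 465, HTTPS 443); the server name and port are placeholders to replace. It does not apply to SQL Server on 1433, where TLS is wrapped inside the TDS pre-login exchange, so for that case stick with nmap's ssl-enum-ciphers or the SQL client as in the post.

```powershell
# Added example, not from the forum thread. Probes one TLS endpoint with each
# protocol version and reports which handshakes the server accepts.
# Assumption: 'mail.example.com' / 993 are placeholders for your own server.
function Test-TlsProtocols {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 993,
        [int]$TimeoutMs = 5000
    )
    # Version names as the .NET SslProtocols enum spells them.
    foreach ($name in 'Ssl2','Ssl3','Tls','Tls11','Tls12') {
        $result = New-Object PSObject -Property @{ Protocol = $name; Accepted = $false; Cipher = ''; Detail = '' }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $proto = [System.Security.Authentication.SslProtocols]$name   # throws on a .NET too old to know Tls11/Tls12
            $client.ReceiveTimeout = $TimeoutMs
            $client.SendTimeout = $TimeoutMs
            $client.Connect($Server, $Port)
            # Certificate validation is disabled on purpose: this tests protocol
            # negotiation, not trust. Never reuse this callback in production code.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($Server, $null, $proto, $false)
            $result.Accepted = $true
            # CipherAlgorithm is the negotiated bulk cipher, e.g. Aes256 or TripleDes (the SWEET32 case).
            $result.Cipher = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength) hash=$($ssl.HashAlgorithm) kx=$($ssl.KeyExchangeAlgorithm)"
            $ssl.Dispose()
        } catch {
            # A failed handshake is the expected outcome for the legacy versions;
            # keep the message so a client-side refusal can be told from a server-side one.
            $result.Detail = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        $result
    }
}

Test-TlsProtocols -Server 'mail.example.com' -Port 993 |
    Format-Table Protocol, Accepted, Cipher, Detail -AutoSize
```

Run this from a machine whose own Schannel still allows the legacy versions; if the probing client has already had the registry edit from earlier in this thread applied, every SSL 3.0 / TLS 1.0 / TLS 1.1 failure is the client's own refusal and says nothing about the server. The expected picture for a correctly locked-down server is `Accepted` true only on the `Tls12` row, with the other rows failing in the handshake rather than at connect time.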
