Remove From My Forums

TLS 1.1 and 1.2 on W7?

Question
0

Sign in to vote

On Windows 7 pro, how do I

1) tell if TLS 1.1 and TLS 1.2 are installed?

2) if 1.1 and 1.2 are installed, how do I disable TLS 1.0?

3) how do I tell Remote Desktop not to use TLS 1.0?

Many thanks, -T

Thursday, February 2, 2017 3:16 AM

Reply

|

Quote

All replies

0

Sign in to vote

Hi,

to use TLS1.1 & 1.2 you can just have a look into IE Options > Advanced (last section). It is not recommended to disable TLS 1.0 because many other connections are using this level. Within GPO you can set the order of SSL Ciphers to tell your clients to use TLS1.1 or 1.2 as preferred for connections (also RPD). Only a connection with same supported cipher by client and server will be established.

Regards

Thursday, February 2, 2017 7:11 AM

Reply

|

Quote
0

Sign in to vote

Hello,

By default, only TLS 1.0 is supported in Windows 7, you must install the following update to add remote desktop service support for TLS 1.1 and TLS 1.2.

Update to add RDS support for TLS 1.1 and TLS 1.2 in Windows 7 or Windows Server 2008 R2

In addition, for the Remote Desktop Client, make sure Remote Desktop Protocol 8.0 update has been installed. You can get it from the following link

https://support.microsoft.com/en-us/help/2592687/remote-desktop-protocol-rdp-8.0-update-for-windows-7-and-windows-server-2008-r2

For how disable TLS 1.0, you can refer to the following article.

https://blogs.msdn.microsoft.com/friis/2016/07/25/disabling-tls-1-0-on-your-windows-2008-r2-server-just-because-you-still-have-one/

Finally, you can use Network Monitor to verify that the RDP is using TLS1.0, or not.

Best regards,
Andy Liu
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Friday, February 3, 2017 5:34 AM

Reply

|

Quote

Moderator
0

Sign in to vote

Did your first two links. It still fails my sweet32 scan.

warnings: 64-bit block cipher 3DES vulnerable to SWEET32 attack

Saturday, February 4, 2017 6:17 AM

Reply

|

Quote
0

Sign in to vote
Hello,

Please run regedit.exe from command prompt to open Registry Editor. Uner the location at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\, create a DWORD value named Triple DES 168, and set the disable value data as 0.

After that, please restart the computer.

More information, please refer to the following article.

https://support.microsoft.com/en-us/help/245030/how-to-restrict-the-use-of-certain-cryptographic-algorithms-and-protocols-in-schannel.dll

Best regards,
Andy Liu

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Edited by Andy Liu50Microsoft contingent staff, Moderator Monday, February 6, 2017 9:23 AM
Monday, February 6, 2017 9:21 AM

Reply

|

Quote

Moderator