Is the TLS 1.0 being disabled or not?

  • Question

  • I tried to disable TLS 1.0 in the Microsoft server 2012 R2 using the method recommended by Microsoft (link: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs).

    However, when I scan the servers, some of the ports are still using TLS 1.0.

    Does anyone know whether the TLS 1.0 is disabled or not?

    Thursday, August 2, 2018 7:31 AM

All replies

  • Hi,

    Thanks for your question.

    Based on my experience, after setting the registry to disable TLS 1.0, we'll also need to configure the corresponding applications, such as IE, the Google Chrome browser, or Outlook, etc., not to use TLS 1.0, because TLS resides on the Application Layer of the OSI model. We can refer to the following figure and blog.

    https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/


    Besides, may I know whether you monitored and examined TLS 1.0 on the server by capturing network packets with a tool like Wireshark or Netmon?

    Hope this helps. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by Narcoticoo Tuesday, August 21, 2018 8:09 PM
    Friday, August 3, 2018 6:24 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Tuesday, August 7, 2018 1:55 AM
  • Hi,

    How are things going?

    Please feel free to let us know if you need further assistance.

    Best regards,

    Michael



    Thursday, August 9, 2018 2:17 PM
  • We are testing on it, will keep you posted. Thanks.
    Monday, August 13, 2018 3:54 AM

  • I have changed the setting as you said. But when I scan the server using Tenable Nessus, TLS 1.0 is used.

    As my account is not verified yet, I cannot upload the screen capture. Sorry for that.

    Tuesday, August 14, 2018 3:49 AM
  • I suspect you are getting a false positive from Nessus. This is due to you still having TLS 1.1 enabled, which shares some ciphers with TLS 1.0.

    Example, https://community.tenable.com/s/question/0D5f200005H2n39CAB/pci-asv-scan-possible-false-positive-for-tls-10

    There is a comment on this page about having to disable TLS 1.1 as well for the test to pass. Suggestions are made about a plugin update, so check you have the latest plugin too.

    I recommend using IIS Crypto to disable TLS 1.1 and TLS 1.0 and retest.


    • Edited by Mista G Wednesday, August 22, 2018 4:36 AM
    Wednesday, August 22, 2018 4:35 AM
  • That only applies to client applications running on the actual server. Submitter is using an external scanner.
    Wednesday, August 22, 2018 4:40 AM
  • Thanks for your suggestion. 

    I used IIS Crypto to disable TLS 1.0 and TLS 1.1, and the results are as follows.

    For port 443, it still supports TLS 1.0/TLS 1.1/TLS 1.2. But for port 3389, it supports TLS 1.2, which is similar to the case when I disable TLS 1.0, i.e. port 3389 supports TLS 1.1 and 1.2.

    Does the method only affect port 3389?

    Thursday, August 23, 2018 9:37 AM
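
An added example, not part of the thread and not Microsoft's or Tenable's tooling: a Python probe that caps the offered protocol version at one value per connection to a direct-TLS port such as 443 and reports what the server answers, so the result can be compared with the scanner's finding. The function names are this example's own; it does not apply to port 3389, where RDP negotiates over X.224 before TLS starts, and a rejection can also mean that none of the offered cipher suites is enabled.

```python
import socket
import struct
import sys

VERSIONS = {"TLS 1.0": 0x0301, "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}
# CBC suites valid in all three versions: ECDHE-RSA and RSA with AES, plus RSA with 3DES.
SUITES = [0xC014, 0xC013, 0x0035, 0x002F, 0x000A]

def client_hello(version):
    """Build a minimal ClientHello whose highest offered version is `version`."""
    body = struct.pack("!H", version) + bytes(32)   # client_version + random (zeros suffice for a probe)
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2 * len(SUITES)) + b"".join(struct.pack("!H", s) for s in SUITES)
    body += b"\x01\x00"                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(reply, version):
    """Interpret the first bytes of the server's reply to client_hello(version)."""
    if len(reply) < 7:
        return "rejected (no ServerHello)"
    if reply[0] == 0x15:                             # alert record: byte 6 is the description
        return "rejected (alert %d)" % reply[6]
    if reply[0] == 0x16 and reply[5] == 0x02 and len(reply) >= 11:
        chosen = struct.unpack("!H", reply[9:11])[0]  # ServerHello.server_version
        return "ACCEPTED" if chosen == version else "negotiated 0x%04x instead" % chosen
    return "unrecognised reply"

def probe(host, port, timeout=5.0):
    """Return {version name: verdict} for one TCP connection per version."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                try:
                    s.sendall(client_hello(version))
                    reply = s.recv(4096)
                except OSError:                      # reset, close or timeout after connecting
                    reply = b""
        except OSError as exc:
            results[name] = "unreachable: %s" % exc
            continue
        results[name] = classify(reply, version)
    return results

if __name__ == "__main__":                           # usage: python probe.py <host> <port>
    for name, verdict in probe(sys.argv[1], int(sys.argv[2])).items():
        print(name, "->", verdict)
```

If "TLS 1.0" shows ACCEPTED after the registry change and a reboot, the service on that port is still negotiating it and the scanner finding is not a false positive.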