How to disable TLS1.0?

    Question

  • Hi all,

    Recently I performed a Qualys scan on our server (Windows 2012 R2) and one of the results that came back is "SSL/TLS Server supports TLSv1.0, port 3389/tcp over SSL".

    I tried to amend the registry values below, but the vulnerability still shows.

    Can anyone advise why?

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
        DisabledByDefault  DWORD: 0
        Enabled            DWORD: 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
        DisabledByDefault  DWORD: 0
        Enabled            DWORD: 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
        DisabledByDefault  DWORD: 0
        Enabled            DWORD: 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
        DisabledByDefault  DWORD: 0
        Enabled            DWORD: 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
        DisabledByDefault  DWORD: 1
        Enabled            DWORD: 0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
        DisabledByDefault  DWORD: 1
        Enabled            DWORD: 0

    10 July 2017 6:34
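The registry edits in the question, applied and then read back so that the effective state can be checked before the next scan. This is an added example, not code from the thread or from Microsoft: the key paths and value names are the ones the question uses, while the function names and the `$DesiredState` table are this example's own. It needs an elevated PowerShell session, and SCHANNEL only reads these keys at boot, so the server must be rebooted before any re-scan is meaningful.

```powershell
# Added example (not from the thread): apply and audit the SCHANNEL protocol
# settings the question edits by hand. Run from an elevated PowerShell prompt;
# SCHANNEL only reads these keys at boot, so reboot before re-scanning.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired end state, identical to the values listed in the question.
$DesiredState = [ordered]@{
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 1; DisabledByDefault = 0 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [int]    $Enabled,
        [Parameter(Mandatory)] [int]    $DisabledByDefault
    )
    # Each protocol has a Client and a Server subkey; a listening service such as
    # RDP on 3389 is governed by the Server side.
    foreach ($side in 'Client', 'Server') {
        $keyPath = Join-Path $SchannelProtocols "$Protocol\$side"
        if (-not (Test-Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        # Both values must be REG_DWORD; -Force overwrites an existing value of any type.
        New-ItemProperty -Path $keyPath -Name 'Enabled' -PropertyType DWord -Value $Enabled -Force | Out-Null
        New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -PropertyType DWord -Value $DisabledByDefault -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Read back what is really in the registry and compare it with $DesiredState,
    # so a mistyped key (the space in "TLS 1.0" matters) shows up as non-compliant.
    foreach ($protocol in $DesiredState.Keys) {
        foreach ($side in 'Client', 'Server') {
            $keyPath = Join-Path $SchannelProtocols "$protocol\$side"
            $values  = if (Test-Path $keyPath) { Get-ItemProperty -Path $keyPath } else { $null }
            $want    = $DesiredState[$protocol]
            [pscustomobject]@{
                Protocol          = $protocol
                Side              = $side
                Enabled           = if ($values) { $values.Enabled } else { '(key absent)' }
                DisabledByDefault = if ($values) { $values.DisabledByDefault } else { '(key absent)' }
                Compliant         = [bool]($values -and
                                           $values.Enabled -eq $want.Enabled -and
                                           $values.DisabledByDefault -eq $want.DisabledByDefault)
            }
        }
    }
}

foreach ($protocol in $DesiredState.Keys) {
    $settings = $DesiredState[$protocol]
    Set-SchannelProtocol -Protocol $protocol @settings
}

# Audit pass: every row should read Compliant = True before the reboot and re-scan.
Get-SchannelProtocolState | Format-Table -AutoSize
```

The audit function is the part worth keeping around: it reports the values the scanner will actually be judged against, rather than the values one believes were typed into regedit. Once every row is compliant, reboot, then repeat the external check (the Qualys scan, or `nmap --script ssl-enum-ciphers -p 3389 <host>` as a later reply in this thread does) to confirm that TLSv1.0 is no longer offered.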

All Replies

  • Hi,

    Registry values seem fine to me, please restart the server then run scan to check results.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    11 July 2017 8:47
    Moderator
  • Hi,

    Are there any updates at the moment?

    Best Regards,
    Amy


    27 July 2017 7:29
    Moderator
  • Hi Amy,

    We are also having this same problem with our Qualys scanning compliance check.

    We have disabled TLS 1.0 using the same SCHANNEL regedit settings above (in our server image, so a reboot has definitely occurred), and yet we still get a vulnerability listed in the scan.

    Nmap also identifies an issue:

    Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-18 17:49 AUS Eastern Standard Time
    Nmap scan report for XXXXX
    Host is up (0.0010s latency).

    PORT     STATE SERVICE
    3389/tcp open  ms-wbt-server
    | ssl-enum-ciphers: 
    |   TLSv1.0: 
    |     ciphers: 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors: 
    |       NULL
    |     cipher preference: server
    |   TLSv1.1: 
    |     ciphers: 
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors: 
    |       NULL
    |     cipher preference: server
    |   TLSv1.2: 
    |     ciphers: 
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
    |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
    |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
    |     compressors: 
    |       NULL
    |     cipher preference: server
    |_  least strength: A

    Nmap done: 1 IP address (1 host up) scanned in 5.55 seconds

    Can you provide some suggestions on the best approach to resolve this compliance issue please?

    18 May 2018 8:34
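The nmap report above is the evidence a compliance scan will keep producing until the server stops offering TLSv1.0, so it helps to turn that report into a pass/fail check that can be re-run after every reboot. The following is an added example, not code from the thread or from the nmap project: it parses the `ssl-enum-ciphers` block of a saved nmap report and flags any protocol version that should no longer appear. The `$NmapOutput` text is a constructed, shortened copy of the output posted above; the function names and the `$DeprecatedProtocols` list are this example's own.

```powershell
# Added example (not from the thread): parse nmap's ssl-enum-ciphers output and
# flag deprecated protocol versions. $NmapOutput is a constructed, abbreviated
# copy of the report in this thread; replace it with (Get-Content report.txt -Raw)
# for a real scan saved with "nmap -oN report.txt --script ssl-enum-ciphers -p 3389 <host>".

$NmapOutput = @'
PORT     STATE SERVICE
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A
'@

# Versions a 2018-era compliance scan (and today's) report as findings.
$DeprecatedProtocols = @('SSLv2', 'SSLv3', 'TLSv1.0', 'TLSv1.1')

function Get-OfferedProtocols {
    # Returns the scanned port and a hashtable of protocol version -> cipher suite list.
    param([Parameter(Mandatory)] [string] $Report)
    $port     = $null
    $protocol = $null
    $result   = @{}
    foreach ($line in $Report -split "`r?`n") {
        if ($line -match '^(\d+)/tcp\s+open') { $port = [int]$Matches[1]; continue }
        # Protocol headers sit one level under ssl-enum-ciphers: "|   TLSv1.0: "
        if ($line -match '^\|\s{3}(SSLv\d|TLSv1\.\d):\s*$') {
            $protocol = $Matches[1]
            $result[$protocol] = New-Object System.Collections.Generic.List[string]
            continue
        }
        # Cipher suites sit two levels deeper: "|       TLS_..._SHA (secp256r1) - A"
        if ($protocol -and $line -match '^\|\s{7}(TLS_\S+)\s') {
            $result[$protocol].Add($Matches[1])
        }
    }
    [pscustomobject]@{ Port = $port; Protocols = $result }
}

function Test-DeprecatedProtocols {
    # One row per offered protocol version; Deprecated = True is a finding.
    param([Parameter(Mandatory)] [string] $Report)
    $scan = Get-OfferedProtocols -Report $Report
    foreach ($protocol in $scan.Protocols.Keys) {
        [pscustomobject]@{
            Port        = $scan.Port
            Protocol    = $protocol
            CipherCount = $scan.Protocols[$protocol].Count
            Deprecated  = $DeprecatedProtocols -contains $protocol
        }
    }
}

$rows = Test-DeprecatedProtocols -Report $NmapOutput
$rows | Sort-Object Protocol | Format-Table -AutoSize

# Non-zero exit code when anything deprecated is still offered, so the check can gate a build.
if ($rows | Where-Object Deprecated) { exit 1 }
```

Against the constructed report the check flags TLSv1.0 with two cipher suites and leaves TLSv1.2 alone; run against a report taken after the registry change and reboot, it should list TLSv1.2 only. Keeping the parser separate from the policy list means the same script can later treat TLSv1.1 as a finding without touching the parsing logic.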