Disabling TLS 1.0 Windows 2008 R2

rmathus · Apr 27, 2015 · Viewed 12k times

For PCI Compliance, TLS 1.0 needs to be disabled. I was able to get this working on Windows 2012 with no problem by editing the registry as follows:

Add DWORD DisabledByDefault and set to 1 for

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Then I rebooted the server. TLS 1.0 is showing as disabled when running an nmap scan. However, doing the same for Windows 2008 R2 doesn't work, even though https://support.microsoft.com/en-us/kb/187498 states that it should. When I make the changes on Windows 2008 R2, the SSL site does not show in a browser at all (tried multiple browsers to rule out browser issues).

When hitting the SSL site in Chrome, I get ERR_CONNECTION_RESET, but I can telnet to port 443, which would rule out IIS and networking issues. It seems the specific Server key is the one causing issues. When I remove that, the site works in a browser, but then nmap shows that TLSv1.0 is enabled, which goes back to square one.

Any ideas on getting TLS 1.0 disabled on Windows 2008 R2? I'm out of ideas and have tried a few combinations to no avail.

Thanks for any help!

Answer

Chad · Jun 27, 2015

I was getting the same thing in Windows Server 2008 R2 until I manually added and enabled the TLS 1.1 and TLS 1.2 keys and subkeys and restarted.

Make sure that both the Client and Server subkeys have these DWORD values.

DisabledByDefault = 00000000
Enabled           = ffffffff

Check out this Windows support article on the subject https://support.microsoft.com/en-us/kb/245030. (Scroll down to the "For later versions of Windows" section toward the bottom.)
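A scripted form of the answer's recipe, as an added example that is not part of the original question or answer: it creates the TLS 1.1 and TLS 1.2 Client and Server keys with the two DWORD values Chad lists, then turns TLS 1.0 off, and prints the resulting state so the change can be reviewed before the reboot. It assumes an elevated PowerShell session on the server itself; the function names are my own, and it also sets Enabled to 0 for TLS 1.0 (the hard-disable documented in KB 187498), which goes a step beyond the DisabledByDefault-only change in the question.

```powershell
# Added example, not from the original post. Run as Administrator; reboot afterwards.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [string]$Protocol,   # e.g. 'TLS 1.2'
        [bool]$Enable        # $true = enabled/default, $false = fully disabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $Base $Protocol) $side
        # The TLS 1.x keys do not exist by default on 2008 R2; create key and parent.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($Enable) {
            # -1 as a signed Int32 is stored as DWORD 0xffffffff, the value from the answer.
            New-ItemProperty -Path $key -Name 'Enabled' -Value -1 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
        } else {
            # Enabled=0 (KB 187498) plus DisabledByDefault=1 (the question's setting).
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # Reports the raw DWORDs in hex so 0xffffffff is visible as written in the answer.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $Base $proto) $side
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            New-Object PSObject -Property @{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($props.Enabled -ne $null) { '{0:x8}' -f $props.Enabled } else { '(absent)' }
                DisabledByDefault = if ($props.DisabledByDefault -ne $null) { '{0:x8}' -f $props.DisabledByDefault } else { '(absent)' }
            } | Select-Object Protocol, Side, Enabled, DisabledByDefault
        }
    }
}

# Order matters on 2008 R2 per the answer: enable TLS 1.1/1.2 explicitly, then disable TLS 1.0.
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Enable $true
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enable $false
Get-SchannelProtocolState | Format-Table -AutoSize
# Reboot, then confirm from another host with the same nmap scan used in the question.
```

An absent TLS 1.1/1.2 Server key in the report is exactly the state that produced the ERR_CONNECTION_RESET described above: with TLS 1.0 off and nothing newer explicitly enabled, Schannel has no server protocol left to offer.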