How to Enable TLS 1.2 and TLS 1.3 on Windows Server

The growing volume of cyber attacks has pushed system administrators to adopt more secure communication protocols to protect their assets and networks. TLS plays a vital role in that stack: it is the security protocol used to encrypt communications between clients and servers. TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol and offer many advantages over their predecessors. TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining popularity. As a system administrator, you should enable TLS 1.2 and TLS 1.3 on your Windows Server to enhance the security of your infrastructure.

Before learning how to enable TLS 1.2 and TLS 1.3 on your Windows Server, let’s understand TLS 1.2 and TLS 1.3 and what these TLS protocols offer more than their predecessors.

A Short Note About TLS 1.2 and TLS 1.3: 

TLS is a cryptographic protocol that is used to secure communications over computer networks. TLS 1.2 and TLS 1.3 are the two latest versions of the Transport Layer Security (TLS) protocol. TLS 1.2 was finalized in 2008, and TLS 1.3 was finalized in 2018.

TLS 1.2 improves upon TLS 1.1 by adding support for Elliptic Curve Cryptography (ECC) and introducing new cryptographic suites that offer better security than the suites used in TLS 1.1. TLS 1.3 improves upon TLS 1.2 by simplifying the handshake process and making it more resistant to man-in-the-middle attacks. In addition, TLS 1.3 introduces new cryptographic suites that offer better security than the suites used in TLS 1.2.

TLS 1.2 and TLS 1.3 are both backward compatible with TLS 1.1 and earlier versions of the protocol. This means that a client that supports TLS 1.2 can communicate with a server that supports TLS 1.1 and vice versa. However, TLS 1.2 and TLS 1.3 are not compatible with each other. A client that supports TLS 1.2 cannot communicate with a server that supports TLS 1.3, and vice versa.

TLS 1.2 is the most widely used version of the TLS protocol, but TLS 1.3 is gaining in popularity. Many major web browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, now support TLS 1.3. In addition, major Internet service providers, such as Cloudflare and Akamai, have started to support TLS 1.3 on their servers. Please visit this page if you want to review in depth the comparison of TLS implementations across different supported servers and clients.

Please visit these posts to learn more about TLS 1.2 and TLS 1.3:

  1. What Is SSL/TLS? How SSL, TLS 1.2, And TLS 1.3 Differ From Each Other?
  2. Decoding TLS v1.2 protocol Handshake with Wireshark
  3. Decoding TLS 1.3 Protocol Handshake With Wireshark
  4. How to Enable TLS 1.3 in Standard Web Browsers?
  5. How to Enable TLS 1.3 on Popular Web Servers?
  6. How to Disable TLS 1.0 and TLS 1.1 on Your Apache Server?
  7. How to Disable TLS 1.0 and TLS 1.1 on Your Nginx Server?

TLS 1.3 is the most secure version of the TLS protocol and is the recommended version to use for all new deployments. However, TLS 1.2 is still widely used and will continue to be supported for the foreseeable future.

Why Should You Enable TLS 1.2 and TLS 1.3 on Windows Server?

As a Windows administrator, it is not just your duty to look after the system’s health; it is also your responsibility to create a secure environment that protects your Windows servers from internal and external threats. TLS 1.2 and TLS 1.3 are the newest and most secure transport layer security protocols. As a system administrator, you should enable TLS 1.2 and TLS 1.3 on your Windows Server for the following reasons:

  1. Both TLS 1.2 and TLS 1.3 introduce new cipher suites that offer better security than the suites used in older TLS and SSL protocols.
  2. Both TLS 1.2 and TLS 1.3 are more resistant to man-in-the-middle attacks and simplify the handshake process, which makes it more difficult for attackers to eavesdrop on communications.
  3. TLS 1.3 simplifies the handshake process and removes unnecessary cryptographic overhead, which results in a faster connection time.

How to Enable TLS 1.2 and TLS 1.3 on Windows Server?

We have covered 3 different ways to enable TLS 1.2 and TLS 1.3 on your Windows Server in this post. You can choose any one of the three ways to enable TLS 1.2 and TLS 1.3 on your Windows Server depending on your technical and automation skills.

  1. Enable TLS 1.2 and TLS 1.3 manually using Registry
  2. Enable TLS 1.2 and TLS 1.3 using PowerShell Commands
  3. Enable TLS 1.2 and TLS 1.3 using CMD

Note: Microsoft has clearly stated that it supports TLS 1.3 only from Windows 11 and Windows Server 2022 onward. No TLS 1.3 support is provided on Windows 10, Windows Server 2019, or earlier releases. You can refer to the table below, which shows the TLS protocol versions supported by the Microsoft Schannel provider on each Windows release.

TLS Protocols Supported by Windows Operating Systems:

| Windows OS | TLS 1.0 Client | TLS 1.0 Server | TLS 1.1 Client | TLS 1.1 Server | TLS 1.2 Client | TLS 1.2 Server | TLS 1.3 Client | TLS 1.3 Server |
|---|---|---|---|---|---|---|---|---|
| Windows Vista/Windows Server 2008 | Enabled | Enabled | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported |
| Windows Server 2008 with Service Pack 2 (SP2) | Enabled | Enabled | Disabled | Disabled | Disabled | Disabled | Not supported | Not supported |
| Windows 7/Windows Server 2008 R2 | Enabled | Enabled | Disabled | Disabled | Disabled | Disabled | Not supported | Not supported |
| Windows 8/Windows Server 2012 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 8.1/Windows Server 2012 R2 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1507 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1511 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1607/Windows Server 2016 Standard | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1703 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1709 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1803 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1809/Windows Server 2019 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1903 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 1909 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 2004 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 20H2 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 21H1 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows 10, version 21H2 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2022 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Windows 11 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |

Method 1 : Enable TLS 1.2 and TLS 1.3 manually using Registry

Let’s begin learning how to enable TLS 1.2 and TLS 1.3 manually using Windows Registry.

Time needed: 10 minutes


  1. Open regedit utility

    Open ‘Run’, type ‘regedit’ and click ‘OK’.

  2. Create New Key

    In Registry Editor, navigate to the path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
    Create a new key by right-clicking ‘Protocols’ –> New –> Key.

  3. Rename the Registry Key ‘TLS 1.2’

    Rename the registry key to ‘TLS 1.2’.

  4. Create One More Registry Key ‘Client’ underneath ‘TLS 1.2’

    Similar to the above step, create another key named ‘Client’ underneath ‘TLS 1.2’.

  5. Create New Item ‘DWORD (32-bit) Value’ Underneath ‘Client’

    Create a new item by right-clicking ‘Client’, then select ‘New’ –> DWORD (32-bit) Value.

  6. Rename the Item ‘DWORD (32-bit) Value’ to ‘DisabledByDefault’

    Name the item ‘DisabledByDefault’ with the hexadecimal value ‘0’.

  7. Create another item, ‘Enabled’, Underneath ‘Client’

    Similarly, create another item named ‘Enabled’ with the hexadecimal value ‘1’.

  8. List of Items Created underneath ‘Client’

    After creating the registry items underneath ‘Client’, the key contains the two values ‘DisabledByDefault’ (0) and ‘Enabled’ (1).

  9. Create ‘Server’ and corresponding Keys as in the case of ‘Client’

    Similar to the above steps, create a key ‘Server’ under ‘TLS 1.2’ and create the ‘DisabledByDefault’ and ‘Enabled’ DWORD (32-bit) values as listed below.

    – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\Enabled with hexadecimal value ‘1’
    – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server\DisabledByDefault with hexadecimal value ‘0’

  10. Enable TLS 1.3 on the Windows Server

    Similar to the above steps, create the DWORD (32-bit) value listed below to enable TLS 1.3.

    Note: TLS 1.3 is supported in Windows 11 & Windows Server 2022 onwards.

    – HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\EnableHTTP3 with hexadecimal value ‘1’


Method 2 : Enable TLS 1.2 and TLS 1.3 on Windows Server using PowerShell Commands

Follow this simple procedure to enable TLS 1.2 and TLS 1.3 using PowerShell commands.

  1. Open PowerShell as Administrator

  2. Run the below commands to create the registry entries

    TLS 1.2

    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '0'
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -PropertyType 'DWORD' -Name 'Enabled' -Value '1'

    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -PropertyType 'DWORD' -Name 'DisabledByDefault' -Value '0'
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -PropertyType 'DWORD' -Name 'Enabled' -Value '1'

    TLS 1.3 (supported on Windows 11 and Windows Server 2022 onward)

    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\services\HTTP\Parameters' -PropertyType 'DWORD' -Name 'EnableHttp3' -Value '1'

Before running the commands, you can see that no items exist underneath ‘Protocols’.

After running the commands, you can see two keys created, ‘TLS 1.2’ and ‘TLS 1.3’. Underneath each protocol key there are ‘Client’ and ‘Server’ keys, and inside each of those there are two items, ‘DisabledByDefault’ and ‘Enabled’.
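The Method 2 commands collected into one idempotent script, as an added example that is not part of the original post. It wraps the same New-Item / New-ItemProperty calls in a function (Set-SchannelProtocolState is a name chosen here, not a built-in cmdlet) and applies it to both TLS 1.2 and the SCHANNEL ‘TLS 1.3’ Client/Server keys that FAQ 4 below describes; the same function called with -Enable $false performs the disable step that FAQ 5 describes for TLS 1.0 and TLS 1.1. It assumes an elevated PowerShell session and a reboot afterwards, since Schannel reads these values at startup.

```powershell
# Added example (not the original author's commands): Method 2's registry writes as one
# idempotent function. Run in an elevated PowerShell session and reboot afterwards.
# Set-SchannelProtocolState is a name chosen for this example, not a built-in cmdlet.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $Protocol,   # key name, e.g. 'TLS 1.2' or 'TLS 1.3'
        [Parameter(Mandatory)] [bool]   $Enable      # $true = Enabled 1 / DisabledByDefault 0
    )
    foreach ($role in 'Client', 'Server') {
        $path = Join-Path $SchannelProtocols "$Protocol\$role"
        # -Force creates the missing key chain and leaves an existing key untouched
        New-Item -Path $path -Force | Out-Null
        # The same two values the post creates in regedit; -Force overwrites a stale value
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
        Write-Host ('{0,-8} {1,-6} Enabled={2} DisabledByDefault={3}' -f `
            $Protocol, $role, [int]$Enable, [int](-not $Enable))
    }
}

# Turn on the two current versions. The 'TLS 1.3' keys only take effect on
# Windows Server 2022 / Windows 11 and later, per the support table in this post.
Set-SchannelProtocolState -Protocol 'TLS 1.2' -Enable $true
Set-SchannelProtocolState -Protocol 'TLS 1.3' -Enable $true

# The same function retires the legacy versions (Enabled 0 / DisabledByDefault 1), which is
# what FAQ 5 on this page describes. Confirm no clients still depend on them before uncommenting.
# Set-SchannelProtocolState -Protocol 'TLS 1.0' -Enable $false
# Set-SchannelProtocolState -Protocol 'TLS 1.1' -Enable $false

Write-Host 'Registry updated. Reboot the server so Schannel loads the new protocol settings.'
```

Because every write uses -Force, the script can be re-run safely from a configuration management job without first checking whether the keys exist. Note that these keys govern Schannel only; applications that ship their own TLS stack (FAQ 8 on this page) keep their own settings.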

Method 3: Enable TLS 1.2 and TLS 1.3 on Windows Server using native CMD

Follow this simple procedure to enable TLS 1.2 and TLS 1.3 using CMD commands.

  1. Open ‘Command Prompt’ as Administrator

  2. Run the below commands to create the registry entries.

    TLS 1.2

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f

    TLS 1.3 (supported on Windows 11 and Windows Server 2022 onward)

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f

We hope this post helps you enable TLS 1.2 and TLS 1.3 on your Windows Server and enhance the security of your infrastructure. Please share this post if you find it interesting, and subscribe to receive updates like this.

Frequently Asked Questions:

1. What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure communication over computer networks. It is the successor to Secure Sockets Layer (SSL) and is widely used to encrypt data transmissions between a client and a server, ensuring privacy and data integrity.

2. What are TLS 1.2 and TLS 1.3?

TLS 1.2 and TLS 1.3 are the most recent versions of the TLS protocol, with TLS 1.3 being the latest. They include several improvements over previous versions, such as enhanced security, better performance, and support for more modern cryptographic algorithms. Enabling these versions on your Windows Server ensures that your server uses the most secure and up-to-date encryption methods.

3. Why should I enable TLS 1.2 and TLS 1.3 on my Windows Server?

Enabling TLS 1.2 and TLS 1.3 on your Windows Server ensures that your server can establish secure connections with clients using the latest encryption standards. This helps protect sensitive data from eavesdropping and tampering while providing better performance and compatibility with modern web browsers and applications.

4. How do I enable TLS 1.2 and TLS 1.3 on my Windows Server?

To enable TLS 1.2 and TLS 1.3 on your Windows Server, follow these steps:
1. Open the Registry Editor by pressing Win + R, typing regedit, and pressing Enter.
2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Create new keys for TLS 1.2 and TLS 1.3 if they do not exist.
4. Under each TLS version key, create subkeys named Client and Server.
5. Create a new DWORD (32-bit) value named Enabled under both Client and Server subkeys, and set its value to 1.
6. Create a new DWORD (32-bit) value named DisabledByDefault under both Client and Server subkeys, and set its value to 0.
7. Close the Registry Editor and restart your server to apply the changes.

5. How do I disable older, less secure TLS versions on my Windows Server?

To disable older, less secure TLS versions on your Windows Server, follow the same steps as enabling TLS 1.2 and TLS 1.3, but set the Enabled DWORD value to 0 and the DisabledByDefault DWORD value to 1 for the older TLS versions (e.g., TLS 1.0 and TLS 1.1).

6. Can I enable TLS 1.2 and TLS 1.3 on other operating systems besides Windows Server?

Yes, you can enable TLS 1.2 and TLS 1.3 on other operating systems, such as Linux and macOS. The process may vary depending on the platform and the software used, but the overall goal remains the same: to configure the server to use the most recent and secure versions of the TLS protocol.

7. How do I check which TLS versions are currently enabled on my Windows Server?

You can use a third-party tool like Nmap (https://nmap.org/) or SSL Labs’ SSL Server Test (https://www.ssllabs.com/ssltest/) to scan your server and determine which TLS versions are currently enabled.
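Before reaching for an external scanner, it helps to read back what the registry actually says. The following audit function is an added example, not part of the original post; Get-SchannelProtocolState is a name chosen here, not a built-in cmdlet. It reports the Enabled and DisabledByDefault values for each protocol and role, and treats a missing key or value as ‘OS default’, because Schannel then applies the default shown in the support table above rather than treating it as 0.

```powershell
# Added example (not part of the original post): report the Schannel protocol settings
# actually present in the registry. Get-SchannelProtocolState is a name chosen here.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($role in 'Client', 'Server') {
            $path  = Join-Path $SchannelProtocols "$protocol\$role"
            # SilentlyContinue: an absent key simply yields $null instead of an error
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            # Property lookups on $null (or on an object lacking the value) return $null
            $enabled  = $props.Enabled
            $disabled = $props.DisabledByDefault

            # Classify the same way Schannel reads the values:
            #   Enabled=0                     -> protocol is off
            #   DisabledByDefault<>0          -> available only when an app asks for it
            #   nothing set                   -> OS default from the support table
            if ($null -eq $enabled -and $null -eq $disabled) { $state = 'OS default' }
            elseif ($enabled -eq 0) { $state = 'Disabled' }
            elseif ($null -ne $disabled -and $disabled -ne 0) { $state = 'Off unless requested' }
            else { $state = 'Enabled' }

            if ($null -eq $enabled)  { $enabledText  = '(not set)' } else { $enabledText  = $enabled }
            if ($null -eq $disabled) { $disabledText = '(not set)' } else { $disabledText = $disabled }

            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = $enabledText
                DisabledByDefault = $disabledText
                State             = $state
            }
        }
    }
}

# Print the table; pipe to Export-Csv instead to keep a baseline and diff it after changes.
Get-SchannelProtocolState | Format-Table -AutoSize
```

An Enabled value of 0xFFFFFFFF (which Windows sometimes writes) shows up as -1 in PowerShell; the classification above only tests for 0, so it is still reported as enabled. Keeping a saved copy of this output makes an unexpected re-enablement of TLS 1.0 or TLS 1.1 easy to spot.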

8. Can I enable TLS 1.2 and TLS 1.3 for specific applications or services on my Windows Server?

Yes, you can enable TLS 1.2 and TLS 1.3 for specific applications or services on your Windows Server. The process may vary depending on the application or service, but it typically involves configuring the application’s settings or modifying its configuration files. Refer to the documentation for the specific application or service for more information on how to enable the desired TLS versions.

9. What are the system requirements for enabling TLS 1.2 and TLS 1.3 on Windows Server?

To enable TLS 1.2 on Windows Server, you need at least Windows Server 2008 R2 or later. For TLS 1.3, you need at least Windows Server 2016 or later, along with an update to the latest version of the Schannel.dll file. Additionally, ensure that the server and the clients connecting to it support the necessary cryptographic algorithms and protocols required for TLS 1.2 and TLS 1.3.

10. Do I need to update my server’s SSL/TLS certificates after enabling TLS 1.2 and TLS 1.3?

Enabling TLS 1.2 and TLS 1.3 on your Windows Server does not require updating your existing SSL/TLS certificates. However, it is essential to ensure that your certificates are valid, up to date, and issued by a trusted Certificate Authority (CA). If your certificates are about to expire or if you have concerns about their security, consider obtaining new certificates to maintain a secure and trustworthy connection.

11. How do I test if my Windows Server is using TLS 1.2 or TLS 1.3 after enabling them?

To test if your Windows Server is using TLS 1.2 or TLS 1.3, you can use online testing tools like SSL Labs’ SSL Server Test (https://www.ssllabs.com/ssltest/) or perform a manual test using OpenSSL. To test with OpenSSL, run the following commands in the terminal (replace “example.com” with your server’s domain name or IP address):
For TLS 1.2:
    openssl s_client -connect example.com:443 -tls1_2
For TLS 1.3:
    openssl s_client -connect example.com:443 -tls1_3
If the connection is successful and the protocol version in the output matches the desired TLS version, your server is correctly configured to use TLS 1.2 or TLS 1.3.
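The same check done from PowerShell with .NET’s SslStream, as an added example that is not part of the original post, for servers where OpenSSL is not installed. Test-TlsVersion is a name chosen here; it assumes Windows PowerShell 5.1 on .NET Framework 4.8 or PowerShell 7+, where the SslProtocols.Tls13 value exists, and example.com stands in for your own server.

```powershell
# Added example (not part of the original post): offer exactly one TLS version to a server
# and report what was negotiated. Assumes .NET Framework 4.8 or PowerShell 7+ (Tls13 enum).
# Test-TlsVersion is a name chosen for this example.

function Test-TlsVersion {
    param(
        [Parameter(Mandatory)] [string] $HostName,                                    # your own server
        [int] $Port = 443,
        [Parameter(Mandatory)] [System.Security.Authentication.SslProtocols] $Protocol # e.g. Tls12, Tls13
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl    = $null
    try {
        $client.Connect($HostName, $Port)
        # leaveInnerStreamOpen = $false: disposing the SslStream closes the socket as well
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        # Offer only $Protocol; the handshake fails if the server will not speak it. Default
        # certificate validation stays on, so an untrusted chain is also reported as a failure
        # (with a different message), which is the right outcome for a production check.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Host       = "${HostName}:$Port"
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Result     = 'OK'
        }
    } catch {
        [pscustomobject]@{
            Host       = "${HostName}:$Port"
            Requested  = $Protocol
            Negotiated = $null
            Cipher     = $null
            Result     = "Failed: $($_.Exception.GetBaseException().Message)"
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Check both current versions against one host (replace example.com with your own server).
'Tls12', 'Tls13' |
    ForEach-Object { Test-TlsVersion -HostName 'example.com' -Protocol $_ } |
    Format-Table -AutoSize
```

A ‘Failed’ row for Tls13 on a Windows Server 2019 or older target is the expected result per the support table above, not a misconfiguration. Running the same two probes for Tls and Tls11 after you have disabled them (FAQ 5) confirms the change took effect after the reboot.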

12. Will enabling TLS 1.2 and TLS 1.3 affect the performance of my Windows Server?

Enabling TLS 1.2 and TLS 1.3 on your Windows Server may result in a slight increase in the resources required for encryption and decryption. However, the performance impact is generally minimal, and the security benefits provided by these newer TLS versions outweigh any potential performance drawbacks. Moreover, TLS 1.3 introduces several performance optimizations, such as reduced handshake latency, which can improve the overall performance of secure connections.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.


  1. Hi,
    you need to edit the example string that says "DisableByDefault" because it is actually "DisabledByDefault"
    Otherwise, very good documentation.

    Regards

  2. In Step 6, the name of the value is misspelled:

    Rename the Item ‘DWORD (32-bit) Value’ to ‘DisableBy Default’

    It should be 'DisabledByDefault'.
