Transport Layer Security (TLS) is a cryptographic protocol that provides communication security over the internet. It encrypts the communication between a client and a server to prevent eavesdropping and tampering with data in transit.
TLS 1.3 is the latest version of the TLS protocol and was standardized in 2018 (RFC 8446). Compared with earlier versions it removes legacy cipher suites and key exchanges, completes a full handshake in one round trip instead of two, and encrypts more of the handshake itself, which makes it both faster and more secure.
Windows Server 2022 is the first Windows Server release whose Schannel provider supports TLS 1.3. Microsoft's protocol table (reproduced below) lists it as enabled by default there, but hardening templates, group policy, or earlier registry edits can leave it disabled, and the registry keys that control it often do not exist at all. Enabling TLS 1.3 explicitly, or confirming that it is enabled, lets applications that rely on Schannel benefit from the improved security and performance of the latest TLS version.
In this blog post, we will walk through the steps to enable TLS 1.3 on Windows Server 2022.
Microsoft supports TLS 1.3 in its Schannel provider only on Windows Server 2022 and later; no TLS 1.3 support is provided for earlier Windows Server releases. The table below, taken from Microsoft's Schannel documentation, shows the TLS protocol versions each release supports and their default state.
Note: Windows Server 2019 does not support TLS 1.3 either; its Schannel protocol support is the same as that of Windows Server 2016.
| Windows OS | TLS 1.0 Client | TLS 1.0 Server | TLS 1.1 Client | TLS 1.1 Server | TLS 1.2 Client | TLS 1.2 Server | TLS 1.3 Client | TLS 1.3 Server |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows Server 2008 | Enabled | Enabled | Not supported | Not supported | Not supported | Not supported | Not supported | Not supported |
| Windows Server 2008 with Service Pack 2 (SP2) | Enabled | Enabled | Disabled | Disabled | Disabled | Disabled | Not supported | Not supported |
| Windows Server 2008 R2 | Enabled | Enabled | Disabled | Disabled | Disabled | Disabled | Not supported | Not supported |
| Windows Server 2012 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2012 R2 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2016 Standard | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2019 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Not supported | Not supported |
| Windows Server 2022 | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
First, verify which TLS versions are currently enabled on your Windows Server. There are several ways to check this, but the IIS Crypto tool is the easiest: download and run IIS Crypto and open the Protocols tab.
If you don’t see TLS 1.3 in the enabled protocols list, you will need to enable it manually.
IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012, 2016, 2019 and 2022.
IIS Crypto is the easiest way to enable TLS 1.3 on a Windows Server, and under the hood it writes the same registry values described below. Here is how to make the change directly in the registry.
Step 1: Launch Registry Editor (regedit.exe).
Step 2: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3. If the TLS 1.3 key does not exist, right-click the Protocols key, select New > Key, and name it TLS 1.3.
Step 3: Under the TLS 1.3 key, create a new key named Server. (If the server's own outbound connections should also use TLS 1.3, repeat steps 3 and 4 under a key named Client.)
Step 4: Under the Server key, create a new DWORD (32-bit) value named Enabled and set it to 1. Also create a DWORD (32-bit) value named DisabledByDefault and set it to 0, so that Schannel offers TLS 1.3 even to applications that do not request a protocol version explicitly.
Step 5: Restart the Windows Server for the changes to take effect.
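The same registry change scripted in PowerShell, as an added example that is not code from the original post. It writes the Microsoft-documented Schannel values Enabled and DisabledByDefault for both the Server and Client roles and then reads back the state of every TLS version so you can see what is explicitly set and what is left at the OS default. Function names and the output shape are this example's own choices; it assumes an elevated PowerShell prompt on Windows Server 2022.

```powershell
# Added example, not code from the original post: set the Schannel registry
# values for TLS 1.3 from an elevated PowerShell prompt and read the result
# back. Enabled and DisabledByDefault are the Microsoft-documented Schannel
# values; the function names and output layout are this example's own.
# A restart is still required before Schannel honours the change.

$ProtocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Enable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Protocol,                            # e.g. 'TLS 1.3'
        [ValidateSet('Server', 'Client')] [string[]] $Role = @('Server', 'Client')
    )
    foreach ($r in $Role) {
        $key = Join-Path (Join-Path $ProtocolsKey $Protocol) $r
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled=1, DisabledByDefault=0')) {
            # -Force creates the intermediate keys (Protocols\TLS 1.3\Server) if missing
            New-Item -Path $key -Force | Out-Null
            # Enabled=1: the protocol may be used. DisabledByDefault=0: it is offered
            # even to callers that do not ask for a specific version.
            Set-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -Type DWord
            Set-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -Type DWord
        }
    }
}

function Get-SchannelProtocolState {
    param([string[]] $Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'))
    foreach ($p in $Protocol) {
        foreach ($r in 'Client', 'Server') {
            $key   = Join-Path (Join-Path $ProtocolsKey $p) $r
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # A missing value means "OS default", which differs per Windows release
            $get = { param($name)
                if ($null -ne $props -and $props.PSObject.Properties[$name]) { $props.$name }
                else { '(not set: OS default)' } }
            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = & $get 'Enabled'
                DisabledByDefault = & $get 'DisabledByDefault'
            }
        }
    }
}

# Usage (add -WhatIf to the first call to preview without writing anything):
Enable-SchannelProtocol -Protocol 'TLS 1.3'
Get-SchannelProtocolState | Format-Table -AutoSize
# Restart-Computer    # Schannel reads these values at boot
```

Run Get-SchannelProtocolState before and after the change: rows that show "(not set: OS default)" are the ones IIS Crypto and the registry steps above would create, and an Enabled of 0 on TLS 1.3 is the sign that a hardening template has switched it off.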
That's it. TLS 1.3 is now enabled on Windows Server 2022 for every application that uses Schannel (IIS via HTTP.sys, RDP, .NET applications that leave protocol selection to the OS, and so on); software that ships its own TLS library, such as a bundled OpenSSL, is not affected by this setting.
To verify the change, open IIS Crypto again and check that TLS 1.3 now appears among the enabled protocols. Alternatively, capture a connection between a client and the server with Wireshark and inspect the handshake. Note that a TLS 1.3 Server Hello still carries 0x0303 (TLS 1.2) in its legacy version field; the negotiated version is announced in the supported_versions extension, which should show 0x0304 (TLS 1.3). Wireshark labels the record "TLSv1.3" once it sees that extension, and the display filter tls.handshake.extensions.supported_version == 0x0304 narrows the capture to exactly those Server Hello messages.
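A check that does not need a packet capture, as an added example that is not code from the original post: perform a real handshake against the server and read back the protocol that was actually negotiated. It assumes PowerShell 7 (.NET 6 or later) on a client whose own TLS stack supports TLS 1.3 (for Schannel that means Windows 11 or Windows Server 2022); the server name is a placeholder for your host.

```powershell
# Added example, not code from the original post: negotiate TLS with the
# server and report the protocol and cipher suite that were actually agreed.
# Assumes PowerShell 7 (.NET 6+) on a TLS 1.3-capable client. The server
# name used in the usage lines is a placeholder.

function Test-TlsNegotiation {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 443,
        # None = let the OS pick the highest version both sides allow;
        # Tls13 = force TLS 1.3 only, which fails loudly if the server lacks it
        [System.Security.Authentication.SslProtocols] $Protocols = 'None',
        [switch] $SkipCertValidation          # for lab servers with self-signed certs
    )
    $validator = $null
    if ($SkipCertValidation) {
        $validator = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $cert, $chain, $errors) $true
        }
    }
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $validator)
        try {
            # Client-side handshake; SNI is set from $Server
            $ssl.AuthenticateAsClient($Server, $null, $Protocols, $false)
            [pscustomobject]@{
                Server      = "${Server}:$Port"
                Protocol    = $ssl.SslProtocol             # Tls13 is what we want to see
                CipherSuite = $ssl.NegotiatedCipherSuite   # e.g. TLS_AES_256_GCM_SHA384
                Subject     = $ssl.RemoteCertificate.Subject
                IsTls13     = ($ssl.SslProtocol -eq [System.Security.Authentication.SslProtocols]::Tls13)
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $tcp.Dispose() }
}

# Usage: OS-negotiated first, then TLS 1.3 forced, so you can tell
# "server refuses TLS 1.3" apart from "client preferred something else"
Test-TlsNegotiation -Server 'win2022.example.internal' -SkipCertValidation
Test-TlsNegotiation -Server 'win2022.example.internal' -Protocols Tls13 -SkipCertValidation
```

If the forced run throws an authentication exception while the OS-negotiated run succeeds with Tls12, the server side of TLS 1.3 is still disabled (or the registry change has not been applied by a reboot yet). From a non-Windows host the equivalent check is openssl s_client -connect host:443 -tls1_3, which prints "Protocol : TLSv1.3" on success.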
The registry change above is scoped by role, not by application: Schannel keeps one set of values for the client side and one for the server side of TLS 1.3, and every application that relies on Schannel picks up the matching one. The two keys are:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client: outbound connections made by client applications (for example PowerShell or .NET code that uses the OS defaults)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server: inbound connections to server applications such as IIS and RDP
Set Enabled to 1 (and DisabledByDefault to 0) under whichever role keys you need. There is no per-application switch at this level; an application that must not use TLS 1.3 has to be configured in its own settings.
Upgrading your Windows Server to use TLS 1.3 improves the security and performance of network communications: applications get the one-round-trip handshake, modern AEAD cipher suites, and the other benefits of the latest TLS version.
Enabling TLS 1.3 on Windows Server 2022 via the registry is an easy change that makes your infrastructure more secure. Keep in mind that it does not turn off TLS 1.0 or TLS 1.1; those are disabled separately under their own Protocols keys once no client still depends on them. Verify that clients and applications can successfully negotiate TLS 1.3, and enjoy the benefits!
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.