Disabling old TLS Protocols in IIS

Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols are widely used in applications such as email, instant messaging, and voice over IP, but its use as the Security layer in HTTPS (websites) remains the most publicly visible.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.

A properly secured web site should show up as per the image to the right. These are the protocols that ideally should be enabled and disabled.

• SSL 2.0 - Disable
• SSL 3.0 - Disable
• TLS 1.0 - Disable
• TLS 1.1 - Disable
• TLS 1.2 - Enable
• TLS 1.3 - Enable

You can test your site here with SSL Labs following the link below.

Note: If you get a report saying that you have a vulnerability, then you may need to change the registry settings. Double check the link for Windows below to see what is enabled/disabled by default...

First of all, open up the registry editor by typing in regedit.exe into the search bar on windows, administrator privileges will be needed.

Then navigate to the area below, or copy into the navigator.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

The keys aren't always set up, so you may need to run this scripts below.

We've used the program on the link below for results that work well.

Use the recommended settings and then disable TLS 1.0 & TLS 1.1 in the server section.

If everything has worked, you should have a registry that looks something like this.