How To Disable TLS 1.0 & TLS 1.1 on a Windows Server, VPS or Cloud VM

We have talked extensively about Google, Microsoft and PCI's push to create a more secure internet, from supporting an open-source SSL certificate initiative like Let's Encrypt to showing a "Not Secure" warning when visiting any HTTP site through Chrome, IE, and Mozilla. Those of you who are running an e-commerce site are familiar with PCI and already know that PCI has deprecated TLS 1.0 and TLS 1.1, so the minimum requirement is TLS 1.2 and the gold standard is TLS 1.3. For those of you who are not familiar with PCI, you can find out more here.

Transport Layer Security (TLS) is a critical part of a secure online transaction between two systems, as it secures communications by authenticating one or both systems. Serious vulnerabilities prompted PCI to deprecate SSL/early TLS on 30 June 2018. So if you are using a Windows server, Windows VPS, or Windows cloud VM, you can do your part and be an agent of change by disabling TLS 1.0 and TLS 1.1 on your server. Doing so not only secures your server but also forces others who are still using SSL/early TLS to make the switch to more secure encryption technology.

Here are the step-by-step instructions for disabling TLS 1.0 and TLS 1.1 on a Windows server:

  1. Open Registry Editor by clicking the Start button, typing Regedit, and pressing Enter. Since we are dealing with the registry, we strongly suggest backing up the current registry state first; misuse of the registry might have detrimental effects on your system. (In the Regedit screen, highlight Computer >> File >> Export >> save the file to a location you want.)
  2. In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server (or TLS 1.1)

  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK.

Note: if this value is already present, double-click it to edit its current value.

  6. Type 00000000 in Binary Editor to set the new value equal to “0”.
  7. Click OK, then restart the server.
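
The same procedure scripted in PowerShell, as an added example that is not part of the original article: it exports a backup, sets Enabled to 0 under the Server key for both TLS 1.0 and TLS 1.1 (creating the key if it is not there yet), and reads the values back. The backup file location is an assumption; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the registry steps above to TLS 1.0 and TLS 1.1.

$regPath      = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$versions     = 'TLS 1.0', 'TLS 1.1'

# Assumed backup location; change it to wherever you keep registry exports.
$backupFile = "C:\schannel-protocols-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg"

# Step 1: back up the current state before touching anything.
& reg.exe export $regPath $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw 'Registry backup failed; no changes were made.'
}

foreach ($version in $versions) {
    $serverKey = Join-Path $protocolsKey "$version\Server"

    # The per-protocol Server key may not exist yet. Only create it when it is
    # missing: New-Item -Force on an existing key would wipe its values.
    if (-not (Test-Path -LiteralPath $serverKey)) {
        New-Item -Path $serverKey -Force | Out-Null
    }

    # Steps 3 to 6: DWORD value "Enabled" = 0 (-Force overwrites an existing value).
    New-ItemProperty -LiteralPath $serverKey -Name 'Enabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Read the values back so the result is checked rather than assumed.
$report = foreach ($version in $versions) {
    $serverKey = Join-Path $protocolsKey "$version\Server"
    $enabled = (Get-ItemProperty -LiteralPath $serverKey -Name 'Enabled' `
        -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        Protocol = $version
        Enabled  = $enabled
        Disabled = ($enabled -eq 0)
    }
}
$report | Format-Table -AutoSize

if ($report.Disabled -contains $false) {
    throw "At least one protocol is not disabled. Restore from $backupFile if needed."
}
Write-Host "Backup saved to $backupFile. Restart the server to apply the change."
```

The read-back only confirms what is written in the registry; the change takes effect after the restart in the final step.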