Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still accessible through TLS 1.0 and 1.1

24 replies

Last post May 23, 2019 09:25 AM by Jalpa Panchal

  • Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still accessib...

    Apr 27, 2019 12:16 AM|loginatiis|LINK

    Hello All,

    We disabled TLS 1.0 and 1.1 at the registry level on the web server, but the IIS site hosted on that server is still accessible through TLS 1.0 and 1.1.

    We have checked through the browser as well as through the OpenSSL command in PuTTY.

    Can you please help me find where it is going wrong?

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 27, 2019 02:47 PM|lextm|LINK

    loginatiis

    Can you please help me where it is going wrong?

    That indicates either that you forgot to reboot the server after making the changes, or that you simply changed the wrong keys.

    A tool like IISCrypto is preferred, as it visualizes the keys and minimizes the chance of making mistakes: https://www.nartac.com/Products/IISCrypto/

    Lex Li
    https://lextudio.com
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 28, 2019 09:42 AM|loginatiis|LINK

    Hi lextm,

    Thank you for the reply,

    I have restarted after changing the configuration at the registry level as mentioned below.

    PFB the PowerShell script which I have used to disable TLS 1.0 and 1.1.

    Please let me know where I am going wrong.

    # TLS 1.0: create the protocol key with its Client and Server subkeys
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.0"
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Client
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Server
    # Client: not offered unless an application asks for it; Server: disabled outright
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" -Name DisabledByDefault -PropertyType DWord -Value 1
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" -Name Enabled -PropertyType DWord -Value 0

    # TLS 1.1: same layout as above
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.1"
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Client
    New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Server
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" -Name DisabledByDefault -PropertyType DWord -Value 1
    New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" -Name Enabled -PropertyType DWord -Value 0

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 29, 2019 05:14 AM|Jalpa Panchal|LINK

    Hi loginatiis,

    You could use the script below to disable and enable SSL and TLS:

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$True)]
        [ValidateSet("SSL30","TLS10","TLS11","TLS12")]
        [string]$Proto,
        [ValidateSet("Client","Server")]
        [string]$Target,
        [Parameter(Mandatory=$True)]
        [ValidateSet("Enable","Disable")]
        $Action
    )

    # Map the short protocol name to its Schannel registry key
    Function CheckKey {
        param(
            [string]$Proto
        )
        $RegKey = $null

        switch ($Proto) {
            SSL30 { $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0" }
            TLS10 { $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0" }
            TLS11 { $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1" }
            TLS12 { $RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2" }
            default {
                "Not supported protocol. Possible values: SSL30, TLS10, TLS11, TLS12"
                exit
            }
        }
        return $RegKey
    }

    $RegKey = CheckKey -Proto $Proto
    [string[]]$TargetKey = $null
    if (!($Target)) {
        # No -Target given: handle both the Client and the Server subkey
        Write-Host "Setting up both Client and Server protocols"
        $TargetKey = $(Join-Path $RegKey "Client").ToString()
        $TargetKey += $(Join-Path $RegKey "Server").ToString()
        if (!(Test-Path -Path $TargetKey[0])) {
            New-Item $TargetKey[0] -Force
        }
        if (!(Test-Path -Path $TargetKey[1])) {
            New-Item $TargetKey[1] -Force
        }
    }
    else {
        Write-Host "Setting up $Target protocols"
        $TargetKey = $(Join-Path $RegKey $Target).ToString()
        if (!(Test-Path -Path $(Join-Path $RegKey $Target))) {
            New-Item $TargetKey -Force
        }
    }

    # Write Enabled and DisabledByDefault on every selected subkey:
    #   Disable -> Enabled=0, DisabledByDefault=1
    #   Enable  -> Enabled=1, DisabledByDefault=0
    # Get-ItemProperty -Name throws PSArgumentException when the value does not
    # exist yet, which decides between Set-ItemProperty and New-ItemProperty.
    Function SetProto {
        param(
            [string[]]$TargetKey,
            [string]$Action
        )

        foreach ($key in $TargetKey) {
            try {
                Get-ItemProperty -Path $key -Name "Enabled" -ErrorAction Stop | Out-Null
                if ($Action -eq "Disable") {
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "Enabled" -Value 0 -Type "DWord"
                }
                else {
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "Enabled" -Value 1 -Type "DWord"
                }
            }
            Catch [System.Management.Automation.PSArgumentException] {
                if ($Action -eq "Disable") {
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "Enabled" -Value 0 -PropertyType "DWord"
                }
                else {
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "Enabled" -Value 1 -PropertyType "DWord"
                }
            }

            try {
                Get-ItemProperty -Path $key -Name "DisabledByDefault" -ErrorAction Stop | Out-Null
                if ($Action -eq "Disable") {
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -Type "DWord"
                }
                else {
                    Write-Host "`tUpdating $key"
                    Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -Type "DWord"
                }
            }
            Catch [System.Management.Automation.PSArgumentException] {
                if ($Action -eq "Disable") {
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -PropertyType "DWord"
                }
                else {
                    Write-Host "`tCreating $key"
                    New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -PropertyType "DWord"
                }
            }
        }
    }

    SetProto -TargetKey $TargetKey -Action $Action

    Write-Host "The operation completed successfully, reboot is required" -ForegroundColor Green

    Regards,

    Jalpa.

    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue.
    If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 29, 2019 07:07 AM|loginatiis|LINK

    Hi Jalpa,

    Can you please let me know whether the script which I gave you is incorrect?

    I am able to see the protocols disabled at the registry path with the given script.

    I am not able to re-execute the script now, as it was done a few months ago by taking downtime.

    Can you please let me know your views?

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 29, 2019 07:44 AM|Jalpa Panchal|LINK

    Hi,

    Could you tell us which OS you are using?

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 29, 2019 09:58 AM|loginatiis|LINK

    Windows 2012

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 30, 2019 06:29 AM|loginatiis|LINK

    Hi,

    Could you please reply to me?

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    Apr 30, 2019 08:31 AM|Jalpa Panchal|LINK

    Hi,

    As you described, I tried my PowerShell script to disable TLS 1.0 and 1.1 on Windows 2012 with a static and a dynamic site in IIS. It works well. After disabling, you have to restart your machine.

    Test result:

    regards,

    Jalpa.

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 01, 2019 06:59 AM|loginatiis|LINK

    Hi Sir,

    For sure we have restarted the servers (checked and confirmed) after we disabled TLS 1.0 and 1.1 by executing the given PS script.

    We have two nodes in a shared farm; we disabled it on both, one after the other, restarting each.

    Why is the site still accessible through the browser? I am not understanding.

    Looking for your valuable inputs.... Appreciate your patience.

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 01, 2019 07:07 AM|Jalpa Panchal|LINK

    Hi loginatiis,

    Did you clear the browser cache, cookies, and history? Also test with Network Monitor to see which protocol is used by your site.

    https://www.microsoft.com/en-ph/download/details.aspx?id=4865

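
    A capture with Network Monitor shows what a browser happened to negotiate; a more direct check for a server you administer is to offer it one TLS version at a time and see whether the handshake completes. The function below is an added example, not from the thread, built on .NET SslStream; Test-TlsVersion is my own name and www.abc.com stands in for the binding hostname from your site. Run it from a machine whose own client-side Schannel still allows the old versions, otherwise a failure may come from the probe host rather than from the web server.

```powershell
# Added example: request one specific TLS version per connection and report
# whether the server accepted it. Assumes Windows PowerShell / .NET on Windows.
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string[]]$Versions = @('Tls', 'Tls11', 'Tls12')   # System.Security.Authentication.SslProtocols names
    )
    foreach ($v in $Versions) {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = [pscustomobject]@{ Host = $HostName; Version = $v; Accepted = $false; Detail = '' }
        try {
            $client.Connect($HostName, $Port)
            # Certificate validation is not the question here, so the callback accepts
            # any chain; this stays confined to the probe and is not a client setting.
            $cb  = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]$v, $false)
            $result.Accepted = $true
            $result.Detail   = "negotiated $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
            $ssl.Dispose()
        }
        catch {
            # A version the server refuses surfaces here as an AuthenticationException
            $result.Detail = $_.Exception.GetBaseException().Message
        }
        finally {
            $client.Dispose()
        }
        $result
    }
}

# Expected after a correct disable + reboot: Tls and Tls11 rows show Accepted = False,
# Tls12 shows Accepted = True.
Test-TlsVersion -HostName 'www.abc.com' | Format-Table -AutoSize
```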
  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 02, 2019 06:12 AM|loginatiis|LINK

    Is there any other way to test, Sir?

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 03, 2019 05:51 AM|Jalpa Panchal|LINK

    Hi,

    You could try to create custom logging at the site level or at the server level.

    Add the code below to the applicationHost.config file.

    <site name="abc" id="3" serverAutoStart="true">
        <application path="/" applicationPool="abc">
            <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\sitea" />
        </application>
        <bindings>
            <binding protocol="https" bindingInformation="*:443:www.abc.com" sslFlags="0" />
        </bindings>
        <traceFailedRequestsLogging enabled="true" />
        <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true">
            <!-- customFields is only understood by IIS 8.5 (Windows Server 2012 R2) and later -->
            <customFields>
                <clear />
                <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
                <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
                <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
                <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
            </customFields>
        </logFile>
    </site>

    You could also add the custom log fields manually using the Logging feature.

    After adding a custom field, access the site and check the log file entry.

    Check the crypt-protocol field value:

    10 - SSLv3

    40 - TLS 1.0

    100 - TLS 1.1

    400 - TLS 1.2

    You could also refer to the article below for more detail:

    New IIS functionality to help identify weak TLS usage

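
    Once the four crypt-* fields are being written, the log itself answers which clients still negotiate the old versions. The script below is an added example, not from the thread: it parses the W3C #Fields header, decodes crypt-protocol with the same hex values listed above, and groups requests by TLS version. ConvertFrom-IisW3cLog is my own name and the log text is constructed so it runs offline.

```powershell
# Added example: decode crypt-protocol in an IIS W3C log and count requests per TLS version.
# Constructed sample log (IIS writes custom fields after the standard ones, in header order).
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status crypt-protocol crypt-cipher crypt-hash crypt-keyexchange
2019-05-03 10:01:02 10.0.0.5 GET / 200 400 6610 800c ae06
2019-05-03 10:01:05 10.0.0.6 GET /login 200 40 6610 8004 a400
2019-05-03 10:01:09 10.0.0.7 POST /api 500 100 6610 8004 a400
2019-05-03 10:01:12 10.0.0.5 GET /img/a.png 200 400 6610 800c ae06
'@

# crypt-protocol is the Schannel server-side protocol flag written in hex (values from the post above)
$protocolNames = @{ '10' = 'SSL 3.0'; '40' = 'TLS 1.0'; '100' = 'TLS 1.1'; '400' = 'TLS 1.2' }

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns for every data line that follows it
            $fields = ($line.Substring(8).Trim() -split ' ')
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip damaged lines rather than misalign columns
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        $hex = $entry['crypt-protocol']
        $entry['tls-version'] = if ($protocolNames.ContainsKey($hex)) { $protocolNames[$hex] } else { "unknown (0x$hex)" }
        [pscustomobject]$entry
    }
}

$entries = ConvertFrom-IisW3cLog -Lines ($sampleLog -split "`r?`n")

# Summary per version; on the sample this gives TLS 1.0 = 1, TLS 1.1 = 1, TLS 1.2 = 2
$entries | Group-Object 'tls-version' | Select-Object Name, Count | Sort-Object Name

# Each row below TLS 1.2 is a client that negotiated a version the registry change was meant to block
$entries | Where-Object { $_.'tls-version' -ne 'TLS 1.2' } |
    Format-Table 'date', 'time', 'c-ip', 'cs-uri-stem', 'tls-version' -AutoSize
```

    For a real log, replace the here-string with Get-Content on the file under the site's log directory; the header line is parsed the same way.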
  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 06, 2019 09:11 AM|loginatiis|LINK

    Hi Sir,

    Our servers are Windows 2012. Can we implement the above-mentioned way?

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 06, 2019 09:14 AM|Jalpa Panchal|LINK

    Yes, you could implement that suggested way on the Server 2012 OS.

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 09, 2019 06:58 AM|loginatiis|LINK

    Hi Sir,

    After adding custom logging as you mentioned, at the site level in the applicationHost.config file, IIS is not starting.

    It says the dependent services are failing to start.

    I tried it on one of our sandbox servers.

    Please share your thoughts.

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 09, 2019 07:03 AM|Jalpa Panchal|LINK

    Could you share the applicationHost.config setting you changed?

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 10, 2019 10:35 AM|loginatiis|LINK

    Hi Sir,

    I have just added the lines below to the applicationHost.config file and tried to restart IIS, but it's not starting after I stopped IIS.

    <traceFailedRequestsLogging enabled="true" />
    <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true">
        <customFields>
            <clear />
            <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
            <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
            <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
            <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
        </customFields>
    </logFile>

    Thanks

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 13, 2019 08:02 AM|loginatiis|LINK

    Hi Sir

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 13, 2019 08:10 AM|Jalpa Panchal|LINK

    Hi,

    Did you add the above code under the site node in which you want to enable custom logging?

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 13, 2019 12:47 PM|loginatiis|LINK

    Yes Sir

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 14, 2019 02:47 AM|Jalpa Panchal|LINK

    Hi,

    Remove the code from the applicationHost.config file and try to add the field manually in the Logging settings.

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 22, 2019 11:03 AM|loginatiis|LINK

    Hi Sir,

    We are not able to see the 'Custom Fields' section in the W3C logging fields.

    Please suggest.

    Thanks,

  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 22, 2019 03:26 PM|Rovastar (MVP, Moderator)|LINK

    Custom logging is not in 2012; it was introduced in 2012 R2.
    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: Disabled TLS 1.0 and 1.1 at registry level in the web server but IIS site hosted is still acc...

    May 23, 2019 09:25 AM|Jalpa Panchal|LINK

    Hi,

    Download the Network Monitor tool and check the result.

    https://www.microsoft.com/en-ph/download/details.aspx?id=4865
