Lex Li
IIS Consulting Services at https://support.lextudio.com/services/consulting.html
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
As you described I tried my PowerShell script to disable TLS 1.0 and 1.1 on windows 2012 with a static and dynamic site in IIS. it works well. after disabling you have to restart your machine.
Test result:
regards,
Jalpa.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Yes you could implement that suggested way on server 2012 os.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Could you share appplicationhost.config setting you changed?
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Did you add above code under your site node in which you want to enable custom logging?
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
Remove the code from applicationhost.config file and try to add field manually in the log setting.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
MSDN Community Support
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still accessb...
Apr 27, 2019 12:16 AM|loginatiis|LINK
Hello All,
Disabled TLS 1.0 and 1.1 at registry level in the web server but iis site hosted in web server is still accessing through TLS1.0 and 1.1
We have checked through browser as well as through open ssl command in putty.
Can you please help me where it is going wrong?
Thanks
8792 Posts
MVP
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 27, 2019 02:47 PM|lextm|LINK
That indicates either you forgot to reboot the server after making the changes, or you simply changed the wrong keys.
A tool like IISCrypto is preferred, as it visualizes the keys and minimizes the possibilities to make mistakes, https://www.nartac.com/Products/IISCrypto/
IIS Consulting Services at https://support.lextudio.com/services/consulting.html
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 28, 2019 09:42 AM|loginatiis|LINK
Hi lextm,
Thank you for the reply,
I have restarted after changing the configuration at registry level as mentioned below.
PFB the Power Shell script which I have used to disable TLS 1.0 and 1.1
Please let me know where iam going wrong.
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.0"
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Client
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Server
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" -Name DisabledByDefault -PropertyType DWord –Value 1
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" -Name Enabled -PropertyType DWord -Value 0
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.1"
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Client
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Server
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" -Name DisabledByDefault -PropertyType DWord -Value 1
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" -Name Enabled -PropertyType DWord -Value 0
Thanks
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 05:14 AM|Jalpa Panchal|LINK
Hi loginatiis,
You could use the below script to disable and enable SSL and TLS:
[CmdletBinding()] Param( [Parameter(Mandatory=$True)] [ValidateSet("SSL30","TLS10","TLS11","TLS12")] [string]$Proto, [ValidateSet("Client","Server")] [string]$Target, [Parameter(Mandatory=$True)] [ValidateSet("Enable","Disable")] $Action) Function CheckKey{ param( [string]$Proto ) $RegKey = $null switch ($Proto){ SSL30 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"} TLS10 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"} TLS11 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"} TLS12 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"} default{"Not supported protocol. Possible values: SSL30, TLS10, TLS11, TLS12" exit} } return $Regkey } $RegKey = CheckKey -Proto $Proto [string[]]$TargetKey = $null if(!($Target)){ Write-Host "Setting up both Client and Server protocols" $TargetKey = $(Join-Path $RegKey "Client").ToString() $TargetKey += $(Join-Path $RegKey "Server").ToString() if(!(Test-path -Path $TargetKey[0])){ New-Item $TargetKey[0] -Force } if(!(Test-path -Path $TargetKey[1])){ New-Item $TargetKey[1] -Force } } else{ Write-Host "Setting up $Target protocols" $TargetKey = $(Join-Path $RegKey $Target).ToString() if(!(Test-path -Path $(Join-Path $RegKey $Target))){ New-Item $TargetKey -Force } } Function SetProto{ param( [string[]]$TargetKey, [string]$Action ) foreach($key in $TargetKey){ try{ Get-ItemProperty -Path $key -Name "Enabled" -ErrorAction Stop | Out-Null if($Action -eq "Disable"){ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "Enabled" -Value 0 -Type "DWord" } else{ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "Enabled" -Value 1 -Type "DWord" } }Catch [System.Management.Automation.PSArgumentException]{ if($Action -eq "Disable"){ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "Enabled" -Value 0 -PropertyType "DWord" } else{ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "Enabled" -Value 1 -PropertyType "DWord" } } try{ Get-ItemProperty -Path $key -Name "DisabledByDefault" -ErrorAction Stop | Out-Null if($Action -eq "Disable"){ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -Type "DWord" } else{ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -Type "DWord" } }Catch [System.Management.Automation.PSArgumentException]{ if($Action -eq "Disable"){ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -PropertyType "DWord" } else{ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" } } } } SetProto -TargetKey $TargetKey -Action $Action Write-Host "The operation completed successfully, reboot is required" -ForegroundColor GreenRegards,
Jalpa.
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 07:07 AM|loginatiis|LINK
Hi Jalpa,
Can you please let me know that the script which i gave you is incorrect?
I can able to see the protocols disabled at registry path with the given script.
I am not able to re execute the script now as it was done few months ago by taking downtime.
Can you please let me know your views?
Thanks
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 07:44 AM|Jalpa Panchal|LINK
Hi,
Could you tell us which OS you are using?
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 09:58 AM|loginatiis|LINK
Windows 2012
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 30, 2019 06:29 AM|loginatiis|LINK
Hi ,
Could you please reply me.
Thanks
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 30, 2019 08:31 AM|Jalpa Panchal|LINK
Hi,
As you described I tried my PowerShell script to disable TLS 1.0 and 1.1 on windows 2012 with a static and dynamic site in IIS. it works well. after disabling you have to restart your machine.
Test result:
regards,
Jalpa.
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 01, 2019 06:59 AM|loginatiis|LINK
Hi Sir,
For sure we have restarted the servers(checked and confirmed) after we disable the TLS 1.0 and 1.1 by executing the given PS script.
We have two nodes in sharedfarm, we have disabled in both one after other by restarting.
Why the site is still accessing through browser i am not understanding?
Looking for your valuable inputs....Appreciate for your patience
Thanks
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 01, 2019 07:07 AM|Jalpa Panchal|LINK
Hi loginatiis,
Did you clear browser cache, cookie, and history? and also test with network monitor that which protocol is used by your site.
https://www.microsoft.com/en-ph/download/details.aspx?id=4865
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 02, 2019 06:12 AM|loginatiis|LINK
Any other way to test Sir?
Thanks
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 03, 2019 05:51 AM|Jalpa Panchal|LINK
Hi,
You could try to create custom logging at the site level or server level.
Add below code in Applicationhost.config file.
<site name="abc" id="3" serverAutoStart="true"> <application path="/" applicationPool="abc"> <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\sitea" /> </application> <bindings> <binding protocol="https" bindingInformation="*:443:www.abc.com" sslFlags="0" /> </bindings> <traceFailedRequestsLogging enabled="true" /> <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true"> <customFields> <clear /> <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" /> <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" /> <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" /> <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" /> </customFields> </logFile> </site>You could also add custom log field manually using the logging feature.
After adding a custom field, access site and check log file entry.
Check crypt-protocol field value:
10 - SSLV3
40 - TLS1.0
100 - TLS1.1
400 - TLS4.2
You could also refer below article for more detail:
New IIS functionality to help identify weak TLS usage
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 06, 2019 09:11 AM|loginatiis|LINK
Hi Sir,
Our servers are windows 2012, Can we implement the above said way?
Thanks
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 06, 2019 09:14 AM|Jalpa Panchal|LINK
Yes you could implement that suggested way on server 2012 os.
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 09, 2019 06:58 AM|loginatiis|LINK
Hi Sir,
After adding custom logging as you have mentioned at the site level in Applicationhost.config file IIS is not starting.
It is saying the dependent services are failing to start.
I tried in one of our Sandbox server.
Please share your thoughts.
Thanks
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 09, 2019 07:03 AM|Jalpa Panchal|LINK
Could you share appplicationhost.config setting you changed?
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 10, 2019 10:35 AM|loginatiis|LINK
Hi Sir,
I have just added the below lines in applicationhost.config file and tries to restart IIS, but it's not starting after i have stopped IIS.
<traceFailedRequestsLogging enabled="true" />
<logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true">
<customFields>
<clear />
<add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
<add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
</customFields>
</logFile>
Thanks
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 13, 2019 08:02 AM|loginatiis|LINK
Hi Sir
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 13, 2019 08:10 AM|Jalpa Panchal|LINK
Hi,
Did you add above code under your site node in which you want to enable custom logging?
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 13, 2019 12:47 PM|loginatiis|LINK
Yes Sir
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 14, 2019 02:47 AM|Jalpa Panchal|LINK
Hi,
Remove the code from applicationhost.config file and try to add field manually in the log setting.
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 22, 2019 11:03 AM|loginatiis|LINK
Hi Sir,
We are not able to see 'Custom Fields' section W3C Logging fields.
Please suggest.
Thanks,
5469 Posts
MVP
Moderator
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 22, 2019 03:26 PM|Rovastar|LINK
https://www.leansentry.com/
1386 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 23, 2019 09:25 AM|Jalpa Panchal|LINK
Hi ,
Download network monitor tool and check the result.
https://www.microsoft.com/en-ph/download/details.aspx?id=4865
Please remember to click "Mark as Answer" the responses that resolved your issue.
If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.