Lex Li
Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
As you described I tried my PowerShell script to disable TLS 1.0 and 1.1 on windows 2012 with a static and dynamic site in IIS. it works well. after disabling you have to restart your machine.
Test result:
regards,
Jalpa.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
Yes you could implement that suggested way on server 2012 os.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
Could you share appplicationhost.config setting you changed?
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
Did you add above code under your site node in which you want to enable custom logging?
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
Remove the code from applicationhost.config file and try to add field manually in the log setting.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
.NET forums are moving to a new home on Microsoft Q&A, we encourage you to go to Microsoft Q&A for .NET for posting new questions and get involved today.
13 Posts
Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still accessb...
Apr 27, 2019 12:16 AM|loginatiis|LINK
Hello All,
Disabled TLS 1.0 and 1.1 at registry level in the web server but iis site hosted in web server is still accessing through TLS1.0 and 1.1
We have checked through browser as well as through open ssl command in putty.
Can you please help me where it is going wrong?
Thanks
8957 Posts
MVP
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 27, 2019 02:47 PM|lextm|LINK
That indicates either you forgot to reboot the server after making the changes, or you simply changed the wrong keys.
A tool like IISCrypto is preferred, as it visualizes the keys and minimizes the possibilities to make mistakes, https://www.nartac.com/Products/IISCrypto/
Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 28, 2019 09:42 AM|loginatiis|LINK
Hi lextm,
Thank you for the reply,
I have restarted after changing the configuration at registry level as mentioned below.
PFB the Power Shell script which I have used to disable TLS 1.0 and 1.1
Please let me know where iam going wrong.
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.0"
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Client
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0" -Name Server
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" -Name DisabledByDefault -PropertyType DWord –Value 1
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" -Name Enabled -PropertyType DWord -Value 0
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols" -Name "TLS 1.1"
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Client
New-Item -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1" -Name Server
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" -Name DisabledByDefault -PropertyType DWord -Value 1
New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" -Name Enabled -PropertyType DWord -Value 0
Thanks
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 05:14 AM|Jalpa Panchal|LINK
Hi loginatiis,
You could use the below script to disable and enable SSL and TLS:
[CmdletBinding()] Param( [Parameter(Mandatory=$True)] [ValidateSet("SSL30","TLS10","TLS11","TLS12")] [string]$Proto, [ValidateSet("Client","Server")] [string]$Target, [Parameter(Mandatory=$True)] [ValidateSet("Enable","Disable")] $Action) Function CheckKey{ param( [string]$Proto ) $RegKey = $null switch ($Proto){ SSL30 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0"} TLS10 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"} TLS11 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1"} TLS12 {$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"} default{"Not supported protocol. Possible values: SSL30, TLS10, TLS11, TLS12" exit} } return $Regkey } $RegKey = CheckKey -Proto $Proto [string[]]$TargetKey = $null if(!($Target)){ Write-Host "Setting up both Client and Server protocols" $TargetKey = $(Join-Path $RegKey "Client").ToString() $TargetKey += $(Join-Path $RegKey "Server").ToString() if(!(Test-path -Path $TargetKey[0])){ New-Item $TargetKey[0] -Force } if(!(Test-path -Path $TargetKey[1])){ New-Item $TargetKey[1] -Force } } else{ Write-Host "Setting up $Target protocols" $TargetKey = $(Join-Path $RegKey $Target).ToString() if(!(Test-path -Path $(Join-Path $RegKey $Target))){ New-Item $TargetKey -Force } } Function SetProto{ param( [string[]]$TargetKey, [string]$Action ) foreach($key in $TargetKey){ try{ Get-ItemProperty -Path $key -Name "Enabled" -ErrorAction Stop | Out-Null if($Action -eq "Disable"){ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "Enabled" -Value 0 -Type "DWord" } else{ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "Enabled" -Value 1 -Type "DWord" } }Catch [System.Management.Automation.PSArgumentException]{ if($Action -eq "Disable"){ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "Enabled" -Value 0 -PropertyType "DWord" } else{ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "Enabled" -Value 1 -PropertyType "DWord" } } try{ Get-ItemProperty -Path $key -Name "DisabledByDefault" -ErrorAction Stop | Out-Null if($Action -eq "Disable"){ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -Type "DWord" } else{ Write-Host "`t`Updating $key" Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -Type "DWord" } }Catch [System.Management.Automation.PSArgumentException]{ if($Action -eq "Disable"){ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 1 -PropertyType "DWord" } else{ Write-Host "`t`Creating $key" New-ItemProperty -Path $key -Name "DisabledByDefault" -Value 0 -PropertyType "DWord" } } } } SetProto -TargetKey $TargetKey -Action $Action Write-Host "The operation completed successfully, reboot is required" -ForegroundColor GreenRegards,
Jalpa.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 07:07 AM|loginatiis|LINK
Hi Jalpa,
Can you please let me know that the script which i gave you is incorrect?
I can able to see the protocols disabled at registry path with the given script.
I am not able to re execute the script now as it was done few months ago by taking downtime.
Can you please let me know your views?
Thanks
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 07:44 AM|Jalpa Panchal|LINK
Hi,
Could you tell us which OS you are using?
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 29, 2019 09:58 AM|loginatiis|LINK
Windows 2012
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 30, 2019 06:29 AM|loginatiis|LINK
Hi ,
Could you please reply me.
Thanks
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
Apr 30, 2019 08:31 AM|Jalpa Panchal|LINK
Hi,
As you described I tried my PowerShell script to disable TLS 1.0 and 1.1 on windows 2012 with a static and dynamic site in IIS. it works well. after disabling you have to restart your machine.
Test result:
regards,
Jalpa.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 01, 2019 06:59 AM|loginatiis|LINK
Hi Sir,
For sure we have restarted the servers(checked and confirmed) after we disable the TLS 1.0 and 1.1 by executing the given PS script.
We have two nodes in sharedfarm, we have disabled in both one after other by restarting.
Why the site is still accessing through browser i am not understanding?
Looking for your valuable inputs....Appreciate for your patience
Thanks
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 01, 2019 07:07 AM|Jalpa Panchal|LINK
Hi loginatiis,
Did you clear browser cache, cookie, and history? and also test with network monitor that which protocol is used by your site.
https://www.microsoft.com/en-ph/download/details.aspx?id=4865
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 02, 2019 06:12 AM|loginatiis|LINK
Any other way to test Sir?
Thanks
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 03, 2019 05:51 AM|Jalpa Panchal|LINK
Hi,
You could try to create custom logging at the site level or server level.
Add below code in Applicationhost.config file.
<site name="abc" id="3" serverAutoStart="true"> <application path="/" applicationPool="abc"> <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\sitea" /> </application> <bindings> <binding protocol="https" bindingInformation="*:443:www.abc.com" sslFlags="0" /> </bindings> <traceFailedRequestsLogging enabled="true" /> <logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true"> <customFields> <clear /> <add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" /> <add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" /> <add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" /> <add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" /> </customFields> </logFile> </site>You could also add custom log field manually using the logging feature.
After adding a custom field, access site and check log file entry.
Check crypt-protocol field value:
10 - SSLV3
40 - TLS1.0
100 - TLS1.1
400 - TLS4.2
You could also refer below article for more detail:
New IIS functionality to help identify weak TLS usage
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 06, 2019 09:11 AM|loginatiis|LINK
Hi Sir,
Our servers are windows 2012, Can we implement the above said way?
Thanks
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 06, 2019 09:14 AM|Jalpa Panchal|LINK
Yes you could implement that suggested way on server 2012 os.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 09, 2019 06:58 AM|loginatiis|LINK
Hi Sir,
After adding custom logging as you have mentioned at the site level in Applicationhost.config file IIS is not starting.
It is saying the dependent services are failing to start.
I tried in one of our Sandbox server.
Please share your thoughts.
Thanks
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 09, 2019 07:03 AM|Jalpa Panchal|LINK
Could you share appplicationhost.config setting you changed?
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 10, 2019 10:35 AM|loginatiis|LINK
Hi Sir,
I have just added the below lines in applicationhost.config file and tries to restart IIS, but it's not starting after i have stopped IIS.
<traceFailedRequestsLogging enabled="true" />
<logFile logExtFileFlags="Date, Time, ClientIP, UserName, ServerIP, Method, UriStem, UriQuery, HttpStatus, Win32Status, TimeTaken, ServerPort, UserAgent, Referer, Host, HttpSubStatus" enabled="true">
<customFields>
<clear />
<add logFieldName="crypt-protocol" sourceName="CRYPT_PROTOCOL" sourceType="ServerVariable" />
<add logFieldName="crypt-cipher" sourceName="CRYPT_CIPHER_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-hash" sourceName="CRYPT_HASH_ALG_ID" sourceType="ServerVariable" />
<add logFieldName="crypt-keyexchange" sourceName="CRYPT_KEYEXCHANGE_ALG_ID" sourceType="ServerVariable" />
</customFields>
</logFile>
Thanks
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 13, 2019 08:02 AM|loginatiis|LINK
Hi Sir
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 13, 2019 08:10 AM|Jalpa Panchal|LINK
Hi,
Did you add above code under your site node in which you want to enable custom logging?
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 13, 2019 12:47 PM|loginatiis|LINK
Yes Sir
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 14, 2019 02:47 AM|Jalpa Panchal|LINK
Hi,
Remove the code from applicationhost.config file and try to add field manually in the log setting.
13 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 22, 2019 11:03 AM|loginatiis|LINK
Hi Sir,
We are not able to see 'Custom Fields' section W3C Logging fields.
Please suggest.
Thanks,
5494 Posts
MVP
Moderator
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 22, 2019 03:26 PM|Rovastar|LINK
https://www.leansentry.com/
1616 Posts
Re: Disabled TLS 1.0 and 1.1 at regestry level in the web server but iis site hosted is still acc...
May 23, 2019 09:25 AM|Jalpa Panchal|LINK
Hi ,
Download network monitor tool and check the result.
https://www.microsoft.com/en-ph/download/details.aspx?id=4865