Learn how to enable TLS 1.2 on Windows Server and disable the older TLS protocol versions. You want secure communications going through your Windows Server, and to do that, you have to enable TLS 1.2 and disable the older TLS versions. If you have SSL protocols active, you should disable these too. In this article, we will enable TLS 1.2 on Windows Server 2016/2019.
What is Transport Layer Security?
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
Windows Server TLS best practice
Note: Only TLS 1.3 and TLS 1.2 are approved. TLS 1.3 can only be enabled on Windows Server 2022 or newer.
Windows Server 2019 and lower
Only activate TLS 1.2 for the best security on Windows Server 2019 and lower versions. Disable all other protocols.
Windows Server 2022 and higher
Only activate TLS 1.2 and TLS 1.3 for the best security on Windows Server 2022 and newer versions. Disable all other protocols.
How do you know if TLS 1.2 is enabled on Windows Server?
Go to the website Qualys SSL Labs and fill in the domain you want to check. For example, the external URL of your Windows Server. In our example, the Exchange Server domain is added. Wait a couple of minutes for the report.
Scroll down to Configuration. There you can see which TLS and SSL versions are enabled or disabled. In our example, TLS 1.2 is already enabled, which is excellent. TLS 1.1 and TLS 1.0 are also enabled, and that's not good. What you should see is that only TLS 1.2 is enabled.
How to enable TLS 1.2 on Windows Server?
Download IIS Crypto GUI from Nartac Software. It’s a portable version, and you don’t have to run the setup.
Start the application, and in the main window (Schannel), you can see which options are checked/unchecked.
Click on Templates. Here you can find the built-in templates. Click on the templates and read the description.
We recommend you load the template PCI 3.2. Check the checkbox Reboot, and click the Apply button.
Note: The Windows Server will reboot immediately.
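The IIS Crypto template above works by editing the Schannel protocol keys in the registry. The following PowerShell script is an added example, not code from the article or from Nartac Software: it audits those keys (the same information SSL Labs shows under Protocols, but read locally) and then writes the "only TLS 1.2" configuration from the best-practice section. The registry path is the documented Schannel location; the Enabled/DisabledByDefault values are the two DWORDs Windows reads for each protocol. Run it in an elevated session and reboot afterwards, exactly as with IIS Crypto.

```powershell
# Added example (not from the article or from IIS Crypto): audit and harden the
# Schannel protocol keys. Requires an elevated PowerShell session and a reboot.

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol names exactly as Schannel spells them in the registry
$AllProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3'

function Get-SchannelProtocolState {
    # For each protocol and side (Server = inbound, Client = outbound) report whether
    # it is explicitly disabled, explicitly enabled, or left to the OS default (no key).
    foreach ($proto in $AllProtocols) {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path (Join-Path $SchannelRoot $proto) $side
            $state = 'OS default (no key)'
            if (Test-Path $key) {
                $props   = Get-ItemProperty -Path $key
                $enabled = $props.Enabled            # $null when the value is absent
                $dbd     = $props.DisabledByDefault  # $null when the value is absent
                if ($null -eq $enabled)   { $state = 'Key present, Enabled value missing' }
                elseif ($enabled -eq 0)   { $state = 'Disabled' }
                elseif ($dbd -eq 1)       { $state = 'Enabled but not offered by default' }
                else                      { $state = 'Enabled' }
            }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state }
        }
    }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3')]
        [string]$Protocol,
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $SchannelRoot $Protocol) $side
        # -Force creates the missing parent keys (the protocol key is often absent)
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 + DisabledByDefault=0 turns a protocol on; Enabled=0 + DisabledByDefault=1 turns it off
        New-ItemProperty -Path $key -Name 'Enabled'           -PropertyType DWord -Value ([int]$Enable)        -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

# Windows Server 2019 and lower: keep only TLS 1.2, as the best-practice section says.
$Wanted = @('TLS 1.2')
# Windows Server 2022 and higher: uncomment to keep TLS 1.3 as well.
# $Wanted = @('TLS 1.2', 'TLS 1.3')

Write-Host 'Before:'
Get-SchannelProtocolState | Format-Table -AutoSize

foreach ($proto in $AllProtocols) {
    # On a server that cannot do TLS 1.3, leave that key alone instead of writing a value the OS ignores
    if ($proto -eq 'TLS 1.3' -and $Wanted -notcontains 'TLS 1.3') { continue }
    Set-SchannelProtocol -Protocol $proto -Enable ($Wanted -contains $proto)
}

Write-Host 'After (takes effect after a reboot):'
Get-SchannelProtocolState | Format-Table -AutoSize
```

Two things this script does not do that the IIS Crypto template does: it does not touch the cipher suites, hashes and key-exchange settings, and it disables the old protocols on the Client side as well as the Server side. The latter means outbound connections from older .NET Framework applications on the same box can start failing until they are told to use the system defaults (the SchUseStrongCrypto and SystemDefaultTlsVersions settings under the .NETFramework registry keys), so check that before the reboot on a server that also runs such applications.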
Verify if TLS 1.2 is enabled on Windows Server
Go to Qualys SSL Labs and fill in the domain to get the report. This time it’s showing us an overall rating A.
Scroll down to Configuration and check the Protocols. Only the protocol TLS 1.2 is enabled.
Start IIS Crypto, and you can see that only the TLS 1.2 checkbox is selected under Server Protocols and Client Protocols.
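SSL Labs can only test hosts that are reachable from the internet. For an internal server, or to check a port other than 443, the following PowerShell probe is an added example (not from the article) that attempts a handshake with each protocol version in turn and reports which ones the server accepts. The host name and port are assumptions; replace them with your own server. It only tests protocol negotiation, so certificate validation is deliberately skipped.

```powershell
# Added example (not from the article): probe which TLS/SSL versions a server accepts.
$TargetHost = 'mail.example.com'   # assumption: your server's external or internal name
$Port       = 443

function Test-TlsProtocol {
    param([string]$ComputerName, [int]$Port, [string]$ProtocolName)

    # Older .NET Framework runtimes do not know the Tls13 enum member at all;
    # report that honestly instead of as a refusal by the server.
    $known = [Enum]::GetNames([System.Security.Authentication.SslProtocols])
    if ($known -notcontains $ProtocolName) {
        return [pscustomobject]@{ Protocol = $ProtocolName; HandshakeOk = $false; Negotiated = $null; Cipher = $null; Detail = 'Not supported by this client runtime' }
    }

    $client = $null; $ssl = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
        # Accept any certificate: we are testing protocol negotiation, not trust
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $proto = [System.Security.Authentication.SslProtocols]$ProtocolName
        $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
        [pscustomobject]@{ Protocol = $ProtocolName; HandshakeOk = $true; Negotiated = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm; Detail = '' }
    } catch {
        [pscustomobject]@{ Protocol = $ProtocolName; HandshakeOk = $false; Negotiated = $null; Cipher = $null; Detail = $_.Exception.GetBaseException().Message }
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

# Enum names map to versions as: Ssl3 = SSL 3.0, Tls = TLS 1.0, Tls11 = TLS 1.1, Tls12 = TLS 1.2, Tls13 = TLS 1.3.
# SSL 2.0 is not offered by SslStream on modern .NET, so it is not probed.
$results = foreach ($p in 'Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13') {
    Test-TlsProtocol -ComputerName $TargetHost -Port $Port -ProtocolName $p
}
$results | Format-Table -AutoSize

# After applying the article's configuration, only Tls12 (and Tls13 on Server 2022+) should show HandshakeOk = True
```

Read a failed handshake as "could not negotiate from this client", not automatically as "server refuses": the probing machine's own Schannel Client settings limit what it can offer, so if you already disabled TLS 1.0 and 1.1 on the client side there, those rows will fail regardless of what the server does. Run the probe from a machine where the old versions are still enabled client-side to get a true picture of the server.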
Everything looks great! Did this article on how to enable TLS 1.2 on Windows Server help you?
You learned how to enable TLS 1.2 on Windows Server 2016/2019 and how to disable the deprecated protocols. Check the domain in SSL Labs and look at the SSL report. If only TLS 1.2 is enabled, everything is OK. If it's not, follow the steps shown in the article to enable only TLS 1.2. Don't forget to rerun the SSL report at SSL Labs and verify that everything looks great.