How to Enable TLS 1.2 on Windows Server
Learn how to enable TLS 1.2 on Windows Server and disable the older TLS protocol versions. You want secure communications going through your Windows Server, and to do that, you have to enable TLS 1.2 and disable the older TLS versions. If you have SSL protocols active, you should disable these too. In this article, we will enable TLS 1.2 on Windows Server 2016.
What is Transport Layer Security?
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
At the moment of writing, only TLS 1.3 and TLS 1.2 are approved. The protocol TLS 1.3 is not available to enable in Windows Server. It means that it will show as disabled if you are going to generate a report. To have the Windows Server’s best security, activate only TLS 1.2 and disable all other protocols.
To make it easier to read, have a look at the table. We recommend the following protocols to be enabled/disabled:
| Protocol | Status | Enable | Disable |
|---|---|---|---|
| TLS 1.3 | Not available | – | – |
| TLS 1.2 | Active | ✓ | ☓ |
| TLS 1.1 | Deprecated | ☓ | ✓ |
| TLS 1.0 | Deprecated | ☓ | ✓ |
| SSL 3 | Deprecated | ☓ | ✓ |
| SSL 2 | Deprecated | ☓ | ✓ |
How do you know if TLS 1.2 is enabled on Windows Server?
Go to the website Qualys SSL Labs and fill in the domain that you want to check. For example, the external URL of your Windows Server. In our example, the Exchange Server domain is added. Wait a couple of minutes for the report.
Scroll down to Configuration. You can see which TLS and SSL versions are enabled/disabled. The protocol TLS 1.2 is already enabled, that’s great. The protocols TLS 1.1 and TLS 1.0 are enabled as well; that’s not good. What you should see is that only TLS 1.2 is enabled.
How to enable TLS 1.2 on Windows Server?
Download IIS Crypto GUI from Nartac Software. It’s a portable version, and you don’t have to run the setup.
Start the application, and in the main window (Schannel), you can see which options are checked/unchecked.
Click on Templates. Here you can find the built-in templates. Click on the templates and read the description.
We recommend you to load the template PCI 3.2. Check the checkbox Reboot, and click the Apply button. Note that the Windows Server will reboot immediately!
Verify if TLS 1.2 is enabled on Window Server
Go to Qualys SSL Labs and fill in the domain to get the report. This time it’s showing us an overall rating A.
Scroll down to Configuration and check the Protocols. Only the protocol TLS 1.2 is enabled.
Start IIS Crypto, and you can see that only TLS 1.2 checkbox is selected in Server Protocols and Client protocols.
Everything is looking great!