How to disable TLS 1.0 and below on IIS.
The most effective way to ensure your server is secure is to disable TLS 1.0 and below on your web server. Please note that disabling TLS 1.0 on your website will most likely mean that most Windows XP / IE 6.0 users can no longer establish secure sessions.
IIS
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008.
IIS 7.0
IIS requires some registry tweaks and a server reboot. Microsoft have a support article at https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1.0,-ssl-2.0,-ssl-3.0,-or-tls-1.0-in-internet-information-services which covers this topic. All you need to do is create or modify a registry DWORD value under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
In the Protocols key you will most likely already have an SSL 2.0 subkey. Create subkeys called 'SSL 3.0' and 'TLS 1.0' alongside it if they do not exist. Under each of those, create a Server subkey and inside it a DWORD value called 'Enabled' with a value of 0.
Once that is done, reboot the server for the changes to take effect.
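The registry steps above as a PowerShell script, added here as an example and not part of the original article: it creates the Server subkey with Enabled=0 for SSL 2.0, SSL 3.0 and TLS 1.0 and then reads the configuration back so the change can be verified. It goes one step beyond the article by also setting the documented SCHANNEL value DisabledByDefault=1; the function names are my own, and a reboot is still required afterwards.

```powershell
# Added example (not from the original article): disable SSL 2.0, SSL 3.0 and
# TLS 1.0 for the server side of SCHANNEL, as the article's registry steps describe.
# Run from an elevated PowerShell prompt; reboot afterwards for the change to apply.
# Use -WhatIf on Disable-LegacySchannelProtocol to preview the registry writes.

$ProtocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Legacy = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0')

function Disable-LegacySchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Root = $ProtocolsRoot
    )
    # Key names contain spaces ("TLS 1.0"); Join-Path handles them correctly.
    $serverKey = Join-Path (Join-Path $Root $Name) 'Server'
    if (-not (Test-Path $serverKey)) {
        if ($PSCmdlet.ShouldProcess($serverKey, 'Create key')) {
            New-Item -Path $serverKey -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($serverKey, 'Set Enabled=0, DisabledByDefault=1')) {
        # Enabled=0 is what the article specifies. DisabledByDefault=1 is an
        # additional documented SCHANNEL value that stops the protocol being
        # offered even when an application does not state a preference.
        New-ItemProperty -Path $serverKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $serverKey -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-SchannelServerState {
    param([string]$Root = $ProtocolsRoot)
    # Read back what is actually configured, so the change can be verified
    # (and audited on other hosts) before and after the reboot.
    foreach ($name in $Legacy) {
        $serverKey = Join-Path (Join-Path $Root $name) 'Server'
        $props = if (Test-Path $serverKey) { Get-ItemProperty -Path $serverKey } else { $null }
        [pscustomobject]@{
            Protocol          = $name
            KeyPresent        = [bool]$props
            Enabled           = if ($props) { $props.Enabled } else { 'not set (OS default)' }
            DisabledByDefault = if ($props) { $props.DisabledByDefault } else { 'not set (OS default)' }
        }
    }
}

foreach ($p in $Legacy) { Disable-LegacySchannelProtocol -Name $p }
Get-SchannelServerState | Format-Table -AutoSize
```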