How to Configure TLS and SSL Protocol Hardening on Windows Server 2012 R2
Windows Server 2012 R2 ships with support for outdated and vulnerable SSL/TLS protocol versions (SSL 2.0, SSL 3.0, TLS 1.0) and weak cipher suites that are incompatible with modern security standards. Compliance frameworks including PCI DSS 3.2+, HIPAA, and NIST 800-52 Rev 2 require disabling these legacy protocols and restricting cipher suites to strong, forward-secret algorithms. This guide walks through disabling SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 via the Windows registry, configuring the cipher suite priority order, and verifying the configuration with external tools.
Prerequisites
- Local Administrator access on the Windows Server 2012 R2 system
- A maintenance window—disabling legacy TLS protocols will break clients that only support them
- An inventory of all clients and applications that connect to this server, with their TLS capabilities confirmed
- A registry backup before making changes
Step 1: Back Up the Registry
Before modifying TLS settings, back up the relevant registry hive:
mkdir C:\TLS-Backup
reg export "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" `
"C:\TLS-Backup\SCHANNEL-before.reg"
# The cipher suite order policy key only exists once a cipher order has been set
# (by GPO or by hand); if it is absent, reg export reports an error and there is
# nothing to back up yet.
reg export "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL" `
"C:\TLS-Backup\SSL-CipherOrder-before.reg"
Step 2: Disable SSL 2.0
SSL 2.0 has critical vulnerabilities and has been deprecated for decades. Disable it for both client and server roles:
# Disable SSL 2.0 Server
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
# Disable SSL 2.0 Client
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
Step 3: Disable SSL 3.0
SSL 3.0 is vulnerable to the POODLE attack (CVE-2014-3566). Disable it completely:
# Disable SSL 3.0 Server
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
# Disable SSL 3.0 Client
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
Step 4: Disable TLS 1.0
TLS 1.0 is deprecated per PCI DSS and RFC 8996. Disable it after verifying all clients support TLS 1.2:
# Disable TLS 1.0 Server
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
# Disable TLS 1.0 Client
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
Step 5: Disable TLS 1.1
TLS 1.1 is also deprecated per RFC 8996. Modern browsers and clients all support TLS 1.2:
# Disable TLS 1.1 Server
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
# Disable TLS 1.1 Client
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 1 -Type DWord
Step 6: Explicitly Enable TLS 1.2
Ensure TLS 1.2 is explicitly enabled (it is enabled by default on WS2012R2 but confirm this):
# Enable TLS 1.2 Server
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 0 -Type DWord
# Enable TLS 1.2 Client
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name "Enabled" -Value 1 -Type DWord
Set-ItemProperty -Path $path -Name "DisabledByDefault" -Value 0 -Type DWord
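Steps 2 through 6 write the same two values under a Client and a Server subkey for each protocol. The script below is an added example, not code from the original guide: it folds those five steps into one idempotent function driven by a table of the desired end state, and reads every key back afterwards so the result can be confirmed before the reboot. The function names (Set-SchannelProtocol, Get-SchannelProtocolState) and the $desired table are this example's own choices.

```powershell
# Added example: apply and read back SCHANNEL protocol settings in one pass.
# Run in an elevated PowerShell session; the registry paths are the ones used in Steps 2-6.
$schannelProtocols = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. "TLS 1.0"
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($role in "Client", "Server") {
        $key = "$schannelProtocols\$Protocol\$role"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 switches the protocol off for every caller; DisabledByDefault=1 additionally
        # removes it from the set SCHANNEL offers to applications that do not name protocols.
        Set-ItemProperty -Path $key -Name "Enabled"           -Value ([int]$Enabled)        -Type DWord
        Set-ItemProperty -Path $key -Name "DisabledByDefault" -Value ([int](-not $Enabled)) -Type DWord
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($role in "Client", "Server") {
        $key   = "$schannelProtocols\$Protocol\$role"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $Protocol
            Role              = $role
            KeyExists         = [bool]$props
            # A missing key or value means the OS default for that protocol applies.
            Enabled           = if ($props) { $props.Enabled } else { "(OS default)" }
            DisabledByDefault = if ($props) { $props.DisabledByDefault } else { "(OS default)" }
        }
    }
}

# Desired end state from the guide: only TLS 1.2 stays on.
$desired = [ordered]@{
    "SSL 2.0" = $false
    "SSL 3.0" = $false
    "TLS 1.0" = $false
    "TLS 1.1" = $false
    "TLS 1.2" = $true
}
foreach ($p in $desired.Keys) { Set-SchannelProtocol -Protocol $p -Enabled $desired[$p] }

# Read-back: every row should show Enabled/DisabledByDefault matching $desired.
$desired.Keys | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize
```

Because every protocol is written from the same table, a later change of policy (for example re-enabling TLS 1.1 for one legacy client during a migration) is a one-line edit to $desired rather than another copy of the ten-line block, and the read-back table is what you paste into the change record.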
Step 7: Configure Cipher Suite Priority Order
Windows Server 2012 R2 includes weak cipher suites by default. Configure the cipher suite order via Group Policy to use only strong, forward-secret ciphers. Navigate to:
Computer Configuration → Administrative Templates → Network → SSL Configuration Settings → SSL Cipher Suite Order
Enable the policy and paste the following ordered cipher suite list (prioritizing ECDHE for forward secrecy, AES-256-GCM for authenticated encryption):
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
Apply the cipher order via registry (equivalent to the GPO setting):
$cipherOrder = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
# The policy key does not exist until a cipher suite order has been set, so create it first
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name "Functions" -Value $cipherOrder -Type String
Step 8: Disable RC4 and Other Weak Ciphers
Explicitly disable RC4 (vulnerable to numerous attacks), DES, Triple DES, and NULL cipher suites:
$weakCiphers = @("RC4 128/128","RC4 40/128","RC4 56/128","RC4 64/128","DES 56/56","NULL","Triple DES 168")
# The PowerShell registry provider treats "/" as a path separator, so New-Item on
# "...\Ciphers\RC4 128/128" would create a key "RC4 128" with a subkey "128" that
# SCHANNEL never reads. The .NET registry API takes the key name literally.
$hklm = [Microsoft.Win32.Registry]::LocalMachine
foreach ($cipher in $weakCiphers) {
    $key = $hklm.CreateSubKey("SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher")
    $key.SetValue("Enabled", 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Write-Host "Disabled cipher: $cipher"
}
Step 9: Reboot and Verify
A reboot is required for all SCHANNEL changes to take effect:
Restart-Computer -Confirm
After the reboot, verify the configuration using IIS Crypto (Nartac Software) or the online SSL Labs test. From the command line, test which protocols are accepted:
# Test TLS negotiation using openssl (if available on a Linux test machine)
# openssl s_client -connect SERVER01:443 -ssl3 (should fail)
# openssl s_client -connect SERVER01:443 -tls1 (should fail)
# openssl s_client -connect SERVER01:443 -tls1_2 (should succeed)
# Verify registry settings are in place
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"
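The checks above cover one registry key and rely on a Linux box with openssl. The script below is an added example, not part of the original guide, that does the same verification from PowerShell: a full audit of every protocol key, the effective cipher suite list as SCHANNEL reports it through the TLS module's Get-TlsCipherSuite cmdlet, and a live handshake probe per protocol version that can be run from any Windows client with .NET 4.5 or later. The function names (Get-SchannelProtocolAudit, Test-TlsProtocol) and the host name "SERVER01" are this example's own assumptions.

```powershell
# Added example: post-reboot verification of the hardening from PowerShell.
$protocolsKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Registry audit: one row per protocol and role, showing what is actually set.
function Get-SchannelProtocolAudit {
    foreach ($protocol in "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2") {
        foreach ($role in "Client", "Server") {
            $p = Get-ItemProperty "$protocolsKey\$protocol\$role" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { "default" }
                DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { "default" }
            }
        }
    }
}

# Live probe: attempt a handshake restricted to a single protocol version. After hardening,
# SSL 3.0, TLS 1.0 and TLS 1.1 should be refused and only TLS 1.2 should complete.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [Parameter(Mandatory)][System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Certificate validation is bypassed only because the question here is which protocol
        # versions the server accepts, not whether its certificate chain is trusted.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            ([System.Net.Security.RemoteCertificateValidationCallback]{ $true }))
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        $result = [pscustomobject]@{
            Protocol    = $Protocol
            Accepted    = $true
            Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            KeyExchange = "$($ssl.KeyExchangeAlgorithm)"
        }
        $ssl.Close()
        return $result
    } catch {
        # A refused version surfaces as an authentication/IO exception: that is the expected result.
        return [pscustomobject]@{
            Protocol    = $Protocol
            Accepted    = $false
            Cipher      = $null
            KeyExchange = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

Get-SchannelProtocolAudit | Format-Table -AutoSize

# Effective cipher suite order as SCHANNEL sees it after the policy from Step 7.
# Any name in the policy string that does not appear here was not recognised by this OS build.
Get-TlsCipherSuite | Format-Table Name, Cipher, Hash, Exchange -AutoSize

# Probe each version against the hardened server (run from a client, not only on the server).
foreach ($version in "Ssl3", "Tls", "Tls11", "Tls12") {
    Test-TlsProtocol -ComputerName "SERVER01" -Protocol $version
}
```

Run the registry audit and Get-TlsCipherSuite on the server itself, and the probe loop from a separate client, since a loopback test exercises the same SCHANNEL configuration on both ends and can hide a client-side mismatch. The Get-TlsCipherSuite listing is also the quickest way to confirm that every suite name pasted into the Step 7 policy is one this build of Windows actually knows.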
Summary
Disabling legacy SSL/TLS protocols and weak cipher suites on Windows Server 2012 R2 eliminates a broad class of cryptographic vulnerabilities. After completing these steps, the server accepts only TLS 1.2 connections using strong ECDHE cipher suites, satisfying the encryption-in-transit requirements of PCI DSS, HIPAA, and most other compliance frameworks. Test all applications and services that use HTTPS, LDAPS, or any other TLS-protected protocol immediately after the reboot to confirm compatibility before deploying this configuration in production.