
Restricting Transport Layer Security to TLS 1.2

HTTPS can use different versions of Transport Layer Security (TLS) to encrypt the data.

Which TLS version is negotiated for an HTTPS connection is decided by the operating system's Schannel settings, not by the application. To restrict communication to a specific version you therefore have to configure additional settings in the operating system.

We recommend always using the latest version of TLS supported by Windows and Servicetrace. This is currently TLS 1.2.

Configuration via IIS Crypto (GUI)

We recommend using the IIS Crypto application to set the necessary registry parameters.

If you do not have permission to install software on your system, follow the link to the Microsoft documentation in the section Configuration via the registry.

First download the IIS Crypto GUI application from NARTAC Software > Downloads and run the installer.

[Screenshot: IIS Crypto GUI, Schannel view, Best Practices]

In the Schannel view, click the Best Practices button to enable only the protocols, ciphers, hashes and key exchanges that are considered secure. Confirm with OK.

[Screenshot: IIS Crypto GUI, Schannel view, further restrictions after Best Practices]

Then deselect every checkbox except the following:

Server Protocols

TLS 1.2

Client Protocols

TLS 1.2

Ciphers

AES 256/256

Hashes

SHA 256
SHA 384
SHA 512

Key Exchanges

Diffie-Hellman
PKCS
ECDH

Click Apply and restart your computer so that the changes to the registry take effect. Schannel reads these values only at startup, so the old protocols remain negotiable until the restart.

Configuration via the registry

You will find the registry settings for Transport Layer Security (TLS) in the Windows registry under the following key; the individual protocol versions are subkeys below its Protocols subkey, each with a Server and a Client subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Refer to the Microsoft documentation Transport Layer Security (TLS) registry settings for information on how to proceed.

[Screenshot: Registry Editor, SCHANNEL\Protocols with TLS 1.2 Server and Client subkeys]

After correct configuration, under Protocols only the Server and Client subkeys of TLS 1.2 should have an Enabled value other than zero. Every other protocol subkey (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1) should have Enabled set to 0x00000000 (0) for both Server and Client; the Microsoft documentation additionally sets DisabledByDefault to 1 for protocols that are switched off. Note that the Client settings also govern outbound TLS connections made from this machine, so any remote peer that only supports TLS 1.0 or 1.1 will no longer be reachable after the change.
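The following PowerShell script is an added example, not code from the Servicetrace page or from IIS Crypto. It writes the same Schannel protocol values the page describes (TLS 1.2 enabled for Server and Client, everything else explicitly disabled) and then implements the acceptance check above as a function, so the state can be audited on a machine that was configured by hand or by IIS Crypto. It assumes a Windows version on which TLS 1.2 is available (Windows Server 2012 R2 / Windows 8.1 or later) and that it is run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Servicetrace page or IIS Crypto): restrict Schannel
# to TLS 1.2 via the registry values the page describes, then audit the result.
# A reboot is still required for Schannel to pick up the change.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol subkey names Schannel recognises (see Microsoft's "TLS registry settings" doc).
$AllProtocols     = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
# The only protocol the page allows.
$AllowedProtocols = @('TLS 1.2')

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [bool]   $Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "$Protocol\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 / DisabledByDefault=0 turns a protocol on;
        # Enabled=0 / DisabledByDefault=1 turns it off (the pair Microsoft documents).
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # One object per protocol/side. A $null Enabled means the value is absent and
    # the OS default applies, which on older Windows still allows TLS 1.0/1.1.
    foreach ($p in $AllProtocols) {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path $SchannelProtocols "$p\$side"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $(if ($null -ne $props) { $props.Enabled } else { $null })
                DisabledByDefault = $(if ($null -ne $props) { $props.DisabledByDefault } else { $null })
            }
        }
    }
}

function Test-SchannelTls12Only {
    # The page's acceptance check: only TLS 1.2 Server/Client may have Enabled != 0
    # (IIS Crypto writes 0xffffffff, which reads back as -1, hence "-ne 0");
    # every other protocol must be explicitly present with Enabled = 0.
    $ok = $true
    foreach ($s in Get-SchannelProtocolState) {
        $shouldBeOn = $AllowedProtocols -contains $s.Protocol
        if ($shouldBeOn -and ($null -eq $s.Enabled -or $s.Enabled -eq 0)) {
            Write-Warning "$($s.Protocol) $($s.Side) is not enabled"
            $ok = $false
        }
        elseif (-not $shouldBeOn -and ($null -eq $s.Enabled -or $s.Enabled -ne 0)) {
            Write-Warning "$($s.Protocol) $($s.Side) is not explicitly disabled"
            $ok = $false
        }
    }
    return $ok
}

# Apply the restriction the page describes, then verify it.
foreach ($p in $AllProtocols) {
    Set-SchannelProtocol -Protocol $p -Enabled ($AllowedProtocols -contains $p)
}
Get-SchannelProtocolState | Format-Table -AutoSize
if (Test-SchannelTls12Only) {
    Write-Host 'Registry is configured for TLS 1.2 only; restart the computer so Schannel applies it.'
} else {
    Write-Error 'Schannel protocol configuration is incomplete; see warnings above.'
}
```

To audit without changing anything, run only the Get-SchannelProtocolState and Test-SchannelTls12Only functions. The audit covers the five protocol subkeys listed in $AllProtocols; IIS Crypto may create additional legacy subkeys (for example PCT 1.0), which you can add to that list if you want them reported as well. Because the Client side is restricted too, test outbound connections from the host (update services, integrations, monitoring agents) before rolling this out to production systems.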