AnsweredAssumed Answered

Disabling SSL/early TLS on Windows Server - Do we need to DisabledByDefault?

Question asked by Jerry Norton on Jan 11, 2016
Latest reply on Jan 11, 2016 by ramil

We've been doing the commonly recommended steps to disable SSL and early TLS in the Windows registry:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

set Enabled to False   and so on as described here:

https://support.microsoft.com/en-us/kb/187498https://support.microsoft.com/en-us/kb/187498


But Qualys is still showing the protocols as being active.   


Do we need to also create a subkey with DisabledByDefault set to TRUE?


How is Qualys determining that the protocol is still enabled?   Is it using the so-called "Hello" command?


Does anyone have an idea on how to independently verify if a given version of SSL or TLS is enabled?


Thanks for help everyone, I really appreciate it!!!!




Outcomes