Microsoft Windows 2012 r2 disable TLS 1.0 and 1.1

Question asked by David Kim on Feb 2, 2018
Latest reply on Mar 1, 2018 by David Kim

Hi guys,

I'm in the process of disabling TLS 1.0 and 1.1 on Windows 2012 R2 OS by adding the registry keys using IISCrypto. I've verified the required registry keys are present in the registry and restarted the servers as required.

We have 1 server hosting a web application which was scanned by Qualys. I have verified both TLS 1.0 and 1.1 have been disabled in the server registry key, but Qualys still showed both the TLS 1.0 and 1.1 vulnerability on port 443.

So I ran NMAP on the server and the result showed TLS 1.0 and 1.1 on port 443. However, the cipher preference shows as Client. All other web servers I ran NMAP against, which have both TLS versions disabled using the same registry setting, have shown only TLS 1.2 on port 443, but the cipher preference result shows Server.

So I ran NMAP on port 3389 on this same server, but it only shows TLS 1.2 with cipher preference Server.

What is the difference between a cipher preference result of Client vs Server? Any IIS expert who can direct me to force this web server to use a cipher preference of Server rather than Client on port 443? I've attached the NMAP scan of the web server on ports 443 and 3389. Any help would be appreciated, as I have been googling cipher preference without finding many relevant results.
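As an added example (not code from the original post or its attachments), a small Python parser for the text that nmap's `ssl-enum-ciphers` script prints: it records, per port, which protocol versions were negotiated and the cipher preference nmap reported, then flags ports still offering SSLv2/SSLv3/TLS 1.0/TLS 1.1. The nmap output embedded below is a constructed sample that mirrors the situation described above (443 still offering TLS 1.0/1.1 with client preference, 3389 only TLS 1.2 with server preference), not the poster's scan.

```python
import re

# Constructed nmap ssl-enum-ciphers output (not the scan attached to the post).
SAMPLE_NMAP_OUTPUT = """\
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     cipher preference: client
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     cipher preference: client
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: client
3389/tcp open  ms-wbt-server
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     cipher preference: server
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
PREF_RE = re.compile(r"^\|\s+cipher preference:\s+(client|server)")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_enum_ciphers(text):
    """Map each open port to {protocol version: cipher preference nmap reported}."""
    result, port, proto = {}, None, None
    for line in text.splitlines():
        if m := PORT_RE.match(line):                     # new port block, reset state
            port, proto = int(m.group(1)), None
            result[port] = {}
        elif port is not None and (m := PROTO_RE.match(line)):   # version header
            proto = m.group(1)
            result[port][proto] = "unknown"
        elif proto is not None and (m := PREF_RE.match(line)):   # preference line
            result[port][proto] = m.group(1)
    return result


def deprecated_findings(parsed):
    """Ports still negotiating SSLv2/SSLv3/TLS 1.0/TLS 1.1, with the preference seen."""
    return {port: {p: pref for p, pref in protos.items() if p in DEPRECATED}
            for port, protos in parsed.items() if set(protos) & DEPRECATED}
```

Feed it a saved `nmap --script ssl-enum-ciphers -p 443,3389 <host>` report; a port that still offers TLS 1.0/1.1 after the Schannel registry change is worth checking for which component actually terminates TLS there, since those registry values only govern services that use Schannel.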
