Introduction
TLS 1.2 introduced significant security enhancements over its predecessors. It improved upon the handshake process, offered better algorithm negotiation between clients and servers, and incorporated stronger cryptographic cipher suites such as AES-GCM and SHA-256. These advancements provide a more secure communication channel, protecting against various attack vectors that could compromise data confidentiality and integrity. Furthermore, adhering to TLS 1.2 is often a requirement for compliance with various industry regulations and security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Modern web browsers and online services are increasingly phasing out support for older TLS versions, making TLS 1.2 a necessary standard for continued connectivity.
CyberQP supports its agent on older Windows OS versions (Server 2008 R2, Server 2012, Server 2012 R2) which may not have been updated to support TLS 1.2. The agent will be updated to only support TLS 1.2 or higher moving forward.
This article is designed to assist you in determining whether your customer's older server OS is configured to communicate with TLS 1.2. Other applications or services on that server may already have required TLS 1.2, in which case it may already be enabled.
Checking and enabling the TLS 1.2 Configuration
Server 2008 R2 (SP1 is required) and Server 2012
On Windows Server 2008 R2, TLS 1.2 is not enabled by default. Therefore, the verification process involves checking if the TLS 1.2 key and its Client and Server subkeys exist under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
If these keys are present, then within the Client and Server subkeys, the Enabled DWORD value should be set to 1 and the DisabledByDefault DWORD value should be set to 0. If the TLS 1.2 key or its subkeys do not exist, TLS 1.2 is likely not enabled.
Enabling TLS 1.2 on Windows Server 2008 R2 or Server 2012 requires installing the Service Pack and manually creating the necessary registry keys (or using the Easy Fix provided by Microsoft).
Download and install the Service Pack for the proper OS from this page:
https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392
https://catalog.update.microsoft.com/search.aspx?q=kb3140245
To manually update the registry, follow these steps:
- Open Regedit
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Create a new key named TLS 1.2
- Under this TLS 1.2 key, create two subkeys:
  - Client
  - Server
- Within both the Client and Server subkeys, create two DWORD values:
  - Enabled, value 1 (Hexadecimal)
  - DisabledByDefault, value 0 (Hexadecimal)
Plan to restart the computer after you apply this update.
Server 2012 R2
On Windows Server 2012 R2, TLS 1.2 is usually enabled by default on a fresh installation; however, if the server was upgraded from an older OS, it is advisable to check.
The verification process involves checking if the TLS 1.2 key and its Client and Server subkeys exist under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.
If these keys are present, then within the Client and Server subkeys, the Enabled DWORD value should be set to 1 and the DisabledByDefault DWORD value should be set to 0. If the TLS 1.2 key or its subkeys do not exist, TLS 1.2 is likely not enabled.
Alternatively, you can check the registry from a Command Prompt run as administrator:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault
The output should show Enabled with a value of 0x1 and DisabledByDefault with a value of 0x0 for both Client and Server.
If those values do not exist, or if they are set to different values, you can use the following commands or manually update/add the registry values. The key path contains a space, so it must be quoted.
Command Line (CMD as Administrator)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" /v DisabledByDefault /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v Enabled /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" /v DisabledByDefault /t REG_DWORD /d 0 /f
To manually update the registry, follow these steps:
- Open Regedit
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
- Create a new key named TLS 1.2
- Under this TLS 1.2 key, create two subkeys:
  - Client
  - Server
- Within both the Client and Server subkeys, create two DWORD values:
  - Enabled, value 1 (Hexadecimal)
  - DisabledByDefault, value 0 (Hexadecimal)
Plan to restart the computer after you apply this update.
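The check-and-enable procedure above (for both the Server 2008 R2/2012 and the Server 2012 R2 sections) as a single PowerShell script. This is an added example, not CyberQP's own tooling: it audits the SCHANNEL TLS 1.2 Client and Server values and, only when run with the assumed -Enable switch, creates or corrects them.

```powershell
# Added example (not CyberQP's code). Run in an elevated PowerShell session.
# Usage: .\Check-Tls12.ps1           report only
#        .\Check-Tls12.ps1 -Enable   create/set the keys, then restart the server
param([switch]$Enable)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
# Values the article expects under both the Client and Server subkeys.
$expected = @{ Enabled = 1; DisabledByDefault = 0 }
$compliant = $true

if ($Enable -and -not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }

foreach ($side in 'Client', 'Server') {
    $path = Join-Path $base $side
    if (-not (Test-Path $path)) {
        Write-Host "[$side] key missing: TLS 1.2 is not explicitly enabled"
        $compliant = $false
        if ($Enable) { New-Item -Path $path -Force | Out-Null } else { continue }
    }
    foreach ($name in $expected.Keys) {
        # Get-ItemProperty returns $null (no error) when the value does not exist.
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.$name } else { $null }
        if ($actual -eq $expected[$name]) {
            Write-Host "[$side] $name = $actual (OK)"
            continue
        }
        $shown = if ($null -eq $actual) { 'missing' } else { $actual }
        Write-Host "[$side] $name = $shown (expected $($expected[$name]))"
        $compliant = $false
        if ($Enable) {
            # -Type DWord creates the value when absent and overwrites it when wrong.
            Set-ItemProperty -Path $path -Name $name -Value $expected[$name] -Type DWord
            Write-Host "[$side] $name set to $($expected[$name])"
        }
    }
}

if ($compliant) { Write-Host 'TLS 1.2 is enabled for both Client and Server.' }
elseif ($Enable) { Write-Host 'Registry updated. Restart the computer so SCHANNEL picks up the change.' }
else { Write-Host 'TLS 1.2 is not fully enabled. Re-run with -Enable as administrator to fix.' }
```

On Server 2008 R2 the Service Pack and update linked above must still be installed first; the registry values alone do not add TLS 1.2 support to a system that lacks it.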