Windows Small Business Server 2011 Essentials runs on top of Windows Server 2008 R2, which was an extremely popular server operating system. It is still an extremely stable platform for handling DNS, serving websites, and running mail servers. Despite being long past Microsoft’s stated end of life (EOL) for support purposes, many such servers are still in use around the world at the time of this writing.
The original installation of Windows Small Business Server 2011 Essentials (and therefore Windows Server 2008 R2) shipped with the TLS 1.1 protocol enabled. This post is based on research and information I adapted mostly from Microsoft support websites on this topic, as well as various other tips from the web.
TLS 1.1 is currently considered weak encryption. Google’s Chrome browser and Mozilla’s Firefox browser, to name just two, will not even display a page served by a server that only offers TLS 1.1. Enabling and using the TLS 1.2 protocol on the server solves the issue. TLS 1.2 contains improvements over previous versions of the TLS and SSL protocols that raise the level of security. Windows Server 2008 R2 does not have TLS 1.2 enabled by default; however, it can be made available manually through system registry modifications.
The Step-by-Step Solution
Here is the step-by-step procedure to manually enable TLS 1.2 on Windows Server 2008 R2.
1. Start the Registry Editor by clicking on Start and then Run.
2. Type “regedit” into the Run field (without quotes).
3. Highlight Computer at the top of the Registry Editor window.
4. We are about to edit the registry. Mistakes can wreak havoc on your computer, so it is highly advised to make a backup first.
5. Back up the registry by clicking on File and then on Export.
6. Select a file location to save the registry file.
7. Browse to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
8. Right-click the Protocols folder.
9. Select New and then Key from the drop-down menu. This creates a new key, shown as a folder.
10. Rename this key to TLS 1.2.
11. Right-click the TLS 1.2 key and add two new keys underneath it.
12. Rename the two new keys as:
    Client
    Server
13. Right-click the Client key.
14. Select New and then DWORD (32-bit) Value from the drop-down list.
15. Rename the DWORD to DisabledByDefault.
16. Right-click the name DisabledByDefault.
17. Select Modify… from the drop-down menu.
18. Check that the Value data field is set to 0 and the Base is Hexadecimal. Click OK.
19. Create another DWORD under the Client key as you did in Step 13.
20. Rename this second DWORD to Enabled.
21. Right-click the name Enabled.
22. Select Modify… from the drop-down menu.
23. Check that the Value data field is set to 1 and the Base is Hexadecimal. Click OK.
24. Repeat steps 13 to 23 for the Server key (creating the two DWORDs, DisabledByDefault and Enabled, with the same values underneath the Server key).
25. Reboot the server.
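The same change scripted, as an added example that is not part of the original post: it exports the SCHANNEL branch as a backup and then creates the TLS 1.2\Client and TLS 1.2\Server keys with the two DWORD values the steps above set. It assumes an elevated PowerShell prompt on Windows Server 2008 R2 (PowerShell 2.0); the backup file name is my own choice.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt; the server still has to be rebooted afterwards, as in the last step.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$tls12     = Join-Path $protocols 'TLS 1.2'

# Equivalent of the manual export: back up the SCHANNEL branch before touching it.
# The file name and location are an assumed choice.
$backup = Join-Path $env:SystemDrive ('schannel-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
"Registry backup written to $backup"

foreach ($side in 'Client', 'Server') {
    $key = Join-Path $tls12 $side
    # -Force also creates the missing TLS 1.2 parent key; an existing key is
    # left as it is, so the script can be re-run safely.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # The two DWORD values the manual steps set: DisabledByDefault=0, Enabled=1.
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
}

# Read the values back so the change can be confirmed before rebooting.
foreach ($side in 'Client', 'Server') {
    $v = Get-ItemProperty -Path (Join-Path $tls12 $side)
    '{0,-6} DisabledByDefault={1} Enabled={2}' -f $side, $v.DisabledByDefault, $v.Enabled
}
```

To undo the change, import the exported .reg file with the Registry Editor, exactly as the revert section below describes for a manual backup.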
Your server should now support TLS 1.2.
Oops – Need to Revert Back
If you make a mistake or something just doesn’t seem right, you can always revert back to your previous registry settings. Just open the Registry Editor and import the backup you made in step 6 above.
TLS 1.2 on Windows Server 2003
These instructions can’t be used on a Windows Server 2003 (IIS 6). Windows Server 2003 does not support the TLS 1.2 protocol.
Sample Registry Entries
Here is an example of the registry entries that were present on a server that worked properly. I was actually able to copy these into a text file with the .reg file extension and import it into a Windows Server 2008 R2 server that was missing the appropriate parameters. Then I rebooted the server and TLS 1.2 worked as needed:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
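A read-back script, added here as an example and not part of the original post, that lists the DisabledByDefault and Enabled values for every protocol key under SCHANNEL\Protocols so a live server can be compared against the sample above. It runs on PowerShell 2.0 and reports a value that is absent as "(not set)" rather than assuming what Schannel's built-in default for it is; the function name is my own.

```powershell
# Added example (not from the original post): audit the Schannel protocol
# keys and show what is explicitly configured for each protocol and side.
$protocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Root)
    foreach ($proto in Get-ChildItem -Path $Root) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $Root (Join-Path $proto.PSChildName $side)
            $row = New-Object PSObject -Property @{
                Protocol          = $proto.PSChildName
                Side              = $side
                DisabledByDefault = '(not set)'
                Enabled           = '(not set)'
            }
            if (Test-Path $key) {
                $v = Get-ItemProperty -Path $key
                # Only report values that exist; the sample above has keys with
                # one value but not the other (e.g. SSL 3.0\Client).
                if ($v.PSObject.Properties['DisabledByDefault']) { $row.DisabledByDefault = $v.DisabledByDefault }
                if ($v.PSObject.Properties['Enabled'])           { $row.Enabled = $v.Enabled }
            }
            $row
        }
    }
}

$state = Get-SchannelProtocolState -Root $protocols
$state | Sort-Object Protocol, Side | Format-Table Protocol, Side, DisabledByDefault, Enabled -AutoSize

# Flag the two things this post is concerned with: TLS 1.2 not explicitly
# enabled on a side, and SSL 2.0 / SSL 3.0 still explicitly enabled.
if (-not ($state | Where-Object { $_.Protocol -eq 'TLS 1.2' })) { 'WARNING: no TLS 1.2 key present' }
$tls12Missing = $state | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.Enabled -ne 1 }
$legacyOn     = $state | Where-Object {
    ('SSL 2.0', 'SSL 3.0') -contains $_.Protocol -and $_.Enabled -is [int] -and $_.Enabled -ne 0
}
foreach ($r in $tls12Missing) { 'WARNING: TLS 1.2 {0} is not enabled (Enabled={1})' -f $r.Side, $r.Enabled }
foreach ($r in $legacyOn)     { 'WARNING: {0} {1} is still explicitly enabled' -f $r.Protocol, $r.Side }
```

Run it before and after the reboot: the table should match the TLS 1.2 entries in the sample, and the warnings section should be empty once the change has taken effect.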