How to enable TLS 1.2 on Windows Server 2008 R2

by | Apr 6, 2022 | Email, Technical Help, Web Hosting

The Windows Small Business Server 2011 Essentials runs on top of Windows Server 2008 R2, which was an extremely popular server. It is still an extremely stable platform for handling DNS, serving up websites, and handling email servers. Despite being long past Microsoft’s stated EOL (end of life for support purposes), many such servers are still in use around the world at the time of this writing.

The original installation of Windows Small Business Server 2011 Essentials (and therefore Windows Server 2008 R2) installed TLS 1.1 protocol. This post is based on research and information I adapted mostly from Microsoft support websites on this topic as well as researching various other tips from the web.

TLS 1.1 is currently considered weak encryption. Google’s Chrome browser and Mozilla’s Firefox browser, just to name two, will not even let a page be viewed from a server utilizing TLS 1.1. Enabling and using the TLS 1.2 protocol on the server solves the issue. TLS 1.2 has improvements over previous versions of the TLS and SSL protocols that improve the level of security. Windows Server 2008 R2 doesn’t have TLS 1.2 enabled by default. However, it can be manually made available through system registry modifications.

The Step-by-Step Solution

Here is the step-by-step procedure to manually enable TLS 1.2 on Windows Server 2008 R2.

  1. Start the registry editor by clicking on Start and Run.
  2. Type in “regedit” into the Run field (without quotes).
  3. Highlight Computer at the top of the registry dialogue box.
  4. We need to edit the registry. Mistakes can wreak havoc on your computer. It is highly advised to make a backup.
  5. Backup the registry first by clicking on File and then on Export.
  6. Select a file location to save the registry file.
  7. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  8. Right click on the Protocols folder.
  9. Select New and then Key from the drop-down menu. This will create new folder.
  10. Rename this folder to TLS 1.2.
  11. Right click on the TLS 1.2 key and add two new keys underneath it.
  12. Rename the two new keys as:
    Client
    Server
  13. Right click on the Client key.
  14. Select New and then DWORD (32-bit) Value from the drop-down list.
  15. Rename the DWORD to DisabledByDefault.
  16. Right-click the name DisabledByDefault.
  17. Select Modify… from the drop-down menu.
  18. Check that the Value data field is set to 0 and the Base is Hexadecimal. Click on OK.
  19. Create another DWORD for the Client key as you did in Step 13.
  20. Rename this second DWORD to Enabled.
  21. Right-click the name Enabled.
  22. Select Modify… from the drop-down menu.
  23. Check that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.
  24. Repeat steps 13 to 23 for the Server key (by creating two DWORDs: DisabledByDefault and Enabled, and their values underneath the Server key).
  25. Reboot the server.

Your server should now support TLS 1.2.

Oops – Need to Revert Back

If you make a mistake or something just doesn’t seem right, you can always revert back to your previous registry settings. Just open the Registry Editor and import the backup you made in step 6 above.

TLS 1.2 on Windows Server 2003

These instructions can’t be used on a Windows Server 2003 (IIS 6). Windows Server 2003 does not support the TLS 1.2 protocol.

Sample Registry Entries

Here is an example of the registry entries that were present in a server that worked properly. I was actually able to copy these into a text file with the .reg file extension and import these into a Windows Server 2008 R2 that was missing the appropriate parameters. Then I rebooted the server and the TLS 1.2 worked as needed:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

CLICK HERE to find your domain name!   CLICK HERE to transfer your domain name!

Archives

Tags

24 hour (1) Accounting (1) Advertising (9) AdWare (1) Alex Johnson (2) Alignment (1) Android (2) Anti-Virus (1) Antivirus (1) Antrim Computer Repair and Service (3) APC Back-UPS (1) Appearance (2) Apple Mail (4) Apple Mobile Mail (2) Attachments (1) Audit (1) Authorized (1) Autoresponder (5) Availability (1) Badges (3) Bank Account (1) Bank Statement (1) Battery Backup (2) Bob Hill (1) Bookkeeper (1) Branding (5) Budget (2) Business (19) Business Management (1) Catalog (1) Charles Oropallo (1) CharlesWorks (37) Cherryl Jensen (1) Chrome (1) Cloud (1) Code (1) Communicating (1) Competition (1) Computer (2) Computer Cache (1) Computer Security (1) Constant Contact (1) Consultation (1) Contact Information (2) Content (1) Content Management (19) Content Management System (1) Copiers (1) Copy Machine (1) Coronavirus (2) Courteous (1) COVID-19 (2) Credibility (6) Credit Card (1) Credit Card Processing (1) CSS (8) Customer Service (2) Design (39) Design Expertise (1) Desktop (1) Dialup (1) DirectAdmin (1) Directions (1) DIVI (2) DNS (1) Do-it-Yourself (1) Documentation (1) Domains (17) Domain Transfers (5) E-Commerce (1) Email (61) Email Lists (4) Email Management (2) Email marketing (3) Etiquette (3) Eudora 6 (1) Exchange (1) Expanding (1) Financial (1) Finish (1) Firefox (1) Fonts (1) Forms (2) Forms Protection (1) Fraud (2) Galaxy S4 (1) General Info (1) Gmail (1) GoDaddy (1) Google (1) Google Adwords Certified Partner (1) Google Chrome (2) Groups (1) Happy Holidays (1) Hardware Help (1) Hill Specialty Networks (1) Hosting (1) Images (1) IMAP (1) include (1) Infected (1) Information (22) insert pages (1) Internet Browsing Errors (1) Internet Consultant (1) Internet Explorer (1) Keywords (2) Laptop (1) Legibility (1) Linux (5) Logging on (1) Macintosh (1) Mail 6.0 (1) Mail 2011 (2) Make-Over (1) Malicious (1) Malware (1) Marketing (6) Matt Burke (3) MDaemon (3) MelbourneIT (2) Merchant (1) Microsoft (1) Microsoft Edge (1) Microsoft Hosted Exchange (5) Microsoft Live (2) Mobile Email Setup (1) Monadnock Region (1) Mozilla Firefox (2) MySQL (1) Nathan Wesley (1) Netscape (1) Netscape Messenger (1) Office Copiers (1) OfficeLive (1) Online (1) Outlook (8) Outlook 2010 (2) Outlook Express (1) PayPal (1) Pay Per Click (2) PC (1) Personal (1) Peter Harris (1) Peter Harris Creative (1) Phishing (2) PHP (2) plugins (1) Pop Email (1) Popularity (1) Portfolio (1) Power Grid Failure (1) PPC (1) Prevent Fraud (1) Privacy (1) Private (1) Product (6) Professional (4) Projects (2) Protect (1) Protection (1) Quality (2) QuickBooks (1) Reconciliation (1) Reduce Risk (1) Register (1) Reliability (2) Renew (1) Reseller (2) Resolution (1) Restrict User Access (1) Results (1) Review (2) Risk (1) Robin Snow (1) Roundcube (1) Safe (1) Samsung (2) Scam (10) Scammer (9) Search (1) Search and Replace (1) Search Engine Optimization (6) Search Engines (9) Security (15) Security Risk (1) Selling (1) SEO (1) Servers (2) Service (8) Shopping Cart (1) Site (1) SmarterMail (9) Social Engineering (1) Social Networking (1) Software (1) Solutions for Today (1) Spam (1) Spam Filtering (14) Spammer (1) Spyware (2) SquirrelMail (1) SSL (7) Statistics (2) Stats (2) Stone Pond Technology (1) Storage (1) Support (1) Tablet (1) Target Market (1) Testimonials (1) The CW Corner (1) Thom Little (1) Thom Little Associates (1) Thunderbird (3) Thunderbird 10 (2) TLD (1) Topic (1) Top Level Domains (3) Transaction (2) Transfer Data (1) Transfer Funds (1) Typography (1) Update (2) Uploading (1) UPS System (2) Up to Date (1) Virus (2) Viruses (1) Vista (1) Web (1) Web-Over (1) Web Development (76) Web Hoster (1) Web Hosting (2) Web Hosting Company (1) Webmail (8) Web Mail (1) Webmaster (10) Web Presence (23) Website (91) Website Development (1) Web Stats (1) Web terms (1) Web Writing (1) Windows 7 (2) Windows Mail (5) Windows XP (1) WooCommerce (2) WordPress (65) WordPress Updates (1) Working Remote (2) Writing (1)