
Joys of Server 2012 R2 TLS Defaults in June 2022

Windows Server 2012 R2 was a great platform and was very widely adopted, unlike its less popular step-sister, Server 2012.  At least the R2 product had a start button, rather than the start pixel.

However, it really does show its age when viewed under a modern security lens.  Unsurprisingly, the security picture has changed over the last decade, and not all of the Server 2012 R2 default settings have kept pace with current recommendations.

Below you can see the SSLLabs.com TLS rating of a default Server 2012 R2 installation that has all Windows updates installed.

As you can see, the rating is not stellar.  SSLLabs graded the system as "C".  SSLLabs caps the grade at C when SSL 3 is offered, and this fully patched default install still has SSL 3 enabled.  Not good.  Really not good.

Fully Patched Windows Server 2012 R2 System - Graded By SSLLabs as "C"

There are multiple issues to remediate.

  • Disable SSL 3
  • Disable TLS 1.0
  • Disable TLS 1.1
  • Increase the minimum Diffie-Hellman key length to 2048 bits
  • Disable RC4

Let's work through these issues one by one and see how the rating improves.

Step 1 – Schannel Protocols Disabled

  • Disabled SSL 3
  • Disabled TLS 1.0
  • Disabled TLS 1.1
  • Enabled TLS 1.2

Each protocol is controlled by the DWORD values Enabled and DisabledByDefault under SCHANNEL\Protocols\<protocol>\Server, with a matching Client subkey for connections the box initiates.  Everything on the server that uses Schannel (RDP included) negotiates under these settings, and .NET Framework applications will not pick TLS 1.2 on their own unless SchUseStrongCrypto is set, so confirm clients and applications can do TLS 1.2 before rolling this out.  A reboot is required for Schannel to pick up the change.

Fully Patched Windows Server 2012 R2 System - Required TLS 1.2 - Graded By SSLLabs as "B"


Step 2 – Disable Weak Diffie-Hellman

The value is hexadecimal, so dword:00000800 sets the minimum server DH key length to 2048 bits and refuses the 1024-bit groups SSLLabs flags as weak.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"ServerMinKeyBitLength"=dword:00000800

Fully Patched Windows Server 2012 R2 System - Required TLS 1.2 & Updated DH - Graded By SSLLabs as "B"


Step 3 – Disable Weak Ciphers RC4 & WDigest

The WDigest values below came out in the same registry export; they configure the Digest authentication SSP, not Schannel, so they have no effect on the SSLLabs grade.  The RC4 keys under SCHANNEL\Ciphers are what change the result.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UTF8SASL"=dword:00000001
"Debuglevel"=dword:00000000
"UTF8HTTP"=dword:00000001
"Negotiate"=dword:00000000
"DigestEncryptionAlgorithms"="3des,rc4"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

image


Step 4 – Disable Weak Cipher 3DES

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000

image


After RC4 and 3DES have been disabled, 14 cipher suites remain enabled.
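Steps 1 to 4 are all DWORD writes under the same SCHANNEL key, so they can be applied in one go.  The script below is an added example and is not code from the original post.  It uses the .NET registry API rather than New-ItemProperty because the RC4 key names contain "/", which the PowerShell registry provider treats as a path separator.  It assumes an elevated PowerShell session on Server 2012 R2 and that you have exported the SCHANNEL key first (reg export) so the change can be reverted; it also sets the Client subkeys for each protocol, which the post does not show, so the box stops initiating SSL 3 and TLS 1.0 outbound as well.

```powershell
# Added example, not code from the original post. Applies Steps 1-4 from one
# elevated PowerShell session on Windows Server 2012 R2. The .NET registry API
# is used because the RC4 key names contain '/', which the PowerShell registry
# provider treats as a path separator. Schannel reads these keys at boot, so
# reboot before re-running the SSLLabs scan; export the SCHANNEL key first.

$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm  = [Microsoft.Win32.Registry]::LocalMachine
$dword = [Microsoft.Win32.RegistryValueKind]::DWord

# Protocol -> enabled. Both Client and Server sub-keys are set (the post only
# needs Server for the grade; Client stops this box initiating SSL 3 / TLS 1.0).
$protocols = [ordered]@{
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
}
# Cipher sub-keys from Steps 3 and 4.
$disabledCiphers = 'RC4 128/128', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'Triple DES 168'

function Set-SchannelDword {
    # Creates the sub-key under SCHANNEL if needed and writes one DWORD value.
    param(
        [Parameter(Mandatory)][string]$SubKey,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    $key = $hklm.CreateSubKey("$schannelPath\$SubKey")
    try { $key.SetValue($Name, $Value, $dword) } finally { $key.Close() }
}

function Invoke-SchannelHardening {
    # Step 1: protocols. Enabled=0 plus DisabledByDefault=1 turns a protocol off;
    # TLS 1.2 gets the reverse so it stays on even if a later default changes.
    foreach ($proto in $protocols.Keys) {
        $on = $protocols[$proto]
        foreach ($side in 'Client', 'Server') {
            Set-SchannelDword -SubKey "Protocols\$proto\$side" -Name 'Enabled'           -Value ([int]$on)
            Set-SchannelDword -SubKey "Protocols\$proto\$side" -Name 'DisabledByDefault' -Value ([int](-not $on))
        }
    }
    # Step 2: refuse DH groups shorter than 2048 bits (the 0x800 in the .reg file).
    Set-SchannelDword -SubKey 'KeyExchangeAlgorithms\Diffie-Hellman' -Name 'ServerMinKeyBitLength' -Value 2048
    # Steps 3 and 4: RC4 and 3DES.
    foreach ($cipher in $disabledCiphers) {
        Set-SchannelDword -SubKey "Ciphers\$cipher" -Name 'Enabled' -Value 0
    }
}

function Get-SchannelState {
    # Reads the values back so the result can be checked before the reboot.
    $root = $hklm.OpenSubKey($schannelPath)
    try {
        foreach ($proto in $protocols.Keys) {
            foreach ($side in 'Client', 'Server') {
                $k = $root.OpenSubKey("Protocols\$proto\$side")
                if ($k) {
                    '{0,-8} {1,-7} Enabled={2} DisabledByDefault={3}' -f $proto, $side, $k.GetValue('Enabled'), $k.GetValue('DisabledByDefault')
                    $k.Close()
                }
            }
        }
        $dh = $root.OpenSubKey('KeyExchangeAlgorithms\Diffie-Hellman')
        if ($dh) { 'DH ServerMinKeyBitLength={0}' -f $dh.GetValue('ServerMinKeyBitLength'); $dh.Close() }
        foreach ($cipher in $disabledCiphers) {
            $k = $root.OpenSubKey("Ciphers\$cipher")
            if ($k) { '{0,-15} Enabled={1}' -f $cipher, $k.GetValue('Enabled'); $k.Close() }
        }
    } finally { $root.Close() }
}

Invoke-SchannelHardening
Get-SchannelState
```

Run it, reboot, and rescan with SSLLabs; the Get-SchannelState output should show every protocol except TLS 1.2 with Enabled=0, the DH minimum at 2048, and each RC4 and 3DES cipher key with Enabled=0.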

Step 5 – Review Ciphers

The cipher suites the box supports, in priority order, are held in the Functions value (REG_MULTI_SZ) under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Edited the list:

image

For more on the ciphers – see this post.
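The edit of the list above can be scripted rather than done by hand.  The script below is an added example and is not the post's own code: it reads the default Functions list from the Local\SSL\00010002 key, drops the suites Steps 3 and 4 disabled (plus the NULL, MD5 and SSL 2 names that should never be negotiated), moves forward-secret AEAD suites to the front, and writes the result to the policy key that the "SSL Cipher Suite Order" Group Policy setting uses.  The ordering preference is this example's choice, not the post's, and it assumes an elevated session on Server 2012 R2 where the policy value must be a single REG_SZ of at most 1023 characters.

```powershell
# Added example, not code from the original post. Builds a cipher-suite order
# from the Server 2012 R2 default list and writes it to the Group Policy key.
# The policy value overrides the Local key and takes effect after a reboot.

$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Select-CipherSuites {
    # Filters out the suites disabled in Steps 3-4 (RC4, 3DES) plus NULL, MD5
    # and SSL 2 names, then orders what is left: forward-secret AEAD first,
    # other ECDHE/DHE next, static-RSA suites (no forward secrecy) last.
    param([Parameter(Mandatory)][string[]]$Suites)
    $weak = '_RC4_|_3DES_|_NULL_|_MD5|^SSL_CK_'
    $kept = @($Suites | Where-Object { $_ -notmatch $weak })
    $gcmPfs = @($kept | Where-Object { $_ -match '^TLS_(ECDHE|DHE)_' -and $_ -match '_GCM_' })
    $cbcPfs = @($kept | Where-Object { $_ -match '^TLS_(ECDHE|DHE)_' -and $_ -notmatch '_GCM_' })
    $rest   = @($kept | Where-Object { $_ -notmatch '^TLS_(ECDHE|DHE)_' })
    $gcmPfs + $cbcPfs + $rest
}

function Write-CipherSuitePolicy {
    # Writes the order as the comma-separated REG_SZ the policy expects.
    param([Parameter(Mandatory)][string[]]$Suites)
    $functions = $Suites -join ','
    # On 2012 R2 the policy value is limited to 1023 characters and a longer
    # string is truncated, silently dropping suites from the end, so refuse it.
    if ($functions.Length -gt 1023) {
        throw "Cipher suite list is $($functions.Length) characters; the policy limit is 1023"
    }
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'Functions' -Value $functions -PropertyType String -Force | Out-Null
    $functions
}

# Read the box's default list, build the new order, show it, then write it.
$default = (Get-ItemProperty -Path $localKey -Name Functions).Functions
$ordered = Select-CipherSuites -Suites $default
$ordered
Write-CipherSuitePolicy -Suites $ordered
```

Review the printed order before rebooting; if you later want the default back, delete the Functions value under the policy key and Schannel falls back to the Local list.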

Reference – Full SSLLabs Scan Default Settings

Fully Patched Windows Server 2012 R2 System - Full Details

Rhoderick Milne [MSFT]
