best response confirmed byBillClark (Copper Contributor)
replied toBillClark
Feb 28 202302:14 PM - edited Feb 28 202302:18 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Feb 28 202302:14 PM - edited Feb 28 202302:18 PM
Solution
Hi @BillClark
This might help too:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/demystifying-schannel/ba-p/2...
To answer your question, no, registry keys for supported TLS versions do not need to be present in
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
in order to be enabled. I have registry keys only for TLS 1 and 1.1 in that location because I disabled them, so I'm using TLS 1.2 and 1.3 for everything else, without having their keys present in there.
When you clean install Windows, that registry location is empty, so it doesn't tell us anything about whether a TLS version is enabled or disabled. Also, I've used IIS crypto before and it has bugs or design problems.
P.S It's recommended to disable any previous TLS/SSL versions prior to 1.2 because they have known vulnerabilities.
I've listed all the insecure ciphers, TLS 1, TLS 1.1 and MD5 hashing algorithm registry locations in a CSV file on my Github repository to disable them easily: https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Payload/Registry.csv