Disabling TLS 1.0 and 1.1 on DEVOS Servers with SSL Certificates

It is generally best practice to use SSL certificates on all DEVOS servers, particularly servers that are available to any public internet user. This ensures that all traffic, including login information, is encrypted as it crosses the public internet instead of being sent as readable text. Servers that use SSL certificates to secure their content use a protocol called Transport Layer Security, or TLS. In recent years, the industry has deprecated certain previous versions of TLS, so it is recommended that these older versions be disabled on DEVOS servers.
NOTE: If you do not yet have a certificate installed on your server, see the following article for instructions on installing one:
Installing an SSL Certificate on DEVOS

Checking if Older TLS Versions are Enabled

The current version of TLS is 1.2. Older versions of TLS such as 1.0 and 1.1 should be disabled to ensure your DEVOS server gets the highest security grade when evaluated. If your server is accessible on the public internet, there are a number of websites that will test your server for free. One such website is run by the internet security company GlobalSign. Simply enter your website address into the search form and run the test. Once the test is complete, your server will get a grade. Just like in school, you want your server to get an A. If it doesn't, you will need to examine the results of the test to see what prevented the server from acing the test.

Either click on the MORE INFO link or scroll down to the Configuration section to see the results of the test.

If either TLS 1.0 or 1.1 says "Yes", it will be highlighted to alert you to the problem. You must then disable the deprecated protocols and reboot the server. After you do this, you should run the test again to ensure that the grade improves.

Disabling Deprecated Protocols

Follow these steps to disable TLS 1.0 and/or TLS 1.1:
Connect to your server either remotely (RDP) or with a keyboard, mouse, and monitor.

Back up your registry by following these steps:
  1. From the Start menu, type regedit.exe in the search box, and then press Enter.
  2. If you are prompted for an administrator password or for confirmation, type the password or provide confirmation.
  3. In Registry Editor, locate and click the registry key or subkey that you want to back up. Click File > Export.
  4. In the Export Registry File dialog box, select the location to which you want to save the backup copy, and then type a name for the backup file in the File name field.
  5. Click Save.
ALERT: The following steps will change your registry. This can be dangerous for anyone not familiar with server registry settings. If you have any problems, you will need the registry backup file you saved to restore the registry to its previous settings.
Open a new text file, or download the text file attached to this support article and move it to your DEVOS server.

If you are creating a new text file, copy and paste the following lines of registry information:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
Save the file with the file extension ".reg" and close the text editor.

If you are using the downloaded file attached here, save the file on the server and change the extension to ".reg".

Double-click the file to run the registry commands. This will add the proper registry entries to your DEVOS server to disable TLS 1.0 and 1.1.

After adding the registry entries, reboot the DEVOS server and run the security test again to ensure that the protocols have been disabled.
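
For a server that cannot be reached by a public test site, or as a quick check before re-running the web test, the values written by the .reg file can be read back directly on the server. The PowerShell script below is an added example, not part of the original article or supplied with DEVOS; it reads only the registry keys listed above and treats any key or value that is missing as "not explicitly disabled".

```powershell
# Added example: report the SCHANNEL state of each protocol the .reg file sets.
# Run in a PowerShell window on the DEVOS server after the reboot.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$roles     = 'Client', 'Server'

$report = foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $path   = Join-Path (Join-Path $base $protocol) $role
        # Returns $null if the key does not exist or holds no values.
        $values = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        if ($null -eq $values) {
            # Nothing was imported for this key, so the operating system default applies.
            $state = 'Not set (OS default applies)'
        }
        elseif ($values.Enabled -eq 0 -and $values.DisabledByDefault -eq 1) {
            # Matches the two values written by the .reg file.
            $state = 'Disabled'
        }
        else {
            $state = 'NOT DISABLED'
        }

        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = $values.Enabled
            DisabledByDefault = $values.DisabledByDefault
            State             = $state
        }
    }
}

$report | Format-Table -AutoSize

# Summarize anything that still needs attention.
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) protocol setting(s) are not explicitly disabled."
}
else {
    Write-Output 'All listed protocols are disabled for both Client and Server.'
}
```

The registry values take effect only after the reboot, so a "Disabled" result here confirms the import succeeded, not that the running service has already picked up the change.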