Here it is:
wget https://raw.githubusercontent.com/microsoft/azure-devops-tls12/main/AzureDevOpsTls12Analysis.ps1 -outfile AzureDevOpsTls12Analysis.ps1
.\AzureDevOpsTls12Analysis.ps1
.\Mitigation-NetFramework.ps1
It's confusing for sure, with all the regedits documented everywhere and whatnot. Here is one page filled with regedits:
https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
I do have a personal PowerShell script with regedit gets/sets. But it seems like sysadmins want a GUI and, I'm finding out, are afraid of the shell/PowerShell.
The DevOps Azure team finally came up with a PowerShell script that checks the server and creates a customized script that changes the server to the recommended values.
The go-to for a GUI is IISCrypto.exe. It is nice to have a GUI for reference as it has the Protocols, Ciphers, Hashes and Key-Exchanges.
For reference, here are the security protocols through history:
- PCT 1.0 (1995)
- SSL 2.0 (1995)
- SSL 3.0 (1996)
- TLS 1.0 (1999)
- TLS 1.1 (2006)
- TLS 1.2 (2008)
- TLS 1.3 (2018)
Then there is the fact that the protocols have different settings depending on:
- whether the server OS is acting as a server or as a client.
- whether the protocol is disabled or disabled-by-default.
- whether the protocol is enforced or just available.
- whether the protocol is set for the OS or for .NET.
- the Key-Exchange order preference.
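To see how those dimensions look on one machine, here is a read-only audit added as an example (it is not the Azure DevOps script or the author's own script). It reads the standard SCHANNEL protocol keys and the .NET Framework 4.x strong-crypto values; the helper name `Get-RegValue` and the wording of the `State` column are choices made for this example.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
$root      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3'

function Get-RegValue {   # hypothetical helper for this example
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# OS level: each protocol has separate Client and Server subkeys.
$schannel = foreach ($p in $protocols) {
    foreach ($role in 'Client','Server') {
        $key     = Join-Path $root "$p\$role"
        $enabled = Get-RegValue $key 'Enabled'
        $dbd     = Get-RegValue $key 'DisabledByDefault'
        if ($enabled -eq 0) {
            $state = 'disabled'
        } elseif ($dbd -eq 1) {
            $state = 'disabled by default (used only if an app requests it)'
        } elseif ($null -eq $enabled -and $null -eq $dbd) {
            $state = 'not set (OS default)'
        } else {
            $state = 'enabled'
        }
        [pscustomobject]@{ Protocol = $p; Role = $role; Enabled = $enabled
                           DisabledByDefault = $dbd; State = $state }
    }
}

# .NET level: 64-bit and 32-bit (WOW6432Node) processes read different keys.
$dotnet = foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319') {
    [pscustomobject]@{ Key = $k
        SchUseStrongCrypto       = Get-RegValue $k 'SchUseStrongCrypto'
        SystemDefaultTlsVersions = Get-RegValue $k 'SystemDefaultTlsVersions' }
}

$schannel | Format-Table -AutoSize
$dotnet   | Format-List

# Cipher suite preference order, where the TLS module is available.
if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
    (Get-TlsCipherSuite).Name
}
```

A blank `Enabled`/`DisabledByDefault` pair is not a finding by itself: it means the key was never written and the Windows version's built-in default decides.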
Notes