PCI DSS 3.1 mandates disabling TLS 1.0 for compliance, but Windows Server 2008 R2's Remote Desktop Protocol (RDP) historically relied on it. This creates a critical conflict for administrators needing both security and remote access.
RDP in Server 2008 R2 originally only supported TLS 1.0 for encrypted connections. Disabling it via registry (Schannel settings) would completely break RDP functionality. Microsoft later addressed this with updates, but the initial workarounds required careful configuration.
Before official patches, the partial solution involved editing the registry while preserving RDP functionality:

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
```
KB3080079 (August 2015 update) added TLS 1.1/1.2 support to RDP. After installing this update, you can safely disable TLS 1.0 while maintaining RDP connectivity:

- Install the update package (KB3080079)
- Verify RDP is using CredSSP by checking:

```powershell
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" -Name "SecurityLayer"
```
For environments where updates can't be applied immediately, you can force RDP to use its native encryption instead of TLS:

```powershell
# SecurityLayer: 0 = RDP Security Layer (native RDP encryption), 1 = Negotiate, 2 = SSL (TLS)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SecurityLayer" -Value 0 -Type DWord
```

Note that this disables Network Level Authentication (NLA) and reduces security; it is only recommended as a temporary measure.
After making changes, verify your configuration with:

```powershell
Test-NetConnection -ComputerName localhost -Port 3389
```

```shell
nmap --script ssl-enum-ciphers -p 3389 [server_ip]
```

For PCI compliance scans, run the following; once TLS 1.0 is disabled, the handshake should fail:

```shell
openssl s_client -connect [server]:3389 -tls1
```
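One practical caveat when checking port 3389 from the outside: an RDP listener does not start TLS on connect. The client first sends an X.224 Connection Request asking for PROTOCOL_SSL, and the TLS handshake begins only after the server's Connection Confirm, so a plain ClientHello sent immediately (as `openssl s_client` does) never reaches the TLS layer. The PowerShell function below, added here as an example and not part of the original page, speaks that prelude and then attempts a handshake restricted to one TLS version, so you can confirm that TLS 1.0 is refused and TLS 1.2 is accepted. The server name in the usage loop is a placeholder.

```powershell
# Added example, not from the original page: probe an RDP listener for one TLS
# version at a time by sending the X.224 Connection Request (PROTOCOL_SSL) and
# then negotiating TLS with exactly one protocol version enabled.
function Test-RdpTlsVersion {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 3389,
        [System.Security.Authentication.SslProtocols] $Protocol = 'Tls'
    )

    # TPKT header (4 bytes) + X.224 Connection Request (7) + RDP_NEG_REQ (8) = 19 bytes.
    [byte[]] $x224ConnReq = @(
        0x03, 0x00, 0x00, 0x13,                    # TPKT: version 3, total length 19
        0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00,  # X.224: LI=14, CR code, DST-REF, SRC-REF, class 0
        0x01, 0x00, 0x08, 0x00,                    # RDP_NEG_REQ: type 1, flags 0, length 8
        0x01, 0x00, 0x00, 0x00                     # requestedProtocols = PROTOCOL_SSL (0x00000001)
    )

    $result = [ordered]@{ Server = $Server; Port = $Port; Protocol = $Protocol; Accepted = $false; Detail = '' }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $stream.Write($x224ConnReq, 0, $x224ConnReq.Length)

        # A Connection Confirm carrying RDP_NEG_RSP (type 0x02) or RDP_NEG_FAILURE
        # (type 0x03) is also 19 bytes; the negotiation type byte sits at offset 11.
        # A legacy server that only knows Standard RDP Security answers with 11 bytes.
        $resp = New-Object byte[] 19
        $read = $stream.Read($resp, 0, $resp.Length)
        if ($read -lt 19 -or $resp[11] -ne 0x02) {
            $result.Detail = 'Server did not accept PROTOCOL_SSL (no RDP_NEG_RSP)'
            return [pscustomobject] $result
        }

        # Server agreed to TLS. The certificate callback accepts anything because the
        # question is which protocol version is negotiable, not whether the
        # (usually self-signed) RDP certificate is trusted.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $acceptAny)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        $result.Accepted = $true
        $result.Detail = "Handshake completed with $($ssl.SslProtocol)"
        $ssl.Dispose()
    } catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
        # Schannel reports a refused version as an AuthenticationException;
        # some stacks simply drop the socket, which surfaces as an IOException.
        $result.Detail = "Failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return [pscustomobject] $result
}

# Constructed usage (placeholder host): after TLS 1.0 is disabled and KB3080079
# is installed, 'Tls' should report Accepted=False and 'Tls12' Accepted=True.
foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    Test-RdpTlsVersion -Server 'rdp-host.example.internal' -Protocol $p
}
```

Run the probe from a machine whose own Schannel still permits the version being offered; a workstation that already has TLS 1.0 disabled client-side cannot offer TLS 1.0 and would report a failure regardless of the server's configuration.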
- Upgrade to Server 2012 R2 or later for native TLS 1.2 RDP support
- Implement RD Gateway with modern TLS configurations
- Consider alternative remote access solutions if legacy system support is required
When PCI DSS 3.1 mandated disabling TLS 1.0, Windows Server administrators faced immediate RDP connectivity issues. The root cause lies in Terminal Services' legacy implementation: prior to Windows Server 2016, RDP exclusively used TLS 1.0 for encrypted connections when SSL was disabled in group policy.
Microsoft released KB3080079 (August 2015), which adds TLS 1.1/1.2 support to RDP. Confirm the update is installed with:

```powershell
# PowerShell verification command
Get-Hotfix -Id KB3080079
```
After installing the update, configure the registry properly:

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SecurityLayer"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
```
Contrary to early workarounds, Network Level Authentication remains functional when:
- SecurityLayer is set to 2 (SSL)
- Using CredSSP for authentication
- Client machines support TLS 1.1+
For mass deployments, use this PowerShell snippet:

```powershell
# Enable TLS 1.1/1.2 for RDP (SecurityLayer 2 = SSL/TLS)
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $regPath -Name "SecurityLayer" -Value 2 -Type DWord

# Disable TLS 1.0 system-wide (keys are created if absent; Set-ItemProperty creates the value)
$tls10Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0"
New-Item -Path $tls10Path -Force | Out-Null
New-Item -Path "$tls10Path\Server" -Force | Out-Null
New-Item -Path "$tls10Path\Client" -Force | Out-Null
Set-ItemProperty -Path "$tls10Path\Server" -Name Enabled -Value 0 -Type DWord
Set-ItemProperty -Path "$tls10Path\Client" -Name Enabled -Value 0 -Type DWord
```
Confirm successful configuration with:
- Wireshark analysis showing TLS 1.2 handshake
- Test-NetConnection with packet capture
- PCI ASV scanning tools
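Before reaching for Wireshark or an ASV scan, it is worth checking the host's own state against the end state this page describes (TLS 1.0 off, TLS 1.1/1.2 on, SecurityLayer=2, NLA on, KB3080079 present). The audit function below is an added example, not code from the original page. It assumes the protocols should be explicitly enabled for both the Server and Client sides of Schannel (the page only shows the Client keys), and it reads NLA from the `UserAuthentication` value, which is the setting that actually governs NLA; `SecurityLayer` selects the transport security, not the authentication method. Run it elevated on the server being checked.

```powershell
# Added example, not from the original page: audit local RDP and Schannel
# settings against the expected post-change state and list every deviation.
function Get-RdpTlsAudit {
    $rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    $findings = New-Object System.Collections.Generic.List[string]

    # Read a DWORD, returning $null when the key or value is absent. Absence matters:
    # Schannel falls back to its built-in defaults for any value that is not set.
    function Get-DwordOrNull([string] $Path, [string] $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $securityLayer = Get-DwordOrNull $rdpTcp 'SecurityLayer'
    $nla           = Get-DwordOrNull $rdpTcp 'UserAuthentication'
    # SecurityLayer: 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS
    if ($securityLayer -ne 2) { $findings.Add("SecurityLayer is '$securityLayer' (expected 2 = SSL/TLS)") }
    # NLA is controlled by UserAuthentication (1 = required), independent of SecurityLayer
    if ($nla -ne 1) { $findings.Add("UserAuthentication is '$nla' (expected 1 = NLA required)") }

    foreach ($side in 'Server', 'Client') {
        $tls10 = "$schannel\TLS 1.0\$side"
        if ((Get-DwordOrNull $tls10 'Enabled') -ne 0) {
            $findings.Add("TLS 1.0 $side is not explicitly disabled (Enabled should be 0)")
        }
        foreach ($v in 'TLS 1.1', 'TLS 1.2') {
            $p   = "$schannel\$v\$side"
            $en  = Get-DwordOrNull $p 'Enabled'
            $dbd = Get-DwordOrNull $p 'DisabledByDefault'
            # Assumption for this audit: both values are set explicitly, as in the
            # registry fragment above (Enabled=1, DisabledByDefault=0).
            if ($en -ne 1 -or $dbd -ne 0) {
                $findings.Add("$v $side is not explicitly enabled (Enabled='$en', DisabledByDefault='$dbd')")
            }
        }
    }

    $hotfix = Get-HotFix -Id KB3080079 -ErrorAction SilentlyContinue
    if (-not $hotfix) { $findings.Add('KB3080079 (TLS 1.1/1.2 support for RDS) is not installed') }

    [pscustomobject]@{
        SecurityLayer      = $securityLayer
        UserAuthentication = $nla
        HotfixInstalled    = [bool] $hotfix
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

# Usage: an empty Findings array with Compliant=True is the target state.
Get-RdpTlsAudit | Format-List
```

A host that reports `Compliant=True` here but still negotiates TLS 1.0 in a packet capture has not been rebooted since the Schannel change; the Schannel protocol settings are read at service start, so the external probe and the registry audit should agree only after a restart.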