Windows Server 2012 presents a unique challenge when it comes to disabling TLS 1.0 for RDP connections. Unlike Server 2008 which had the "Remote Desktop Session Host Configuration" GUI tool, Server 2012 requires registry modifications to achieve this security hardening while maintaining remote access capability.
The proper way to configure RDP protocols in Server 2012 is through the Windows Registry. Here's the complete procedure:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"SecurityLayer"=dword:00000002
"UserAuthentication"=dword:00000001
```
For administrators managing multiple servers, here's a PowerShell script that automates the configuration:
```powershell
# Disable TLS 1.0 server-side (create the key first; it does not exist by default)
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name "Enabled" -Value 0 -Type DWord

# Configure RDP security layer (2 = SSL/TLS required) and require NLA (1 = on)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SecurityLayer" -Value 2 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "UserAuthentication" -Value 1 -Type DWord

# Restart services to apply the RDP-Tcp changes. This drops every active RDP session,
# including the one running this script, so run it from a console or out-of-band session.
# SCHANNEL protocol settings are only read at boot, so the TLS 1.0 change itself
# takes effect after the server is restarted.
Restart-Service -Name TermService -Force
```
After making these changes, verify the configuration with these commands:
```powershell
# Check TLS 1.0 status
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" | Select-Object Enabled

# Verify RDP security settings
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" | Select-Object SecurityLayer, UserAuthentication
```
For domain environments, you can enforce these settings through Group Policy:
1. Create a new GPO and link it to the appropriate OU
2. Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
3. Enable "Require use of specific security layer for remote (RDP) connections" and set it to "SSL"
4. Enable "Require user authentication for remote connections by using Network Level Authentication"
5. Under Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings, disable TLS 1.0
Before implementing these changes, ensure your client machines support TLS 1.1/1.2. For older clients, you may need to:
- Update Remote Desktop clients
- Enable TLS 1.1/1.2 on client machines
- Consider keeping one management server with TLS 1.0 enabled as a temporary fallback
Many administrators face a critical security-compliance paradox when dealing with Windows Server 2012 Remote Desktop Protocol (RDP) configurations. While PCI DSS requirements mandate disabling TLS 1.0, Windows Server 2012 originally shipped with RDP supporting only TLS 1.0 by default - creating an apparent deadlock between compliance and functionality.
Unlike Windows Server 2008 which had GUI tools for this configuration, Server 2012 requires direct registry editing. The protocol negotiation occurs through these registry keys:
```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
```
To disable TLS 1.0 while enabling newer protocols:
```powershell
# Disable TLS 1.0 (the key must exist before New-ItemProperty can write into it)
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" -Name Enabled -Value 0 -PropertyType DWORD -Force

# Enable TLS 1.2 explicitly
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name Enabled -Value 1 -PropertyType DWORD -Force

# SCHANNEL reads these keys at boot: restart the server before verifying.
```
After making these changes, verify RDP is still functional while TLS 1.0 is disabled:
```powershell
# Confirm the RDP listener still accepts TCP connections
Test-NetConnection -ComputerName localhost -Port 3389

# The Enabled value lives in the Client/Server subkeys, so match two levels below Protocols
$TlsSettings = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\*\*"
$TlsSettings | Select-Object PSPath, Enabled
```
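Both verification steps above only read the registry and check that port 3389 is open; neither proves which TLS versions the listener actually negotiates. The following is an added example, not part of the original article, that performs the RDP X.224 negotiation and then attempts a TLS handshake at a chosen protocol version. It assumes the probing host itself still permits TLS 1.0 as a client, and the hostname rds01.example.local is a placeholder.

```powershell
# Added example: probe which TLS versions an RDP listener really accepts.
function Test-RdpTlsVersion {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 3389,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        $stream = $client.GetStream()

        # RDP starts TLS only after an X.224 Connection Request that asks for
        # PROTOCOL_SSL (0x00000001): TPKT header + X.224 CR TPDU + RDP_NEG_REQ.
        [byte[]]$negReq = @(
            0x03,0x00,0x00,0x13,                  # TPKT, total length 19
            0x0e,0xe0,0x00,0x00,0x00,0x00,0x00,   # X.224 Connection Request
            0x01,0x00,0x08,0x00,                  # RDP_NEG_REQ, length 8
            0x01,0x00,0x00,0x00                   # requestedProtocols = SSL
        )
        $stream.Write($negReq, 0, $negReq.Length)

        $resp = New-Object byte[] 19
        $read = $stream.Read($resp, 0, $resp.Length)
        # Byte 11 is the negotiation response type: 0x02 = RDP_NEG_RSP (TLS accepted),
        # 0x03 = RDP_NEG_FAILURE (server refuses this security layer).
        if ($read -lt 19 -or $resp[11] -ne 0x02) {
            return [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Detail = 'X.224 negotiation refused TLS' }
        }

        # Certificate checking is bypassed on purpose: the question is the protocol
        # version, and RDP listeners usually present a self-signed certificate.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $trustAll)
        $ssl.AuthenticateAsClient($ComputerName, $null, $Protocol, $false)
        return [pscustomobject]@{ Protocol = $ssl.SslProtocol; Accepted = $true; Detail = 'handshake completed' }
    }
    catch [System.Security.Authentication.AuthenticationException], [System.IO.IOException] {
        # A hardened server aborts the handshake when only TLS 1.0 is offered
        return [pscustomobject]@{ Protocol = $Protocol; Accepted = $false; Detail = $_.Exception.Message }
    }
    finally { $client.Close() }
}

# Expected after hardening: Tls (1.0) -> Accepted=False, Tls12 -> Accepted=True
foreach ($p in 'Tls', 'Tls12') { Test-RdpTlsVersion -ComputerName 'rds01.example.local' -Protocol $p }
```

If the TLS 1.0 attempt fails for a local reason (the client OS has TLS 1.0 disabled), the result is inconclusive; run the probe from a host where TLS 1.0 is still permitted client-side.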
For enhanced security, ensure Network Level Authentication (NLA) is enabled, as this requires the user to authenticate before a full RDP session is established:

```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
```
For domain-joined systems, consider implementing these settings through Group Policy:
- Computer Configuration → Administrative Templates → Network → SSL Configuration Settings
- Set "SSL Cipher Suite Order" to prioritize TLS 1.2-compatible cipher suites
- Enable "Disable SSL 3.0" and "Disable TLS 1.0" policies
If connectivity issues occur after these changes:
- Temporarily re-enable TLS 1.0 for troubleshooting
- Consider upgrading to Server 2016/2019 with native TLS 1.2 support
- Implement RD Gateway as an intermediary with modern protocol support