
IIST-SV-000153: Use TLS to maintain confidentiality

An IIS 10.0 web server must maintain the confidentiality of controlled information during transmission through the use of an approved Transport Layer Security (TLS) version.
To check compliance with IIST-SV-000153, complete the following steps:
  1. Access the IIS 10.0 web server.
  2. Access an administrator command prompt and type regedit <enter> to access the server's registry.
  3. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server.
  4. Verify that DisabledByDefault has a REG_DWORD value of 0.
  5. Navigate to the following paths and verify that DisabledByDefault has a REG_DWORD value of 1 and Enabled has a REG_DWORD value of 0:
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
If any of the registry paths do not exist or are configured with the wrong value, your server is not compliant.
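The same check can be read back in one pass from an elevated PowerShell prompt. This is an added example, not part of the original guidance; the function name Test-SchannelValue and the result fields are assumptions. It only reads the registry, and it reports a missing path or value as non-compliant, as the check requires.

```powershell
# Added example: read-only audit of the SCHANNEL values named in IIST-SV-000153.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected REG_DWORD values, taken from check steps 4 and 5.
$expected = [ordered]@{
    'TLS 1.2' = @{ DisabledByDefault = 0 }
    'TLS 1.0' = @{ DisabledByDefault = 1; Enabled = 0 }
    'TLS 1.1' = @{ DisabledByDefault = 1; Enabled = 0 }
    'SSL 2.0' = @{ DisabledByDefault = 1; Enabled = 0 }
    'SSL 3.0' = @{ DisabledByDefault = 1; Enabled = 0 }
}

# Hypothetical helper: checks one value under <protocol>\Server.
function Test-SchannelValue {
    param([string]$Protocol, [string]$Name, [int]$Want)

    $path = "$base\$Protocol\Server"
    $result = [pscustomobject]@{
        Protocol = $Protocol; Value = $Name; Expected = $Want
        Actual = $null; Compliant = $false; Reason = ''
    }
    if (-not (Test-Path -LiteralPath $path)) {
        $result.Reason = 'registry path missing'   # absent key is a finding
        return $result
    }
    $key = Get-Item -LiteralPath $path
    $actual = $key.GetValue($Name, $null)
    if ($null -eq $actual) {
        $result.Reason = 'value missing'
        return $result
    }
    $result.Actual = $actual
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = 'not REG_DWORD'
    } elseif ($actual -ne $Want) {
        $result.Reason = 'wrong value'
    } else {
        $result.Compliant = $true
    }
    return $result
}

$findings = foreach ($protocol in $expected.Keys) {
    foreach ($name in $expected[$protocol].Keys) {
        Test-SchannelValue -Protocol $protocol -Name $name -Want $expected[$protocol][$name]
    }
}

$findings | Format-Table -AutoSize
if ($findings.Compliant -contains $false) { 'NOT compliant' } else { 'Compliant' }
```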
If your server is not compliant, complete the following steps:
  1. Access the IIS 10.0 web server.
  2. Access an administrator command prompt and type regedit <enter> to access the server's registry.
  3. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server.
  4. Configure DisabledByDefault to have a REG_DWORD value of 0.
  5. Navigate to the following paths and configure DisabledByDefault to have a REG_DWORD value of 1 and Enabled to have a REG_DWORD value of 0:
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
    • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server