Disabling TLS 1.0 and TLS 1.1 using GPO.

In this article, we will look at how to disable support for legacy versions of the Transport Layer Security protocol in Windows using group policies. TLS protocol versions 1.0 and 1.1 are considered obsolete and insecure. If you have migrated all your services to TLS 1.2 or TLS 1.3, you can disable legacy protocol support on Windows clients and servers using a GPO.

A list of supported SSL/TLS protocols on a particular server can be obtained using the SSL Labs online services.

On Windows, you can list the enabled TLS versions for the browser in the Internet Options (inetcpl.cpl). This screenshot shows that TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3 are enabled. When establishing a connection to the server, the maximum version of TLS supported by both the client and the server is selected for encryption.

If you disable support for older versions of TLS, users will not be able to connect to legacy services. Therefore, we recommend that you first test all settings on pilot groups of computers and servers.

The list of TLS/SSL protocols enabled on the Internet Options tab on the client can be configured using the Turn Off Encryption Support Group Policy setting under GPO: Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Explorer Control Panel -> advanced page.

Enable the policy (Enabled), and in the Secure Protocol combinations drop-down list, select which TLS/SSL versions to allow clients to use.

This GPO setting corresponds to the SecureProtocols setting in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings registry key.

You will have to restart the computer to apply the new GPO settings. Open Internet Options again and make sure that only the TLS versions you allowed in the GPO are available. The user will not be able to change these settings (note the message Some settings are managed by your system administrator).

Unfortunately, you cannot leave only TLS 1.2 and TLS 1.3 enabled here: there is simply no such combination in the GPO drop-down list. In addition, this policy does not disable TLS 1.0 and TLS 1.1 support on the server side of Windows Server (for example, in IIS or Exchange).

Therefore, it is better to disable certain versions of TLS directly through the registry. With the help of GPO, you can distribute the necessary registry settings to computers (for more details, see the article Configuring registry settings on computers with GPO).

To disable TLS 1.0 on Windows for both the client and the server, you need to make the following settings in the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

Other protocols are disabled in the same way: replace the TLS 1.0 part of the registry path with SSL 2.0, SSL 3.0, TLS 1.1, etc.

To force TLS 1.2 to be enabled, the following entries must be made:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

As a result, the GPO should contain these registry items in the Computer Configuration -> Preferences -> Windows Settings -> Registry section.

You need to restart Windows to apply the settings.

In addition to changing the available TLS protocols in the registry, you need to enable the use of TLS 1.2 for .NET 3.5 and 4.x applications, as well as for WinHTTP. Outlook, for example, uses the WinHTTP encryption settings.

Enable the system encryption protocols for .NET 3.5 and 2.0:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

For .NET 4.x:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

Enable TLS 1.2 for WinHTTP:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
"DefaultSecureProtocols"=dword:00000800
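As an added example that is not part of the original article, the following PowerShell script (run in an elevated session) reports the current Client and Server state of each SCHANNEL protocol and, with the -Apply switch, writes the registry values listed above; the -Apply switch and the function names are this example's own.

```powershell
# Added example, not from the original article: audit the SCHANNEL, .NET and
# WinHTTP registry values described above and optionally apply them.
# Run in an elevated PowerShell; without -Apply it only reports the current state.
param([switch]$Apply)
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# Desired state: legacy protocols disabled, TLS 1.2 explicitly enabled.
$protocols = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true
}
function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}
function Get-ProtocolState([string]$Path) {
    # A missing key or value means SCHANNEL falls back to the OS default for that protocol.
    if (-not (Test-Path $Path)) { return 'not configured (OS default)' }
    $p = Get-ItemProperty -Path $Path
    if ($null -eq $p.Enabled) { return 'not configured (OS default)' }
    if ($p.Enabled -eq 0) { 'disabled' } else { 'enabled' }
}
foreach ($proto in $protocols.Keys) {
    $enable = $protocols[$proto]
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path (Join-Path $base $proto) $side
        if ($Apply) {
            # Disabling a protocol sets DisabledByDefault=1 and Enabled=0; enabling does the reverse.
            Set-RegDword $key 'DisabledByDefault' ([int](-not $enable))
            Set-RegDword $key 'Enabled' ([int]$enable)
        }
        '{0,-8} {1,-6} {2}' -f $proto, $side, (Get-ProtocolState $key)
    }
}
# .NET Framework and WinHTTP values from the article (0x800 = TLS 1.2 for WinHTTP).
$extra = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'; Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727'; Name = 'SchUseStrongCrypto';       Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'; Name = 'DefaultSecureProtocols'; Value = 0x800 }
)
foreach ($e in $extra) {
    if ($Apply) { Set-RegDword $e.Path $e.Name $e.Value }
    $cur = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    '{0}\{1} = {2}' -f $e.Path, $e.Name, $(if ($null -eq $cur) { 'not set' } else { $cur })
}
if ($Apply) { 'Registry updated; restart Windows for the SCHANNEL changes to take effect.' }
```

On 64-bit Windows, 32-bit .NET applications read the same .NETFramework values under HKLM\SOFTWARE\Wow6432Node, which this script does not touch.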

On Windows Server, you can use the IIS Crypto GUI utility (https://www.nartac.com/Products/IISCrypto/Download) to view the SCHANNEL settings.

You can also use the SCHANNEL ADMX group policy templates from https://github.com/Crosse/SchannelGroupPolicy.
