TLS and SSL are both used for web security. They are cryptographic protocols that encrypt your data and authenticate the connection when your data is transported over the internet. TLS is short for Transport Layer Security and is the successor to SSL. There have been three previous versions of TLS: TLS 1.0, TLS 1.1 and TLS 1.2; the current version is TLS 1.3. In this guide, I will show you how to disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows using GPO. You may also want to read about how to use TLS/SSL certificates to secure a web server on Windows, how to enable or disable TLS 1.2 on a Windows Server via the Registry and PowerShell, and how to enable DNS over TLS in Windows 11.
Steps to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO
Group Policy is an administrative tool used to apply settings, including security settings, to users and computers. It allows administrators to define security policies for users and for computers. Kindly refer to the articles below.
1. Launch Group Policy to Disable TLS Older Versions
Open Run on your Domain Controller and launch Group Policy Management (gpmc.msc).
2. Create a GPO in the Domain Controller
In Group Policy Management, right-click the organizational unit containing your Domain Controllers or the domain itself, and select "Create a GPO in this domain, and Link it here...".
3. Rename the GPO to ‘Disable_TLS 1.0_TLS 1.1_TLS 1.2’ in Windows
Name the new GPO Disable_TLS 1.0_TLS 1.1_TLS 1.2 and click OK. Please see How to check the BIOS version on Windows.
This creates a new Group Policy Object linked to the organizational unit (or domain) you selected.
4. Edit the GPO ‘Disable_TLS 1.0_TLS 1.1_TLS 1.2’
Right-click the policy and click Edit.
5. Create a Registry Item in Group Policy
Navigate to Computer Configuration > Preferences > Windows Settings > Registry.
Create a new registry item by right-clicking the blank space and selecting New > Registry Item.
6. Configure the Registry Properties
In the New Registry Properties dialog, select Create in the Action drop-down, and for the Key Path navigate here:
Create a separate registry entry for each protocol, covering both the Server and the Client subkeys.
7. Force a Group Policy update so the TLS changes take effect
Open a command prompt, enter gpupdate /force and press Enter. This applies the changes you made to the GPO.
8. Reconfirm the protocols created from the registry
Open the Registry Editor and navigate to the protocol keys to confirm that the entries you created are present:
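As an added example (not from the original post), the following PowerShell builds the same per-protocol Client and Server registry values that the GPO registry items create, and reads them back for the reconfirmation step. It assumes the standard SCHANNEL protocol key documented by Microsoft and should be run elevated on a test host first.

```powershell
# Added example, not part of the original post. Assumes the standard SCHANNEL
# key location; run in an elevated PowerShell session on a test host first.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3')][string]$Protocol,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($Side in 'Client','Server') {
        $Key = Join-Path $SchannelRoot "$Protocol\$Side"
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        # Enabled=0 together with DisabledByDefault=1 is the documented way to turn a protocol off.
        New-ItemProperty -Path $Key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $Key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Read back every protocol/side so the state can be verified after gpupdate and a reboot.
function Get-SchannelProtocolState {
    foreach ($Protocol in 'TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3') {
        foreach ($Side in 'Client','Server') {
            $Key   = Join-Path $SchannelRoot "$Protocol\$Side"
            $Props = if (Test-Path $Key) { Get-ItemProperty -Path $Key } else { $null }
            [pscustomobject]@{
                Protocol          = $Protocol
                Side              = $Side
                Enabled           = if ($null -ne $Props.Enabled) { $Props.Enabled } else { 'not set (OS default)' }
                DisabledByDefault = if ($null -ne $Props.DisabledByDefault) { $Props.DisabledByDefault } else { 'not set (OS default)' }
            }
        }
    }
}

# Disable the legacy protocols first.
'TLS 1.0','TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enabled $false }
# Only disable TLS 1.2 once TLS 1.3 is confirmed available on this host (Windows Server 2022 /
# Windows 11 or later) and on every client that connects to it, otherwise connections will fail.
# Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $false

Get-SchannelProtocolState | Format-Table -AutoSize
```

SCHANNEL reads these values at startup, so reboot the machine after the policy applies and rerun Get-SchannelProtocolState to confirm the result.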
FAQs on why you should disable TLS 1.0, TLS 1.1 and TLS 1.2
Disabling older TLS versions is essential for security. TLS 1.0 and TLS 1.1 are known to have vulnerabilities that make them susceptible to attacks, such as BEAST and POODLE.
TLS 1.2, while more secure, may still have weaknesses that could be exploited in the future. Disabling these older versions helps protect your data and communications from potential threats.
Disabling older TLS versions forces both the client and the server to use more secure protocols such as TLS 1.3, or TLS 1.2 with modern cipher suites. These newer versions are designed with improved security features and algorithms, which makes it significantly harder for attackers to exploit vulnerabilities and decrypt encrypted data, and helps ensure that your communication remains confidential and tamper-proof.
While disabling older TLS versions improves security, it can potentially impact compatibility with older systems or outdated browsers that do not support newer TLS versions. It’s essential to assess your user base and the systems interacting with your services. In some cases, you may need to provide alternative access methods or encourage users to update their software to maintain compatibility while ensuring security.
I hope you found this blog post on how to disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows using GPO interesting and helpful. In case you have any questions, do not hesitate to ask in the comment section.