Security | Vulnerability Scans and Assessment

How to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO

How to Disable TLS 1.0, TLS 1.1 and TLS 1 - banner

Both TLS and SSL are both used for web security. They are both cryptographic protocols that encrypt your data and authenticate a connection when transporting your data via the internet. The TLS is the short form for transport layer security and it is the current version of SSL. We have had three previous versions of TLS: TLS 1.0, TLS 1.1, and TLS 1.2 with the current version now TLS 1.3. In this guide, I will be showing you How to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO. You may want to read about how to use TLS/SSL Certificates to Secure Web Server on Windows, How to enable or disable TLS 1.2 on a Windows Server via the Registry and PowerShell and how to Enable DNS over TLS in Windows 11

Steps to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO

Group Policy is a security tool that is used to apply security settings to users and computers. Group Policy allows administrators to define security policies for users and for computers. Kindly refer to the articles below;

1. Launch Group Policy to Disable TLS Older Versions

Open Run on your Domain Controller and launch the Open Group Policy Management (gpmc.msc).

How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-gpmc

2. Create a GPO in the Domain Controller

Navigate to your Domain Controller and right-click the Domain Controller or the Domain itself. Select Create a GP in this domain and Link it here.

Create GPO
Create GPO

3. Rename the GPO to ‘Disable_TLS 1.0_TLS 1.1_TLS 1.2’ in Windows

Rename the New GPO to Disable_TLS 1.0_TLS 1.1_TLS 1.2 and click on ‘OK’. Please see How to check the BIOS version on Windows

How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-New-GPO

This will create a new group policy that will be linked to the organization unit.

Linked Group Policy Object

4. Edit the gpo ‘Disable_TLS 1.0_TLS 1.1_TLS 1.2’

Right-click the Policy and click on Edit.

How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-New-GPO3

5.  Create a Registry Item in Group Policy

Navigate to Computer ConfigurationsPreferences > Windows Settings > Registry.

You can create a new registry by clicking on the blank space and selecting New > Registry Item.

How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-Registry

6. Create a Registry Properties

Create a new Registry Properties: on the Action, drop-down select Create and on the Key Path navigate here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-Protocols

You will now create a new registry entry for each protocol that includes the server and client.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-New-Key
How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-For-all-Protocols

7.  Force a group policy update to check changes to affect the TLS Disable change

Open command prompt and enter this command gpupdate /force and hit the enter key. This will update the current changes made on the GPO.

How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-gpupdate

8.     Reconfirm the protocols created from the registry

Open the registry editor and navigate to confirm the protocols you have created:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

How-to-Disable-TLS-1.0-TLS-1.1-and-TLS-1.2-in-Windows-Using-GPO-protocols-created

FAQs on why you should disable TLS 1.0, TLS 1.1 and TLS 1.2

Why should I disable TLS 1.0, TLS 1.1, and TLS 1.2?

Disabling older TLS versions is essential for security. TLS 1.0 and TLS 1.1 are known to have vulnerabilities that make them susceptible to attacks, such as BEAST and POODLE.

TLS 1.2, while more secure, may still have weaknesses that could be exploited in the future. Disabling these older versions helps protect your data and communications from potential threats.

How does disabling older TLS versions improve security?

Disabling older TLS versions forces both the client and server to use more secure protocols like TLS 1.3 or TLS 1.2 with modern cypher suites. These newer versions are designed with improved security features and algorithms. Thereby making it significantly harder for attackers to exploit vulnerabilities and decrypt encrypted data. It helps ensure that your communication remains confidential and tamper-proof.

Will disabling TLS 1.0, TLS 1.1, and TLS 1.2 affect compatibility with older systems or browsers?

While disabling older TLS versions improves security, it can potentially impact compatibility with older systems or outdated browsers that do not support newer TLS versions. It’s essential to assess your user base and the systems interacting with your services. In some cases, you may need to provide alternative access methods or encourage users to update their software to maintain compatibility while ensuring security.

I hope you found this blog post on how to Disable TLS 1.0, TLS 1.1 and TLS 1.2 in Windows Using GPO Interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x