Saturday 3 July 2021

How to disable SSL 3.0 and enable TLS 1.2

Before disabling the SSL 2.0, SSL 3.0 and TLS 1.0 protocols on Domain Controllers, we need to ensure that no machine or application in the AD domain still depends on SSL 2.0, SSL 3.0 or TLS 1.0, and that all machines and applications can use TLS 1.1 or TLS 1.2.

We can enable TLS 1.1 or TLS 1.2 and disable SSL 2.0, SSL 3.0 and TLS 1.0 through registry settings pushed by GPO to all machines; this way, Windows machines and Microsoft applications will use TLS 1.1 or TLS 1.2.

To disable SSL 3.0, open the Registry Editor as administrator.

1. In the Registry Editor window, go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\

2. In the navigation tree, right-click on the SSL 3.0 key, and in the pop-up menu, click New > Key.

3. Name the key, Client.

4. In the navigation tree, right-click on the SSL 3.0 key again, and in the pop-up menu, click New > Key.

5. Name the key, Server.

6. In the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value.

7. Name the value DisabledByDefault and hit enter.

8. Ensure that it shows 0x00000001 (1) under the Data column. If it doesn't, right-click and select Modify and enter 1 as the Value data.

9. In the navigation tree, under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value.

10. Name the value Enabled and hit enter.

11. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn't, right-click and select Modify and enter 0 as the Value data.

Restart your Windows server.

You have successfully disabled the SSL v3 protocol.

For instructions on disabling browser support for the SSL v3 protocol, see Disabling Browser Support for SSL 3.0.

Enable TLS 1.2 by executing the following PowerShell script from an elevated prompt:

# Create the TLS 1.2 Client key (no-op if it already exists)
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

# Enabled = 1 turns the protocol on for the client side
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null

# DisabledByDefault = 0 lets applications use it without opting in explicitly
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
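The same registry changes applied to all five protocols, on both the Client and Server sides, with an audit of the current state before and after, as an added PowerShell example that is not part of the original post. It assumes the standard Schannel key layout shown above, that it runs from an elevated prompt, and that the $desired table reflects your own compatibility testing.

```powershell
# Added example (not the original post's code): audit and set Schannel protocol
# state for both Client and Server. Run elevated; reboot for changes to apply.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: $true = protocol enabled, $false = protocol disabled.
$desired = @{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $true
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    # One row per protocol/side; 'absent' means the value is not set, so the
    # OS default applies (which varies by Windows version).
    foreach ($proto in ($desired.Keys | Sort-Object)) {
        foreach ($side in 'Client', 'Server') {
            $key   = Join-Path $base "$proto\$side"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'absent' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'absent' }
            }
        }
    }
}

function Set-SchannelProtocolState {
    # Enabled=1 / DisabledByDefault=0 turns a protocol on;
    # Enabled=0 / DisabledByDefault=1 turns it off.
    foreach ($proto in $desired.Keys) {
        $enable = $desired[$proto]
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$enable) -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $enable)) -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize   # state before
Set-SchannelProtocolState
Get-SchannelProtocolState | Format-Table -AutoSize   # state after; reboot to apply
```

Run the audit function alone first on a representative server to see what is explicitly configured today, then push the settings via GPO preferences once the compatibility check from the introduction has been done.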
