Disabling TLS 1.0 On Your Workstations

Thomas Gallagher
FAUN — Developer Community 🐾
5 min readJan 12, 2021



Intro

If you’ve ever read any of my previous Medium articles, you’ll know that I primarily work on DevOps in AWS, building and learning with Terraform as my playground. However, as one does, I have done a lot of work in Microsoft Windows server and Office 365, so I’ve picked up quite a few tips and tricks that can make life easier as an IT administrator.

Please feel free to send me a message and let me know if this works for you, or how you would change it up for my articles in the future!

The Why

Transport Layer Security (TLS) is the protocol that keeps network traffic private and authenticated, and version 1.0 dates from 1999 (RFC 2246). Like any software, TLS has been revised regularly over the last 20 years (1.1 in 2006, 1.2 in 2008, 1.3 in 2018), and each revision fixed weaknesses found in its predecessor. TLS 1.0 in particular chains CBC initialization vectors predictably (the flaw behind the BEAST attack described in the conclusion), builds its key derivation on MD5 and SHA-1, and has no AEAD cipher suites. That is why the major browsers dropped it in 2020 and why Microsoft has deprecated it as well.

In October 2018, Microsoft announced that both TLS 1.0 and 1.1 would be deprecated for all Office 365 (now Microsoft 365) services. Thankfully, if you are running a primarily Microsoft environment, disabling deprecated TLS protocols is straightforward, whether by scripting or by Group Policy.

The How

There are two ways for you to disable deprecated TLS protocols in your environment: scripting, or using Group Policy.

Scripting

In my experience, the fastest and cleanest way to disable deprecated TLS protocols is a quick script push. You can run the commands below from an elevated Command Prompt or an elevated PowerShell session; reg.exe works in either, and it must run as Administrator because it writes to HKEY_LOCAL_MACHINE. The commands disable TLS 1.0 through Schannel registry values, and because Schannel only reads those values at startup, TLS 1.0 becomes unusable after the next reboot. Before pushing this to a fleet, check that the workstations do not still depend on TLS 1.0 to reach legacy devices such as old printers or appliances, since the Client setting affects every outbound connection Schannel makes.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v Enabled /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" /v DisabledByDefault /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" /v DisabledByDefault /t REG_DWORD /d 1 /f

Looking at this script, you can see that both sides of the protocol are disabled: Client covers connections the workstation makes outbound, and Server covers connections it accepts (Remote Desktop, for example). Two registry values are written under each key. Enabled set to 0 switches the protocol off for every application. DisabledByDefault set to 1 additionally tells Schannel not to offer the protocol unless an application explicitly requests it; on its own it still lets an application opt back in, which is why both values are set together, as Microsoft recommends. After the reboot, a vulnerability scanner should no longer see TLS 1.0 offered by the workstation's listening services. Note that this is a configuration change rather than a patch, and that the script leaves TLS 1.1, which Microsoft deprecated at the same time, untouched; repeat the four commands against the TLS 1.1 keys if you want to retire it too.
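The same hardening as a PowerShell script, added here as an example that is not part of the original article. It goes a step further than the reg.exe commands above by covering TLS 1.1 as well as TLS 1.0 and by reading the values back afterwards so you can confirm what was written. It assumes an elevated session; the function and variable names are my own.

```powershell
# Added example (not from the original article): disable TLS 1.0 and TLS 1.1 for
# both the Client and Server sides of Schannel, then read the values back.
# Assumes an elevated (Administrator) PowerShell session. Schannel only picks the
# values up after a reboot, so the report shows what is configured, not what is live.
#Requires -RunAsAdministrator

$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# The article disables TLS 1.0 only; TLS 1.1 is included because Microsoft
# deprecated both protocols at the same time.
$Protocols = @('TLS 1.0', 'TLS 1.1')
$Sides     = @('Client', 'Server')

function Disable-LegacyTlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [ValidateSet('Client', 'Server')] [string] $Side
    )
    $keyPath = Join-Path $SchannelRoot "$Protocol\$Side"
    # The per-protocol subkeys do not exist on a default install; -Force creates the path.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # Enabled = 0 turns the protocol off outright; DisabledByDefault = 1 stops Schannel
    # from offering it unless an application explicitly asks for it.
    New-ItemProperty -Path $keyPath -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $keyPath -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-LegacyTlsProtocolState {
    param([string] $Protocol, [string] $Side)
    $keyPath = Join-Path $SchannelRoot "$Protocol\$Side"
    $props = if (Test-Path $keyPath) { Get-ItemProperty -Path $keyPath } else { $null }
    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled } else { '(not set)' }
        DisabledByDefault = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(not set)' }
    }
}

foreach ($p in $Protocols) {
    foreach ($s in $Sides) {
        Disable-LegacyTlsProtocol -Protocol $p -Side $s
    }
}

# Verification: every row should read Enabled = 0 and DisabledByDefault = 1.
$report = foreach ($p in $Protocols) {
    foreach ($s in $Sides) {
        Get-LegacyTlsProtocolState -Protocol $p -Side $s
    }
}
$report | Format-Table -AutoSize
```

Reboot after running it. One caveat worth knowing: applications built on .NET Framework do not always follow the Schannel defaults unless they are configured to use the system default TLS versions, so test line-of-business apps on a pilot machine before a fleet-wide push.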

Group Policy

If you’re using Active Directory and your computers are joined to a domain, you can use Group Policy Management on your domain controllers to create a policy that will allow you to disable TLS 1.0 on all of your machines. Similar to the script, the Group Policy will add registry edits that prevent TLS 1.0 from being enabled.

Log into your domain controller and open Group Policy Management, create a new GPO and name it, then open Computer Configuration > Preferences > Windows Settings > Registry. You will create four registry items: two values under each of two keys.

For the first item, choose the HKEY_LOCAL_MACHINE hive, set the key path to "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client," and set the value name to Enabled, with a value type of REG_DWORD and a value of 0.


The second item uses the same Client key path, with the value name DisabledByDefault, again REG_DWORD, with a value of 1.

The third and fourth items use the key path "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server." As you can see, this time you are targeting the server side of TLS 1.0, the connections the workstation accepts.

Under that Server key, create Enabled as a REG_DWORD with a value of 0, and finally DisabledByDefault as a REG_DWORD with a value of 1.

Once your GPO has been created, link it to the OUs that contain your workstations. If you want to stage the rollout, put the computers in a security group and use that group for security filtering on the GPO; the group needs both Read and Apply group policy permissions, and since the MS16-072 change in 2016 policies are read with the computer account, so leave Authenticated Users (or Domain Computers) with Read permission when you remove it from Apply.

Done correctly, your computers pick up the registry values at their next policy refresh (gpupdate /force or a reboot), and because Schannel only reads them at startup, TLS 1.0 is actually off after the reboot that follows. You can confirm on a client with gpresult /r to see that the GPO applied and reg query against the TLS 1.0 keys to see the values.
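The same GPO built from PowerShell with the GroupPolicy module, added here as an example that is not part of the original article. It writes the four TLS 1.0 values with Set-GPRegistryValue, links the GPO to an OU, and reads the settings back so they can be reviewed before rollout. The GPO name, the OU distinguished name and the variable names are placeholders I chose; it assumes the RSAT GroupPolicy module is installed and the session runs as an account allowed to create and link GPOs.

```powershell
# Added example (not from the original article): build the TLS 1.0 hardening GPO
# from PowerShell instead of clicking through Group Policy Management.
# Assumes the GroupPolicy RSAT module and rights to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'Disable TLS 1.0 (Schannel)'                 # placeholder name
$TargetOu = 'OU=Workstations,DC=example,DC=com'           # placeholder; use your OU's DN

# Registry.pol paths use the HKLM\ prefix rather than the HKLM:\ drive syntax.
$SchannelRoot = 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Reuse the GPO if it already exists, otherwise create it.
try {
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop
} catch {
    $gpo = New-GPO -Name $GpoName -Comment 'Disables TLS 1.0 client and server in Schannel'
}

foreach ($side in 'Client', 'Server') {
    $key = "$SchannelRoot\TLS 1.0\$side"
    # The same four values the article creates by hand under Preferences > Windows Settings > Registry.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'Enabled'           -Type DWord -Value 0 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'DisabledByDefault' -Type DWord -Value 1 | Out-Null
}

# Link the GPO to the OU holding the workstations, unless it is already linked there.
$existingLink = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read back what the GPO will push so the four values can be checked before rollout.
foreach ($side in 'Client', 'Server') {
    Get-GPRegistryValue -Name $GpoName -Key "$SchannelRoot\TLS 1.0\$side" |
        Select-Object @{ n = 'Side'; e = { $side } }, ValueName, Type, Value
}
```

Set-GPRegistryValue stores the settings as a policy (Registry.pol) rather than as the Preferences items the article builds in the console, but both land on the same HKLM values on the client. In either case the values are not under the Policies keys, so they remain on the machine if the GPO is later unlinked; that is acceptable for a hardening setting, but worth knowing if you ever need to roll it back.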

Conclusion

Security is one of my great passions, and making sure that my computers are secure is as important to me as anything else. It is critical for organizations and IT users to remain abreast of changes in the security landscape, staying ahead of any malicious actors looking to take advantage of exploits and vulnerabilities that exist in the wild.

Disabling deprecated TLS protocols is a critical step you can take in helping to secure your environment, reducing your attack surface and helping to prevent a potentially damaging breach.

If this article wasn't enough to convince you, please feel free to read up on the Browser Exploit Against SSL/TLS, or BEAST, published in 2011. BEAST turns TLS 1.0's own CBC mode against it: in TLS 1.0 the initialization vector for each record is the last ciphertext block of the previous record, so an attacker who can both observe your traffic and make your browser send chosen requests can guess plaintext one byte at a time and recover secrets such as session cookies. TLS 1.1 fixed this with an explicit per-record IV, which is one of the reasons TLS 1.0 should not be on the wire any more.

If you enjoyed reading this article, please feel free to check out my other Medium articles, and to visit my LinkedIn, where I am active and always willing to chat about all things AWS, and I’d never say no to a beer or a coffee.


AWS Cloud Architect specializing in migration & Terraform/CloudFormation-based scalable cloud solutions. Passionate about agile, efficient cloud adoption.