How to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in Windows 10 

InfoSec Governance

This video shows you how to disable support for older, weaker SSL/TLS protocols, such as SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1.
These weak protocols are regularly picked up in security audits and Cyber Essentials assessments, and can be easily remediated.
Go into regedit, then go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
From there, create a new key for each of 'SSL 2.0', 'SSL 3.0', 'TLS 1.0' and 'TLS 1.1',
for instance: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
Then create a Client and a Server key inside the protocol you are disabling, for instance:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Then create a DWORD value called 'Enabled' with the default value of 0. If the value is 1, this enables the weaker protocol.
Email: info@isgovern.com
Connect with InfoSec Governance at:
► WEBSITE: isgovern.com
► LINKEDIN: / isgovern
► TWITTER: / isgovern
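
The registry steps in the description above, scripted in PowerShell as an added example (not InfoSec Governance's own code). It sets 'Enabled' = 0 in both the Client and Server keys of all four protocols, then reads the values back; the DisabledByDefault value is not in the description and is taken from the comment thread on this page.

```powershell
# Added example. Run from an elevated PowerShell prompt.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$roles     = 'Client', 'Server'

foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $base $protocol) $role
        # Create Protocols\<protocol>\<role>; only when missing, so existing values are kept.
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # Enabled = 0 (DWORD) is the setting the description walks through.
        New-ItemProperty -LiteralPath $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        # DisabledByDefault = 1 (DWORD) is not in the description; it is the
        # companion value discussed in the comments.
        New-ItemProperty -LiteralPath $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Read the values back so typos in key or value names show up immediately.
$report = foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $key    = Join-Path (Join-Path $base $protocol) $role
        $values = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            Enabled           = $values.Enabled
            DisabledByDefault = $values.DisabledByDefault
            Disabled          = ($null -ne $values -and $values.Enabled -eq 0)
        }
    }
}
$report | Format-Table -AutoSize
```

As the replies in the comments point out, the machine has to be rebooted before the change takes effect.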

Published: 4 Nov 2019

Comments: 60
@Good-Enuff-Garage 11 months ago
this was the best instructional video I have seen in my life, more videos like this one on EVERYTHING please
@saikrishnavinjamuri4058 3 years ago
Thank you so much for the video.. watching this I disabled TLS old versions in a server.. thanks again
@Isgovern 3 years ago
Not a problem, thanks for watching. Glad we could help
@jay20061995 1 year ago
Hello, If I Disable SSL 3.0 with only Server entry (without Client). Then what happens???
@mayhemresurrection 2 years ago
Thank you very much :-)
@Serpentar9000 2 years ago
Hello, thx for this video. Quick question - does this apply to rdp connection as well?
@Isgovern 2 years ago
Hello, yes it will, disabling these older SSL and TLS protocols will apply to everything that uses secure connections on the Windows device.
@infosec3592 2 years ago
I saw some comments about FTP in the video and if I had an ftp on iis and disabled vulnerable protocols, would that impact FTP functionality? Would I have to make any more changes to the settings?
@Isgovern 2 years ago
No it won't. even using ftps over ssl on newer systems won't cause any issues.
@reneekoebler663 2 months ago
@@Isgovern I was audited and these were open how can I test on a windows server since sslscan doesn't work?
@Isgovern 2 months ago
@@reneekoebler663 Hello, if you have a look in the registry and check the values. This website can help you learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
@infosec3592 2 years ago
Congratulations for the explanation! Example: I have an application on IIS, I scanned it and it presented me with weak ciphers using vulnerable protocols such as SSLv2, SSLv3, TLS 1.0 and TLS 1.2. I managed to disable the protocols, will my application after disabling the protocols work normally?
@Isgovern 2 years ago
hello, yes it should, those older weaker protocols won't impact any communication on newer browsers/systems. unless your application is designed for those older protocols.
@aliceantony462 3 years ago
Hi, so is Dword, DisabledByDefault is not required is it? Cos I had to disable one of the Ciphers and I made the value for Enabled as 0, but that did not work
@Isgovern 3 years ago
Hello, yes creating the DisableByDefault key and setting the Enabled value to 0 is required to disable the specified protocol. Have you rebooted the computer? Have you checked for typos?
@aliceantony462 3 years ago
@@Isgovern - I did not try to analyse the issue further. I used DisabledByDefault key to remediate the vulnerability.
@Screew55 2 years ago
Hello, thx for the video. I created the Enabled and DisabledByDefault DWORD and set the Enabled -> 0, DisabledByDefault -> 1 but, don't work. If I check the Control Panel\Internet Option\Advanced, I see that the TLS 1.0 is active.
@Isgovern 2 years ago
Hello, if you are looking in the Control Panel section, this is mainly for support for web browsers. The changing of the registry key is separate to this and will disable TLS on the actual machine. If you wanted to disable TLS support in the browser as well (which would stop the browser accessing any old sites with TLS 1.0/TLS 1.1) you can disable this option.
@slymaneem 2 years ago
What is the difference between server and client in the keyword? I adjusted like this video in my server. But Remote server couldn't connect to my webservice. What should I do?
@Isgovern 2 years ago
Hello, when it comes to server and client. The server part is used when used with a web server or some kind of software which will be presenting information to the web browser (the client). Whereas the client part is used to tell the operating system or web browser what security ciphers/protocols can be used and accepted from the web server. Regarding your webservice, we can't really support you on this, but if it's exposed on the internet you could test it against www.ssllabs.com/ssltest/ to see if it highlights anything
@marclewis6799 3 years ago
what did you use to do the sslscan, you were originally in powershell, then switched to something else to do the scan?
@Isgovern 3 years ago
Hello Marc, in the video we were using Kali Linux and using the tool 'sslscan', it's primarily designed for Linux based systems, but you can also get it working on Windows. You can find their GitHub page here: github.com/rbsec/sslscan
@marclewis6799 3 years ago
@@Isgovern Thanks. I got the Kali Linux box setup, but now I get a connection refused, I assume it is firewall blocking, I setup a rule to allow, but doesn't seem to be working as the connection is still being refused or rejected
@Isgovern 3 years ago
@@marclewis6799 weird, not seen that before. Can you browse the site with a web browser over ssl?
@marclewis6799 3 years ago
@@Isgovern there is no site just trying to check a windows 10 machine and disable old protocols, once I verify it works I will implement the disablement of the protocols via group policy as you recommended. just trying to verify the disablement is working.
@alhakam70 7 months ago
many thanks dear
@Isgovern 2 months ago
Not a problem
@deepamahadevan4803 2 years ago
Hi do we get successfully connected to TLS 1.0 and TLS 1.1 in vulnerability report post changes done
@Isgovern 2 years ago
Hello, if you would like to check that TLS 1.0/TLS 1.1 has been disabled you can either run another vulnerability scan report via something like OpenVAS, Nessus Essentials, or via an OpenSSL command such as "openssl s_client -connect www.myhost.something:443 -tls1", however you would have to download and install OpenSSL on a Windows machine.
@Stan-mh7bf 3 years ago
Nice video mate! How does it correspond to settings that can be found in Control Panel? Specifically I mean under Control Panel\Network and Internet -> Internet Options -> Advanced tab-> Security -> Use SSL 3.0/Use TLS 1.0/Use TLS 1.1
@Isgovern 3 years ago
Hi, thanks for the feedback. The registry settings differ as they are configured at a computer/system level. Whereas under the Internet Options section, this is only telling the browser (primarily Internet Explorer/Edge) to only use the options which are specified. For example, if you were hosting a website and you wanted to disable TLS 1.0, you'd have to do this via the Registry as shown in the video. Hope this helps.
@UnderTheRaiN. 1 year ago
@@Isgovern yeah that helped a lot
@jaybigboy34 3 years ago
Can you show us how to do this in a group policy for multiple computers? Thank you
@Isgovern 3 years ago
Hi, sure I'll do a quick video on this using group policy next week for you.
@jaybigboy34 3 years ago
@@Isgovern thank you
@bigodi182 1 year ago
Thanks
@vinodkp1 2 years ago
Hi, I have disabled TLS 1.0 but still showing vulnerability in Nessus scan report
@Isgovern 2 years ago
Hello, have you disabled the client and server sections? Has the machine been rebooted? Check the results from Nessus and try and compare with your results.
@Bookemon-lo4ho 1 year ago
Should I select QWORD if it is for 64bit?
@UnderTheRaiN. 1 year ago
no
@ultraweapon1004 1 year ago
I have found a website in which TLS 1.0 is enabled. Is this a Vulnerability? Can I report it?
@Isgovern 1 year ago
it's not really a vulnerability, you could recommend to them that they disable it and use tls 1.2 or higher instead and see what happens
@rcooper9110 2 months ago
Question - why are we adding the SSL components? Don't we want to use SSL 2.0 and 3.0?
@Isgovern 2 months ago
Hello, SSLv2 and SSLv3 are now deemed obsolete and insecure as defined by the industry. TLS 1.2 and above is now recommended to be used.
@TheChatterCafe 3 years ago
was it enabled or disabled when there were no directories and DWORDs ?
@Isgovern 3 years ago
Hello, by default if there are no entries, the values are enabled by default. Adding the keys with values will disable them.
@TheChatterCafe 3 years ago
@@Isgovern thank you.
@peternguyen9382 3 years ago
if we disable the SSL we ensure the web application hosted in the server will be accessed only via http (no https ). am i right to say that. right now i am struggling to config my web application on IIS that server only the http. thanks
@Isgovern 3 years ago
Hello Peter, in this video, we aren't exactly talking about disabling SSL, but disabling support for various SSL protocols. which the web server and web browser use to communicate and transfer content. If your web server has HTTPS setup then as long as you don't disable all the SSL protocols, you can still serve web traffic over HTTPS without any issues. Usually within IIS, your website will have HTTP and HTTPS bindings on the same configuration page of the web application. Hope this makes things a bit clearer.
@peternguyen9382 3 years ago
@@Isgovern Thanks so much.
@user-bb1jn9jf6n 1 year ago
😊
@user-bb1jn9jf6n 1 year ago
❤😂🎉😢😮😅😊
@Ayrzens 3 years ago
It always says cannot connect to this page (RU-vid) on my pc cuz it said it has an expired /unsafe TLS settings can u help
@Isgovern 3 years ago
Hello this could be a number of things, but sounds like there is something intercepting and forwarding your traffic to RU-vid. Have a look at any browser add-ons that you have installed, have a look at your router. Does this happen on every device?
@Ayrzens 3 years ago
InfoSec Governance no and I gave up on hope
@slingerjoe6724 2 years ago
rebooting the machine for this to work is flawed... what about when you want to disable tls 1.0 and 1.1 on a production server hosting multiple clients? you can't exactly reboot it. Surely Microsoft thought of this? I wouldn't be surprised if they didn't
@Isgovern 2 years ago
Yeah that's the problem with registry based systems. You may be able to try restarting the web server service, but that will also impact service. If it's production ideally you will have load balancers in place and multiple web servers to keep service up during maintenance windows.
@goolark 1 year ago
Thank you. This Windows 10 has been doing my head in. They removed SSL 2.0 protocol management from the snap-in, and you're left to do whatever you want. Thank you, kind person. I made a registry file and now I just import it on the problem machines.