Anybody please help in this regard, as this is an urgent requirement to mitigate TLS 1.0 & TLS 1.1.
Safely disabling TLS through GPO
Hello Team,
In our environment, the Users and Computers OU contains one GPO in which the user settings policy is set to allow
Recent vulnerability scans for a few servers report that these particular servers are vulnerable to TLS 1.0 and TLS 1.1, and now we need to disable TLS 1.0 & 1.1 on these servers safely through GPO.
How do we apply the setting to remove the vulnerability on these servers only?
As of now, other servers are not being reported as vulnerable even though the same existing GPO is applied to them also.
Our quick need is to get rid of the exposure of these particular servers to these TLS 1.0 & 1.1 vulnerabilities.
Any help is greatly appreciated.
Limitless Technology 39,931 Reputation points
2022-08-09T14:16:26.123+00:00
Hi there,
You can use Group Policy Preferences to disable or enable TLS 1.0 by setting the registry key mentioned at this link: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings
This article explains the supported registry setting information for the Windows implementation of the Transport Layer Security (TLS) protocol and the Secure Sockets Layer (SSL) protocol through the Schannel Security Support Provider (SSP). The registry subkeys and entries covered in this topic help you administer and troubleshoot the Schannel SSP, specifically the TLS and SSL protocols.
Disabling SSL 2.0, SSL 3.0, TLS 1.0 protocols in Domain Controllers https://learn.microsoft.com/en-us/answers/questions/288924/disabling-ssl-20-ssl-30-tls-10-protocols-in-domain.html
I hope this information helps.
-
Techshan 241 Reputation points
2022-08-09T14:22:02.893+00:00
Hi,
Thanks for your reply, but the question here is that an existing GPO (User settings) is already applied to these servers, through which TLS 1.0 & 1.1 are caught. How do we resolve these vulnerabilities without disturbing other servers in the same OU through a new GPO?
-
Techshan 241 Reputation points
2022-08-11T06:46:27.19+00:00
Found that the vulnerabilities are exposed due to the below setting
We are planning to create a new GPO, link it to the Users and Computers OU with high precedence, and apply it only to the affected servers through security filtering, in which the TLS 1.0 & TLS 1.1 GPP settings are to be disabled to mitigate the vulnerabilities.
-
Techshan 241 Reputation points
2022-08-28T14:01:50.993+00:00
Hello everyone,
Finally the goal was achieved when we linked a new GPO to the OU where the server resides and denied the old existing GPO for the particular server through security filtering in the Users and Computers OU.