At this point SSLv3 is somewhat old news, but there are still businesses that have SSLv3 (and worse, sometimes SSLv2) enabled on their client machines. This leaves them open to a number of security vulnerabilities that are easy to exploit (e.g. POODLE). The purpose of this post is to show you how to disable the insecure protocols on standalone workstations, or via Group Policy if you are on a corporate network with a domain controller.
Method 1 – Standalone Workstation
- Open Control Panel
- Click on Internet Options
- Click on the Advanced tab
- Scroll all the way to the bottom and un-check Use SSL 2.0 and Use SSL 3.0
- If you know your environment can do without it, I would also recommend un-checking Use TLS 1.0 as well for good measure
Method 2 – Group Policy
Note: This example was done on a Windows Server 2008 R2 domain controller using the Group Policy Management Console. I cannot verify that the steps are identical on other versions of the Windows Server operating system.
- Open the Run prompt on your server (Windows + R), type in gpmc.msc, then click OK
- Once the console opens, create a new Group Policy Object and give it a descriptive name (e.g. Disable Client SSL, or fold it into a blanket Network Security Policy)
- Link this policy to the appropriate OUs and security groups; I’d recommend applying it to the entire domain. Next, right-click on the policy and click Edit
- Navigate to User Configuration>Policies>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Advanced Page
- Double-click on Turn off encryption support, set it to Enabled, and make sure Use TLS 1.0, TLS 1.1, and TLS 1.2 is selected under the options
- Just like Method 1, if you know that you don’t need to support TLS 1.0 on your client machines, go ahead and choose Use TLS 1.1 and TLS 1.2 under the options instead
- Click OK, then close out of the Group Policy Management Editor and the Management Console
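Both methods end up writing the same SecureProtocols DWORD bitmask under the Internet Settings registry keys (the per-user key for Method 1, the Policies key for Method 2). The following PowerShell audit script is an added example, not part of the original post; it assumes Microsoft's documented bit values for that DWORD (SSL 2.0 = 0x8, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800) and reports which protocols a workstation currently has enabled, optionally correcting the user setting to match the "Use TLS 1.0, TLS 1.1, and TLS 1.2" option.

```powershell
# Audit the SSL/TLS checkboxes behind Internet Options and the GPO setting above.
# Added example (not from the original post). Assumes the documented SecureProtocols
# bitmask; run as the user whose settings you want to inspect. -Fix rewrites the
# user value to 0xA80 (TLS 1.0/1.1/1.2) unless a policy value is already enforced.
param([switch]$Fix)

$Flags = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$Insecure = 'SSL 2.0', 'SSL 3.0'

# Per-user preference written by the Internet Options checkboxes (Method 1)
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# Policy value written by "Turn off encryption support" (Method 2); it overrides the user key
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-SecureProtocols {
    param([string]$Key)
    (Get-ItemProperty -Path $Key -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
}

function Show-Protocols {
    param([int]$Value, [string]$Source)
    Write-Host ("SecureProtocols = 0x{0:X} ({1})" -f $Value, $Source)
    foreach ($name in $Flags.Keys) {
        $on = ($Value -band $Flags[$name]) -ne 0
        $state = if ($on -and $name -in $Insecure) { 'ENABLED  <-- insecure, disable this' }
                 elseif ($on) { 'enabled' } else { 'disabled' }
        Write-Host ("  {0,-8} {1}" -f $name, $state)
    }
}

$policy = Get-SecureProtocols $PolicyKey
$user   = Get-SecureProtocols $UserKey
if ($null -ne $policy)   { Show-Protocols $policy 'enforced by Group Policy' }
elseif ($null -ne $user) { Show-Protocols $user 'user setting' }
else                     { Write-Host 'SecureProtocols not set; the OS default applies' }

if ($Fix -and $null -eq $policy) {
    # 0xA80 = TLS 1.0 + TLS 1.1 + TLS 1.2; use 0xA00 if TLS 1.0 is not needed (see Method 1)
    Set-ItemProperty -Path $UserKey -Name SecureProtocols -Value 0xA80 -Type DWord
    Write-Host 'SecureProtocols set to 0xA80 (SSL 2.0/3.0 disabled); restart the browser to apply'
}
```

When a policy value is present the script reports it instead of the user value, which is also a quick way to confirm the GPO from Method 2 has actually reached the workstation after a gpupdate.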
Thank you for reading, I hope this has helped you out!