How to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 in Windows 10

65,496 views

InfoSec Governance

4 years ago

This video shows you how to disable support for older, weaker SSL protocols such as SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1.
These weak SSL protocols are regularly picked up on security audits as well as Cyber Essentials assessments, and can be easily remediated.
Go into regedit, then go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
From there, create a new key for each of 'SSL 2.0', 'SSL 3.0', 'TLS 1.0' and 'TLS 1.1',
for instance: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
Then create a Client and a Server key inside the protocol you are disabling, for instance:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
Then create a DWORD value called 'Enabled' with the default value of 0. If the value is 1, then this enables the weaker protocol.
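The same steps as a script, with a read-back of the result. This is an added example, not code from the video or from InfoSec Governance; the function names are hypothetical, and the 'DisabledByDefault' value is not in the description above but is the second value discussed in the comments on this page.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the regedit steps described above.
$Base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$Protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$Roles     = 'Client', 'Server'

function Disable-LegacyProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Protocol = $Protocols)
    foreach ($p in $Protocol) {
        foreach ($r in $Roles) {
            $key = Join-Path $Base "$p\$r"
            if (-not $PSCmdlet.ShouldProcess($key, 'Set Enabled=0, DisabledByDefault=1')) { continue }
            # Create the protocol key and its Client/Server subkey only when missing,
            # so values already present under an existing key are left alone.
            if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
            # 'Enabled' = 0 is the value the steps above describe.
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
            # 'DisabledByDefault' = 1 is an addition taken from the comment thread,
            # not from the description.
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-LegacyProtocolState {
    foreach ($p in $Protocols) {
        foreach ($r in $Roles) {
            $key = Join-Path $Base "$p\$r"
            # A missing key or value means the setting has never been configured.
            $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = if ($v -and $v.PSObject.Properties['Enabled']) { $v.Enabled } else { 'not set' }
            $dbd     = if ($v -and $v.PSObject.Properties['DisabledByDefault']) { $v.DisabledByDefault } else { 'not set' }
            [pscustomobject]@{ Protocol = $p; Role = $r; Enabled = $enabled; DisabledByDefault = $dbd }
        }
    }
}

Disable-LegacyProtocol -WhatIf      # preview the keys that would be written
# Disable-LegacyProtocol            # apply to all four protocols
Get-LegacyProtocolState | Format-Table -AutoSize
```

Run it from an elevated PowerShell session. As the replies in the comments note, reboot the machine before re-scanning.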
Email: info@isgovern.com
Connect with InfoSec Governance at:
► WEBSITE: isgovern.com
► LINKEDIN: / isgovern
► TWITTER: / isgovern

Comments: 60
@Good-Enuff-Garage 1 year ago
this was the best instructional video I have seen in my life, more videos like this one on EVERYTHING please
@saikrishnavinjamuri4058 3 years ago
Thank you so much for the video.. watching this I disabled TLS old versions in a server.. thanks again
@Isgovern 3 years ago
Not a problem, thanks for watching. Glad we could help
@mayhemresurrection 2 years ago
Thank you very much :-)
@infosec3592 2 years ago
Congratulations for the explanation! Example: I have an application on IIS, I scanned it and it presented me with weak ciphers using vulnerable protocols such as SSLv2, SSLv3, TLS 1.0 and TLS 1.2. I managed to disable the protocols, will my application after disabling the protocols work normally?
@Isgovern 2 years ago
Hello, yes it should; those older, weaker protocols won't impact any communication on newer browsers/systems, unless your application is designed for those older protocols.
@Serpentar9000 2 years ago
Hello, thx for this video. Quick question - does this apply to RDP connection as well?
@Isgovern 2 years ago
Hello, yes it will, disabling these older SSL and TLS protocols will apply to everything that uses secure connections on the Windows device.
@alhakam70 8 months ago
many thanks dear
@Isgovern 2 months ago
Not a problem
@Stan-mh7bf 3 years ago
Nice video mate! How does it correspond to settings that can be found in Control Panel? Specifically I mean under Control Panel\Network and Internet -> Internet Options -> Advanced tab-> Security -> Use SSL 3.0/Use TLS 1.0/Use TLS 1.1
@Isgovern 3 years ago
Hi, thanks for the feedback. The registry settings differ as they are configured at a computer/system level. Whereas under the Internet Options section, this is only telling the browser (primarily Internet Explorer/Edge) to only use the options which are specified. For example, if you were hosting a website and you wanted to disable TLS 1.0, you'd have to do this via the Registry as shown in the video. Hope this helps.
@UnderTheRaiN. 1 year ago
@Isgovern yeah that helped a lot
@jay20061995 1 year ago
Hello, if I disable SSL 3.0 with only the Server entry (without Client), then what happens?
@bigodi182 1 year ago
Thanks
@infosec3592 2 years ago
I saw some comments about FTP in the video. If I had an FTP on IIS and disabled vulnerable protocols, would that impact FTP functionality? Would I have to make any more changes to the settings?
@Isgovern 2 years ago
No, it won't. Even using FTPS over SSL on newer systems won't cause any issues.
@reneekoebler663 3 months ago
@Isgovern I was audited and these were open. How can I test on a Windows server since sslscan doesn't work?
@Isgovern 3 months ago
@reneekoebler663 Hello, have a look in the registry and check the values. This website can help you: learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs
@Screew55 2 years ago
Hello, thx for the video. I created the Enabled and DisabledByDefault DWORD and set Enabled -> 0, DisabledByDefault -> 1, but it doesn't work. If I check the Control Panel\Internet Option\Advanced, I see that TLS 1.0 is active.
@Isgovern 2 years ago
Hello, if you are looking in the Control Panel section, this is mainly for support for web browsers. The changing of the registry key is separate to this and will disable TLS on the actual machine. If you wanted to disable TLS support in the browser as well (which would stop the browser accessing any old sites with TLS 1.0/TLS 1.1) you can disable this option.
@aliceantony462 3 years ago
Hi, so the DWORD DisabledByDefault is not required, is it? Cos I had to disable one of the ciphers and I made the value for Enabled 0, but that did not work
@Isgovern 3 years ago
Hello, yes, creating the DisabledByDefault key and setting the Enabled value to 0 is required to disable the specified protocol. Have you rebooted the computer? Have you checked for typos?
@aliceantony462 3 years ago
@Isgovern - I did not try to analyse the issue further. I used DisabledByDefault key to remediate the vulnerability.
@jaybigboy34 3 years ago
Can you show us how to do this in a group policy for multiple computers? Thank you
@Isgovern 3 years ago
Hi, sure I'll do a quick video on this using group policy next week for you.
@jaybigboy34 3 years ago
@Isgovern thank you
@slymaneem 3 years ago
What is the difference between server and client in the keyword? I adjusted it like this video on my server, but the remote server couldn't connect to my webservice. What should I do?
@Isgovern 3 years ago
Hello, when it comes to server and client: the server part is used with a web server or some kind of software which will be presenting information to the web browser (the client), whereas the client part is used to tell the operating system or web browser what security ciphers/protocols can be used and accepted from the web server. Regarding your webservice, we can't really support you on this, but if it's exposed on the internet you could test it against www.ssllabs.com/ssltest/ to see if it highlights anything.
@marclewis6799 3 years ago
What did you use to do the sslscan? You were originally in PowerShell, then switched to something else to do the scan?
@Isgovern 3 years ago
Hello Marc, in the video we were using Kali Linux and the tool 'sslscan'. It's primarily designed for Linux-based systems, but you can also get it working on Windows. You can find their GitHub page here: github.com/rbsec/sslscan
@marclewis6799 3 years ago
@Isgovern Thanks. I got the Kali Linux box set up, but now I get a connection refused. I assume it is the firewall blocking; I set up a rule to allow, but it doesn't seem to be working as the connection is still being refused or rejected
@Isgovern 3 years ago
@marclewis6799 Weird, not seen that before. Can you browse the site with a web browser over SSL?
@marclewis6799 3 years ago
@Isgovern There is no site, just trying to check a Windows 10 machine and disable old protocols. Once I verify it works I will implement the disablement of the protocols via group policy as you recommended. Just trying to verify the disablement is working.
@deepamahadevan4803 2 years ago
Hi, do we get successfully connected to TLS 1.0 and TLS 1.1 in the vulnerability report post changes done?
@Isgovern 2 years ago
Hello, if you would like to check that TLS 1.0/TLS 1.1 has been disabled you can either run another vulnerability scan report via something like OpenVAS, Nessus Essentials, or via an OpenSSL command such as "openssl s_client -connect www.myhost.something:443 -tls1", however you would have to download and install OpenSSL on a Windows machine.
@peternguyen9382 3 years ago
If we disable the SSL we ensure the web application hosted in the server will be accessed only via HTTP (no HTTPS). Am I right to say that? Right now I am struggling to config my web application on IIS that serves only the HTTP. Thanks
@Isgovern 3 years ago
Hello Peter, in this video, we aren't exactly talking about disabling SSL, but disabling support for various SSL protocols, which the web server and web browser use to communicate and transfer content. If your web server has HTTPS set up then as long as you don't disable all the SSL protocols, you can still serve web traffic over HTTPS without any issues. Usually within IIS, your website will have HTTP and HTTPS bindings on the same configuration page of the web application. Hope this makes things a bit clearer.
@peternguyen9382 3 years ago
@Isgovern Thanks so much.
@user-bb1jn9jf6n 1 year ago
😊
@user-bb1jn9jf6n 1 year ago
❤😂🎉😢😮😅😊
@Ayrzens 4 years ago
It always says cannot connect to this page (KZfaq) on my PC cuz it said it has expired/unsafe TLS settings, can u help?
@Isgovern 3 years ago
Hello, this could be a number of things, but sounds like there is something intercepting and forwarding your traffic to KZfaq. Have a look at any browser add-ons that you have installed, have a look at your router. Does this happen on every device?
@Ayrzens 3 years ago
InfoSec Governance no and I gave up on hope
@rcooper9110 3 months ago
Question - why are we adding the SSL components? Don't we want to use SSL 2.0 and 3.0?
@Isgovern 2 months ago
Hello, SSLv2 and SSLv3 are now deemed obsolete and insecure as defined by the industry. TLS 1.2 and above is now recommended to be used.
@Bookemon-lo4ho 1 year ago
Should I select QWORD if it is for 64-bit?
@UnderTheRaiN. 1 year ago
no
@vinodkp1 2 years ago
Hi, I have disabled TLS 1.0 but still showing vulnerability in Nessus scan report
@Isgovern 2 years ago
Hello, have you disabled the client and server sections? Has the machine been rebooted? Check the results from Nessus and try and compare with your results.
@TheChatterCafe 3 years ago
Was it enabled or disabled when there were no directories and DWORDs?
@Isgovern 3 years ago
Hello, by default if there are no entries, the values are enabled by default. Adding the keys with values will disable them.
@TheChatterCafe 3 years ago
@Isgovern thank you.
@ultraweapon1004 1 year ago
I have found a website in which TLS 1.0 is enabled. Is this a vulnerability? Can I report it?
@Isgovern 1 year ago
It's not really a vulnerability. You could recommend to them that they disable it and use TLS 1.2 or higher instead and see what happens
@slingerjoe6724 2 years ago
rebooting the machine for this to work is flawed... what about when you want to disable TLS 1.0 and 1.1 on a production server hosting multiple clients? you can't exactly reboot it. Surely Microsoft thought of this? I wouldn't be surprised if they didn't
@Isgovern 2 years ago
Yeah, that's the problem with registry-based systems. You may be able to try restarting the web server service, but that will also impact service. If it's production, ideally you will have load balancers in place and multiple web servers to keep service up during maintenance windows.
@goolark 1 year ago
Thank you. This Windows 10 has been doing my head in. They removed the SSL 2.0 protocol control from the snap-in, and you're left to do whatever you can. Thank you, kind person. I made a registry file and now I just import it on the problem machines.