In an effort to better secure my organization I have been wanting to disable all SSL/TLS protocol versions below TLS 1.1 on one of my internal servers. The problem I was running into was that some people in my organization still like to use Internet Explorer for some reason.
Well Internet Explorer doesn't enable the use of TLS 1.1 or TLS 1.2 by default for some stupid reason. Call me crazy, but wouldn't you want to have the best security possible enabled by default? I suppose you wouldn't if you were in cahoots with the NSA, but that is another story...
Anyway, so I wanted to make sure everyone who was using Internet Explorer in my organization could still access one of my internet web servers after I disabled TLS 1.0 and SSL 3.0. The way to do that is with a Group Policy Object (GPO), right? Well I had a heck of a time trying to find that setting when creating the GPO, but I finally found it under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support:
I know what you are thinking. I want to add TLS 1.1 and TLS 1.2 support, not remove it! Why the hell is the setting called Turn OFF Encryption Support? Well, the answer is that the same setting also lets you disable specific protocols, such as SSL 2.0.
Anyway, I set mine to allow SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. Not all public sites support TLS 1.1 or TLS 1.2 yet, so I didn't want to remove support for all of the older protocols yet. You can select which protocols you want to use in the drop-down box under Secure Protocol Combinations.
After applying my policy to my computers OU in Active Directory I ran gpupdate /force on my test computer, but noticed the change didn't take place until after a reboot. Still though, it worked like a charm!
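As an added example (not from the original post), here is a PowerShell check that decodes the SecureProtocols DWORD this policy writes, so you can verify on a client which protocols the GPO actually enabled once it has applied. It assumes the documented IE flag values and the standard policy (HKLM) and per-user (HKCU) registry paths.

```powershell
# Added example, not part of the original post.
# Bit values of the IE SecureProtocols DWORD (documented flag values);
# the TLS 1.3 bit only exists on newer Windows builds.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}

function ConvertFrom-SecureProtocols {
    # Return the names of the protocols whose bit is set in $Value
    param([Parameter(Mandatory)][int]$Value)
    $ProtocolBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function ConvertTo-SecureProtocols {
    # Build the DWORD for a list of protocol names, e.g. to compare with a GPO
    param([Parameter(Mandatory)][string[]]$Protocols)
    $mask = 0
    foreach ($p in $Protocols) {
        if (-not $ProtocolBits.Contains($p)) { throw "Unknown protocol name: $p" }
        $mask = $mask -bor $ProtocolBits[$p]
    }
    return $mask
}

function Get-IESecureProtocols {
    # Policy key written by the GPO (wins when present) and the per-user key IE uses otherwise
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -eq $item) { [pscustomobject]@{ Key = $path; Value = 'not set'; Enabled = ''; LegacyOn = $false }; continue }
        $enabled = @(ConvertFrom-SecureProtocols -Value $item.SecureProtocols)
        [pscustomobject]@{
            Key      = $path
            Value    = ('0x{0:X} ({0})' -f $item.SecureProtocols)
            Enabled  = ($enabled -join ', ')
            # Flag SSL 2.0/3.0 and TLS 1.0 so a client still allowing them stands out
            LegacyOn = [bool]($enabled | Where-Object { $_ -like 'SSL*' -or $_ -eq 'TLS 1.0' })
        }
    }
}

# The combination chosen above (SSL 3.0 + TLS 1.0 + TLS 1.1 + TLS 1.2) is 0xAA0 = 2720
ConvertTo-SecureProtocols -Protocols 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
Get-IESecureProtocols | Format-Table -AutoSize
```

If the HKLM policy row reads "not set" after gpupdate /force, the GPO has not applied yet, which matches the reboot behaviour observed above.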
Are you using TLS 1.1 or TLS 1.2 in your environment yet? Why or why not? Let us know in the comments!