Since there has been a lot of writing in Norwegian media about Norwegian Government pages that still use old protocols and ciphers, I decided to post a PowerShell script I use when I set up Windows Servers in order to disable the old protocols and ciphers.
NRK has written in detail how they conducted their research here https://nrkbeta.no/2016/03/30/slik-undersokte-nrk-offentlige-nettsteder/ (In Norwegian). I must say it is a great write-up from NRK and very interesting to read.
Digi also wrote about it here: http://www.digi.no/sikkerhet/2016/03/30/falsk-trygghet-pa-offentlige-nettsider (In Norwegian)
The PowerShell script I use can be downloaded here https://github.com/api0cradle/PowershellScripts/blob/master/Security/Disable-Legacy-Protocols-and-Ciphers.1.0.ps1 on my GitHub page.
You need to run this script elevated since it writes registry keys to sensitive locations. The script will check for elevation and give you a warning if you are not elevated. If your server is older than 2012 R2 you also need to install this hotfix before you run this script in order for it to work: https://support.microsoft.com/en-us/kb/2868725
After the script is run and you have rebooted your server the legacy protocols SSL3, SSL2 and TLS1.0 should be disabled as well as the RC4 ciphers. The registry should look like this:
I will not go into detail about why you should disable these, but trust me when I say that it is for better security in your encryption (POODLE etc). If you now run a new check against SSL Labs, your results should have improved.
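To confirm on the server itself that SSL2, SSL3, TLS1.0 and RC4 are disabled after the reboot, the following read-only check can be used; it is an added example, not the script linked above. The function name `Test-LegacySchannel` is hypothetical, the paths are the standard SCHANNEL registry locations, and it assumes PowerShell 3.0 or later and that only the `Server` side of each protocol matters.

```powershell
# Added example: read-only audit of the SCHANNEL settings discussed above.
# Test-LegacySchannel is a hypothetical name; it is not part of the linked script.
function Test-LegacySchannel {
    $base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    # Assumption: only the Server side of each protocol is audited (inbound TLS).
    $targets = @(
        "$base\Protocols\SSL 2.0\Server",
        "$base\Protocols\SSL 3.0\Server",
        "$base\Protocols\TLS 1.0\Server",
        "$base\Ciphers\RC4 128/128",
        "$base\Ciphers\RC4 56/128",
        "$base\Ciphers\RC4 40/128"
    )
    foreach ($path in $targets) {
        # The .NET registry API is used because cipher key names contain '/',
        # which the PowerShell registry provider treats as a path separator.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path)
        $enabled = $null
        if ($key) {
            $enabled = $key.GetValue('Enabled', $null)
            $key.Close()
        }
        # A missing key or value means the OS default applies, which on older
        # servers leaves the protocol or cipher available.
        if ($null -eq $enabled) { $state = 'NotConfigured' }
        elseif ($enabled -eq 0) { $state = 'Disabled' }
        else { $state = 'Enabled' }

        [pscustomobject]@{
            Setting = $path.Substring($base.Length + 1)
            Enabled = $enabled
            State   = $state
        }
    }
}

$results = Test-LegacySchannel
$results | Format-Table -AutoSize

# Flag anything that is not explicitly switched off.
$open = @($results | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning "$($open.Count) legacy setting(s) are not explicitly disabled."
}
```

The check only reads the registry, so it does not need to be followed by a reboot, and the same function can be run against servers configured through Group Policy Preferences.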
In Enterprise environments I use Group Policy Preferences to write the registry keys to all the servers instead of my script.
If you use a Linux-hosted system, I recommend that you Google how to disable them on your system.
Hope this will help you become more secure. 🙂