Afiniti Exchange AD

asked on

Impact of disabling TLS 1.0.

Impact of disabling TLS 1.0 on Windows 7 in the corporate network. What components/features will be impacted?
J0rtIT

Hi Afiniti, at the start we would need to know what your environment is.
What is the version of your servers, and what services do you have?

We can't really answer this question with zero information from your end.
Here's how this works.

TLSv1.0 + TLSv1.1 are both deprecated + should be retired on all servers - Web, mail, etc...

Once TLSv1.0 + TLSv1.1 are disabled/retired on all server instances, any outdated clients which haven't been updated in years may have problems connecting to your servers.

Any clients so old they have problems connecting should be upgraded or replaced with newer clients (Web/Mail browsers).
Disabling TLS 1.0 from a client level means connecting to any resources from the Windows 7 machines with TLS 1.0 disabled will enforce a higher level (typically TLS 1.2), which means wherever you are connecting to needs to have that level enabled. Thankfully most sites today do, since as mentioned TLS 1.0 and TLS 1.2 were recommended disabled due to the POODLE vulnerability. But be cautioned that some sites still operate on TLS 1.0, so you may have connectivity issues.

If you want to test the site and it is available publicly, then you can do that here:  https://www.ssllabs.com/ssltest/
If you want to test the client you can do so here: https://www.howsmyssl.com/
There are other potential issues, such as Outlook and RDP. It's not just web browsers. We had an issue with Windows 7 not having an updated RDP client. The older RDP client doesn't support TLS 1.1 or 1.2.
You are talking about disabling a connection protocol on a client system.


The impact will depend on the resources, application servers.

In short, the change will prevent applications running on the Windows 7 client from accessing older systems where TLS 1.0 might be the only available protocol.

What is the reason you are considering this move?

The Windows system is presumed to be a client system, i.e. you do not have IIS, SQL etc. installed on it such that it is functionally a "server" on which other systems in the environment rely.
If this system functions as a "server", disabling TLS 1.0 would require all other systems to support the other available cipher/encryption.
As has been stated above, we can't offer definitive answers without knowing what systems you rely on.

As a generic answer however:
TLS 1.0 is primarily used for web site connectivity but is also used for connections within many applications.
Disabling it will have no effect at all if none of the websites/applications you use require it.

But what if they do?
Any websites or applications relying on TLS 1.0 will either stop working or will show connection errors.

I therefore recommend taking a look at any connectivity your system relies on, particularly using port 443 (HTTPS) before disabling TLS1.0.
If you struggle to be sure, disable it on a small number of machines across the business first as a test to see what is affected.
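
The connectivity review recommended above can be partly automated. The following is an added example, not part of the original thread: it handshakes with each endpoint as a client that refuses anything below TLS 1.2 and sorts the results into rollout buckets. The TLS 1.2 floor, the function names and the `example.internal` hosts are assumptions made for illustration.

```python
import socket
import ssl


def probe_tls12_floor(host, port=443, timeout=5.0):
    """Handshake as a client that refuses TLS 1.0/1.1; return (status, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor after the change
    # Only protocol support is measured here, so certificate checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", tls.version())
    except (ssl.SSLError, OSError) as exc:
        # Refused protocol version, reset, or timeout during the handshake.
        return ("handshake_failed", str(exc))
    finally:
        raw.close()


def triage(results):
    """Sort {endpoint: (status, detail)} into rollout buckets."""
    buckets = {"ok": "safe", "handshake_failed": "at_risk", "unreachable": "recheck"}
    report = {"safe": [], "at_risk": [], "recheck": []}
    for endpoint, (status, _detail) in sorted(results.items()):
        report[buckets[status]].append(endpoint)
    return report


# Constructed sample results (hypothetical internal hosts, not from the thread).
SAMPLE = {
    "intranet.example.internal:443": ("ok", "TLSv1.2"),
    "legacy-app.example.internal:443": ("handshake_failed", "protocol version alert"),
    "mail.example.internal:993": ("ok", "TLSv1.3"),
    "old-nas.example.internal:443": ("unreachable", "timed out"),
}

if __name__ == "__main__":
    # Live use: results = {f"{h}:{p}": probe_tls12_floor(h, p) for h, p in inventory}
    for bucket, endpoints in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(endpoints) or '-'}")
```

This measures only what each server accepts. Client applications such as the older RDP client mentioned in the thread still need testing on a pilot machine.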
ASKER CERTIFIED SOLUTION
Adam Leinss
This solution is only available to members.
Hi Afiniti Exchange AD,

Just a few months ago I wrote an article related to this issue. It has steps for enabling TLS 1.1+ on your web browsers, along with the compatibility of those browsers.

The article is here: https://www.experts-exchange.com/articles/33210/How-to-Manually-Enable-TLS-1-1-and-Newer-on-Your-Web-Browser.html

As far as disabling TLS 1.0, you shouldn't run into many problems with websites, as most of the websites that use TLS have disabled 1.0 in order to stay PCI compliant. It would be hard to say without knowledge of your infrastructure if that would affect your client/server architecture. However, as far as I know, TLS versions are generally backwards compatible, allowing you to use higher versions without a hiccup. Of course that is common practice for web servers, and again, it would be hard to say if it would affect your infrastructure without knowledge of it.

Hopefully this helps,

Devin Becker
When you start disabling it, or any other setting for that matter, use a phase-in policy.

Phasing in a Group Policy
https://www.experts-exchange.com/articles/29716/Phasing-in-a-Group-Policy.html