Disable Legacy TLS

Disabling deprecated TLS protocol versions is an essential step to ensure secure communication between Devolutions Server components. Legacy protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are vulnerable and should not be used in production environments.

  • Disable SSL and legacy TLS versions on all systems hosting Devolutions Server components. Only TLS 1.2 and TLS 1.3 should remain enabled.

  • Review and restrict cipher suites to prevent the use of weak or outdated algorithms. Ensuring modern and secure cipher suites reduces the risk of downgrade attacks.

  • Validate compatibility before deployment. Some older applications or clients may not support modern TLS versions. Testing in a controlled environment is recommended to avoid service disruption.

Implementation guidelines

The following methods can be used to disable vulnerable protocol versions on Windows Server:

  • Group Policy: Configure TLS settings under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings.

  • Registry configuration: TLS protocols can be enabled or disabled manually by adjusting the corresponding keys under:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

  • IIS configuration: Ensure that only secure TLS versions and cipher suites are active for all web-based components.
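The registry method above, worked through as an added PowerShell example (this is not a script shipped with Devolutions Server). It writes the `Enabled` and `DisabledByDefault` values for both the `Server` and `Client` sub-keys of each protocol under the SCHANNEL `Protocols` key named in the guidelines; the protocol key names are the ones SCHANNEL recognises, and the value of `1` for `Enabled` is the form used in current Microsoft documentation.

```powershell
# Added example, not from the Devolutions documentation.
# Disables SSL 2.0 / SSL 3.0 / TLS 1.0 / TLS 1.1 and explicitly enables TLS 1.2 / TLS 1.3
# for both the Server and Client roles. Run from an elevated PowerShell session;
# SCHANNEL reads these keys at boot, so a reboot is required for the change to take effect.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol key name -> desired state.
$protocols = [ordered]@{
    'SSL 2.0' = $false
    'SSL 3.0' = $false
    'TLS 1.0' = $false
    'TLS 1.1' = $false
    'TLS 1.2' = $true
    'TLS 1.3' = $true   # honoured on Windows Server 2022 and later; older builds ignore the key
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($role in 'Server', 'Client') {
        $path = Join-Path (Join-Path $base $Name) $role
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Enabled = 0 turns the protocol off outright.
        # DisabledByDefault = 1 keeps it off unless an application requests it explicitly.
        New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Reads the keys back so the resulting state can be reviewed (or exported for change records).
function Get-SchannelProtocolState {
    foreach ($name in $protocols.Keys) {
        foreach ($role in 'Server', 'Client') {
            $path = Join-Path (Join-Path $base $name) $role
            $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
            [pscustomobject]@{
                Protocol          = $name
                Role              = $role
                Enabled           = if ($null -ne $props) { $props.Enabled } else { '(not set)' }
                DisabledByDefault = if ($null -ne $props) { $props.DisabledByDefault } else { '(not set)' }
            }
        }
    }
}

foreach ($entry in $protocols.GetEnumerator()) {
    Set-SchannelProtocol -Name $entry.Key -Enabled $entry.Value
}
Get-SchannelProtocolState | Format-Table -AutoSize
```

Keys that are absent fall back to the operating system defaults, which is why the script creates every key explicitly rather than only touching the protocols it disables. Apply it first on a test host, as the compatibility point above advises, since any client that can only speak TLS 1.0 or 1.1 will stop connecting as soon as the host reboots.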

Compliance and best practices

Disabling legacy TLS is consistent with the requirements of several security standards. This helps reduce exposure to known protocol vulnerabilities and improves the overall security posture of the platform.

Verification

After applying the configuration, it is recommended to validate the setup using a TLS scanning tool to ensure that only approved protocol versions and cipher suites are enabled.
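As an added example of the check described above (not part of the Devolutions documentation, and not a replacement for a full TLS scanner), the following PowerShell function attempts a handshake against a server with each protocol version in turn using .NET's `SslStream` and reports which versions the server accepts. `$TargetHost` and `$Port` are placeholders for the Devolutions Server endpoint under test.

```powershell
# Added example, not from the Devolutions documentation.
# Probes a TLS endpoint once per protocol version and records whether the handshake succeeded.
# Run it from a machine other than the one being hardened: the local SCHANNEL policy applies to
# the client side too, so a version disabled locally would show as "rejected" regardless of the server.
function Test-TlsProtocolSupport {
    param(
        [Parameter(Mandatory)][string]$TargetHost,   # placeholder: the server to test
        [int]$Port = 443                             # placeholder: the HTTPS port in use
    )
    $results = [ordered]@{}
    foreach ($name in 'Ssl3', 'Tls', 'Tls11', 'Tls12', 'Tls13') {
        # Older .NET Framework builds do not define Tls13; report that rather than failing.
        try { $proto = [System.Security.Authentication.SslProtocols]$name }
        catch { $results[$name] = 'not supported by the local .NET runtime'; continue }

        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($TargetHost, $Port)
            # Certificate validation is deliberately accepted here: the question is only which
            # protocol version the server negotiates, not whether its certificate chains correctly.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            $ssl.AuthenticateAsClient($TargetHost, $null, $proto, $false)
            $results[$name] = "accepted ($($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm))"
            $ssl.Dispose()
        } catch {
            # A refused handshake (or a version the client library itself refuses) lands here.
            $results[$name] = 'rejected'
        } finally {
            $client.Dispose()
        }
    }
    return $results
}

# Usage: only Tls12 (and Tls13 where the OS supports it) should report "accepted".
Test-TlsProtocolSupport -TargetHost 'dvls.example.invalid' -Port 443 | Format-Table -AutoSize
```

A result where `Tls`, `Tls11` or `Ssl3` still reports `accepted` means the registry or Group Policy change has not taken effect on that host (typically because it has not yet been rebooted) or that the endpoint is served by a component with its own TLS configuration, such as an IIS binding, that also needs to be reviewed.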
