
# Disable legacy TLS

Disabling deprecated TLS protocol versions is an essential step to ensure secure communication between Devolutions Server components. Legacy protocols such as **SSL 2.0**, **SSL 3.0**, **TLS 1.0**, and **TLS 1.1** are vulnerable and should not be used in production environments.

#### Recommended configuration

* Disable SSL and legacy TLS versions on all systems hosting Devolutions Server components. Only TLS 1.2 and TLS 1.3 should remain enabled.
* Review and restrict cipher suites to prevent the use of weak or outdated algorithms. Ensuring modern and secure cipher suites reduces the risk of downgrade attacks.
* Validate compatibility before deployment. Some older applications or clients may not support modern TLS versions. Testing in a controlled environment is recommended to avoid service disruption.

#### Implementation guidelines

The following methods can be used to disable vulnerable protocol versions on Windows Server:

* Group Policy: Configure TLS settings under ***Computer Configuration*** – ***Administrative Templates*** – ***Network*** – ***SSL Configuration Settings***.
* Registry configuration: TLS protocols can be enabled or disabled manually by adjusting the corresponding keys under:\
  `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols`
* IIS configuration: Ensure that only secure TLS versions and cipher suites are active for all web-based components.

{% hint style="info" %}
Microsoft has written a guide on [TLS version enforcement capabilities now available per certificate binding on Windows Server 2019](https://learn.microsoft.com/en-us/security/engineering/disable-legacy-tls).
{% endhint %}
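
The registry method listed above can be scripted. The following PowerShell is an added example, not part of the Devolutions documentation: it reports the current state of each protocol key under the SCHANNEL path and then sets the legacy versions to disabled. The function names `Get-SchannelProtocolState` and `Set-SchannelProtocolState` are hypothetical, and the script assumes the standard SCHANNEL `Enabled` and `DisabledByDefault` DWORD values and an elevated session.

```powershell
# Added example. Run elevated; restart the server afterwards so SCHANNEL reloads the keys.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Desired state: legacy versions off, TLS 1.2 explicitly on.
# TLS 1.3 is left at the OS default because not every Windows Server version supports it.
$desired = [ordered]@{
    'SSL 2.0' = $false; 'SSL 3.0' = $false
    'TLS 1.0' = $false; 'TLS 1.1' = $false
    'TLS 1.2' = $true
}

function Get-SchannelProtocolState {
    foreach ($proto in $desired.Keys) {
        foreach ($role in 'Server', 'Client') {
            $props = Get-ItemProperty -Path (Join-Path $base "$proto\$role") -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                # A missing value means the OS default applies, which differs by Windows version.
                Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

function Set-SchannelProtocolState {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($proto in $desired.Keys) {
        foreach ($role in 'Server', 'Client') {
            $key = Join-Path $base "$proto\$role"
            if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$([int]$desired[$proto])")) {
                # Create the key only if absent so existing values are not wiped.
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                Set-ItemProperty -Path $key -Name Enabled -Value ([int]$desired[$proto]) -Type DWord
                Set-ItemProperty -Path $key -Name DisabledByDefault -Value ([int](-not $desired[$proto])) -Type DWord
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize   # record the state before changing anything
Set-SchannelProtocolState -WhatIf                     # preview only; remove -WhatIf to apply
```

Run `Get-SchannelProtocolState` again after the restart and keep the output alongside the scan results from the verification step.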

#### Compliance and best practices

Disabling legacy TLS is consistent with the requirements of several security standards. This helps reduce exposure to known protocol vulnerabilities and improves the overall security posture of the platform.

#### Verification

After applying the configuration, it is recommended to validate the setup using a TLS scanning tool to ensure that only approved protocol versions and cipher suites are enabled.

