TLS/SSL Security Hardening

Purpose

This solution validates and hardens the system's SSL/TLS configuration by disabling insecure protocols (SSL 3.0, TLS 1.0 and TLS 1.1) and ensuring that the weak cipher suites listed below are disabled for both server and client communications. It also verifies that TLS 1.2 and TLS 1.3 are enabled where supported. Additionally, the solution configures .NET Framework strong cryptography settings to help maintain application compatibility after the legacy protocols are disabled. An optional setting either enforces an immediate reboot once hardening completes or presents users with reboot prompts to complete the changes. The solution verifies the following cipher suites (each uses CBC mode or static RSA key exchange, which provides no forward secrecy):

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Note: the Solution - Reboot Pending Prompt must be imported to use the reboot prompt feature.
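The check described above, as an added read-only example in PowerShell (not the solution's own Validate script). It assumes Windows Server 2016 / Windows 10 or later for Get-TlsCipherSuite, treats OS build 20348 (Server 2022) and later as TLS 1.3 capable, and changes nothing on the system:

```powershell
# Added example (not the solution's own Validate script): a read-only PASS/FAIL
# check of the settings described above. Assumes Windows Server 2016 / Windows 10
# or later for Get-TlsCipherSuite, and treats build 20348+ (Server 2022) as TLS 1.3
# capable (assumption). Run from an elevated PowerShell session; it changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$weakSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',       'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',       'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256')
$failures = New-Object System.Collections.Generic.List[string]

function Get-RegDword([string]$Path, [string]$Name) {
    # $null when the key or value is absent, i.e. SChannel falls back to its OS default
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
# 1. Protocols: legacy versions must be explicitly off for both roles;
#    TLS 1.2 (and TLS 1.3 where supported) must not have been switched off.
$build = [Environment]::OSVersion.Version.Build
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    if ($proto -eq 'TLS 1.3' -and $build -lt 20348) { continue }
    $wantEnabled = $proto -in 'TLS 1.2', 'TLS 1.3'
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base "$proto\$role"
        $en  = Get-RegDword $key 'Enabled'
        $dbd = Get-RegDword $key 'DisabledByDefault'
        if ($wantEnabled) {
            if ($en -eq 0 -or $dbd -eq 1) { $failures.Add("$proto $role is disabled") }
        } elseif ($en -ne 0 -or $dbd -ne 1) {
            $failures.Add("$proto $role not explicitly disabled (need Enabled=0, DisabledByDefault=1)")
        }
    }
}

# 2. .NET Framework strong crypto, so managed apps negotiate TLS 1.2+ once legacy is gone.
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    foreach ($v in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        if ((Get-RegDword $net $v) -ne 1) { $failures.Add("$v <> 1 under $net") }
    }
}

# 3. None of the weak suites may remain in the enabled cipher-suite list.
$enabled = (Get-TlsCipherSuite).Name
foreach ($s in $weakSuites) {
    if ($enabled -contains $s) { $failures.Add("Weak cipher suite still enabled: $s") }
}

if ($failures.Count -eq 0) { Write-Output 'PASS: TLS/SSL hardening is in place'; exit 0 }
Write-Output 'FAIL:'; $failures | ForEach-Object { Write-Output "  - $_" }; exit 1
```

A protocol key that is absent entirely is reported as a failure on purpose: on older Windows builds the absent key means the legacy protocol is still enabled by default, so only an explicit Enabled=0 / DisabledByDefault=1 pair counts as hardened.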

Associated Content

Content | Type | Function
cPVAL TLS Hardening | Custom Field | Custom field used to enable TLS hardening for workstations and servers.
cPVAL TLS SSL Hardening Required | Custom Field | Populated by the Validate TLS SSL Hardening script; flags devices that require TLS/SSL hardening to meet security best practices.
cPVAL Enable Reboot Prompts | Custom Field | Enables reboot prompts following TLS hardening. Requires the Solution - Reboot Pending Prompt to be enabled in the environment.
Validate TLS SSL Hardening | Script | Validates that insecure protocols (SSL 3.0, TLS 1.0, TLS 1.1) and the specified weak cipher suites are disabled at both the server and client levels, and that TLS 1.2 and TLS 1.3 are enabled where supported. Reports a clear PASS/FAIL status without making any changes.
Enforce TLS SSL Hardening | Script | Enforces Windows TLS/SSL hardening by disabling legacy protocols (SSL 3.0, TLS 1.0 and TLS 1.1), enabling the supported modern TLS versions (TLS 1.2 and TLS 1.3), configuring .NET Framework strong cryptography settings to help maintain application compatibility once legacy protocols are disabled, removing weak TLS cipher suites, and optionally initiating a reboot or enabling the Solution - Reboot Pending Prompt to notify users that a restart is required for the changes to take effect. Note: the custom field cPVAL Enable Reboot Prompts must be selected and the Solution - Reboot Pending Prompt must be imported to use the reboot prompt feature.
Execute - Validate TLS SSL Hardening - Workstations | Scheduled Automation | Triggers the Validate TLS SSL Hardening script on Windows workstations.
Execute - Validate TLS SSL Hardening - Servers | Scheduled Automation | Triggers the Validate TLS SSL Hardening script on Windows servers.
Execute - Enforce TLS SSL Hardening - Workstations | Compound Condition | Triggers the Enforce TLS SSL Hardening script on Windows workstations where cPVAL TLS Hardening is set to either Windows Workstations or Windows Devices.
Execute - Enforce TLS SSL Hardening - Servers | Compound Condition | Triggers the Enforce TLS SSL Hardening script on Windows servers where cPVAL TLS Hardening is set to either Windows Servers or Windows Devices.

Implementation

FAQ

Q. Can the scripts be used independently?

  • Yes. Both scripts can be used independently; however, the associated custom fields must be imported into the environment for the scripts to function correctly.

Q. Can Enforce TLS SSL Hardening run automatically to enforce hardening?

  • No. The Validate TLS SSL Hardening script should be executed first, as it flags the machines that require SSL hardening.

Changelog

2026-06-24

  • Updated the available options for the custom field cPVAL TLS Hardening.
  • Updated the compound condition configurations to use the updated options of the custom field.

2026-06-18

  • Initial version of the document