Enforcing TLS, SSL, and cipher settings on workstation and server?

djoye (joined Aug 31, 2004)
Don't know if this should be in the Operating Systems forum or if this area is appropriate.

I have a Microsoft domain-controlled network. Do I need to disable vulnerable or deprecated web encryption protocols via Group Policy on the workstations, or do I simply need to ensure my web servers are configured correctly, or both?
 
Both. However, it's much harder to force stuff on the client side because of legacy applications. I still have to enable SSLv3 from time to time to log in to really old interfaces.

The general sentiment right now is that you should be disabling anything < TLS 1.1 on all of your servers, and I would say you can disable anything < TLS 1.0 on your workstations. If you can disable TLS 1.0 on your workstations, great, but there certainly are going to be applications impacted by it. One of the biggest gotchas comes from RDP. If you disable TLS 1.0 on your Windows 7 workstations, you need to make sure you have updated the client to the latest version or you will break RDP, as it relied on TLS 1.0 when it was released.

For a MITM attack, disabling the weak ciphers will be the best option for your workstations. Even on Server 2016 / Windows 10 there are some weak algorithms enabled by default that you can turn off so someone can't do a downgrade attack. RC4 can certainly be turned off, for example.
 
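The registry side of what the reply above describes, as an added example (not code from the thread or from any poster). Schannel keeps separate Client (outbound, e.g. the RDP client, IE, .NET apps) and Server (inbound, e.g. IIS, the RDP listener) switches per protocol, which is why the workstation and server questions get different answers. The script audits the current state, disables the protocols and RC4 cipher keys you pass in, and sets the two .NET Framework 4.x values that stop older applications from pinning themselves to TLS 1.0. Run it elevated with -WhatIf first; the same values can be pushed domain-wide through Group Policy Preferences > Registry, and none of them take effect until the host reboots. The default protocol and cipher lists are assumptions to be trimmed for your environment:

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread: audit and harden Schannel on one host.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed defaults: drop 'TLS 1.0' on hosts that still need it (e.g. Windows 7
    # boxes whose RDP client has not been updated, or legacy line-of-business apps).
    [string[]]$DisableProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0'),
    # Cipher subkey names as Schannel spells them; note the '/' in the names.
    [string[]]$DisableCiphers   = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128')
)

$Schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelProtocolState {
    # Lists the explicit registry flags per protocol and role. A missing value
    # means the OS default applies, and that default varies by Windows version.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $item = Get-ItemProperty -Path "HKLM:\$Schannel\Protocols\$proto\$role" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = if ($null -eq $item -or $null -eq $item.Enabled) { '(OS default)' } else { $item.Enabled }
                DisabledByDefault = if ($null -eq $item -or $null -eq $item.DisabledByDefault) { '(OS default)' } else { $item.DisabledByDefault }
            }
        }
    }
}

function Disable-SchannelProtocol {
    param([string]$Protocol)
    foreach ($role in 'Client', 'Server') {
        $path = "HKLM:\$Schannel\Protocols\$Protocol\$role"
        if ($WhatIfPreference) { Write-Host "What if: setting Enabled=0, DisabledByDefault=1 under $path"; continue }
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Both values matter: Enabled=0 blocks the protocol outright, while
        # DisabledByDefault=1 keeps callers that ask for "system defaults" off it.
        Set-ItemProperty -Path $path -Name 'Enabled'           -Value 0 -Type DWord
        Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 1 -Type DWord
    }
}

function Disable-SchannelCipher {
    param([string]$Cipher)
    # The PowerShell registry provider treats '/' as a path separator, so a key
    # named 'RC4 128/128' cannot be created with New-Item; use the .NET API.
    $subKey = "$Schannel\Ciphers\$Cipher"
    if ($WhatIfPreference) { Write-Host "What if: setting Enabled=0 under HKLM:\$subKey"; return }
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($subKey)
    try     { $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

function Enable-DotNetStrongCrypto {
    # .NET Framework 4.x apps that never set ServicePointManager.SecurityProtocol
    # can stay on SSL3/TLS1.0 and break once the OS disables them; these two
    # values make them follow the OS protocol defaults instead.
    foreach ($net in 'SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $path = "HKLM:\$net"
        if (Test-Path $path) {
            Set-ItemProperty -Path $path -Name 'SchUseStrongCrypto'        -Value 1 -Type DWord
            Set-ItemProperty -Path $path -Name 'SystemDefaultTlsVersions' -Value 1 -Type DWord
        }
    }
}

Write-Host 'Before:'; Get-SchannelProtocolState | Format-Table -AutoSize
$DisableProtocols | ForEach-Object { Disable-SchannelProtocol -Protocol $_ }
$DisableCiphers   | ForEach-Object { Disable-SchannelCipher   -Cipher   $_ }
Enable-DotNetStrongCrypto
Write-Host 'After (reboot required for Schannel to pick this up):'; Get-SchannelProtocolState | Format-Table -AutoSize
```

Usage: save as Harden-Schannel.ps1 and run `.\Harden-Schannel.ps1 -WhatIf`, then without -WhatIf. On a workstation that must still reach an SSLv3-only interface or serve RDP to unpatched Windows 7 clients, pass `-DisableProtocols 'SSL 2.0','SSL 3.0'` and revisit TLS 1.0 once those dependencies are gone; disabling only the Server role for TLS 1.0 is also an option when the inbound side is the concern.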
As bman212121 said, you will have to watch for apps that won't support TLS 1.2, or, even worse, require an upgrade to support it, and then, in order to run the new software, you have to upgrade your hardware. Research everything and price it out up front, and hold your vendors' feet to the fire.
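One way to find those apps before and after a change, as an added example (not code from the thread or from any poster): Schannel writes handshake failures to the System event log, so a quick query turns up the clients and services that are still asking for protocols or ciphers you have switched off. Event 36871 is what a local application typically triggers when it requests a protocol that is now disabled, 36874 is logged when a remote client offers nothing the server accepts, and 36887/36888 record a fatal TLS alert received from or sent to the peer. The default Schannel logging level records errors, which is enough for these. The -Days window is an assumption:

```powershell
# Added example, not code from the thread: summarise recent Schannel handshake
# failures from the System log so legacy clients and apps can be tracked down.
param([int]$Days = 7)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36871, 36874, 36887, 36888
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) { Write-Host "No Schannel failures logged in the last $Days day(s)."; return }

function Get-Excerpt([string]$Text, [int]$Max = 120) {
    # Collapse whitespace and trim, since the full messages are several lines long.
    $flat = $Text -replace '\s+', ' '
    if ($flat.Length -le $Max) { $flat } else { $flat.Substring(0, $Max) + '...' }
}

# Count by event ID and show the most recent message for each; the message
# usually names the protocol version or alert code the peer asked for.
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        Id     = $_.Name
        Count  = $_.Count
        Latest = $latest.TimeCreated
        Sample = Get-Excerpt $latest.Message
    }
} | Format-Table -AutoSize -Wrap
```

Run it on the server you plan to tighten and watch the counts for a week or two; an empty result after the change is the evidence that nothing on the network still depends on TLS 1.0 or RC4. Where a protocol change is already breaking something, 36871 on the workstation side or 36874 on the server side points at the affected application much faster than waiting for users to report it.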
 