The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet on eliminating obsolete Transport Layer Security (TLS) configurations. Although the guidance is not exactly new, the information sheet identifies strategies to detect obsolete cipher suites and key exchange mechanisms, discusses recommended TLS configurations, and provides remediation recommendations for organizations using obsolete TLS configurations. What I do like about the guidance is that they offer advice on traffic blocking.
Re: NSA Releases Guidance on Eliminating Obsolete TLS
I saw this today as it popped up on the Reddit sysadmin forum. I'll agree that it's one of the better government documents I've seen on the topic. It's more straightforward about what you should do and lacks the cover pages and other language not needed to mitigate; much more straightforward. I also appreciate the list of many scanners on the GitHub link. There were a few in there I hadn't used, and I like the results page more than the ones I had been using.
For those not familiar, the best way to implement, in Windows IIS servers at least, is to utilize the IIS Crypto utility. That will save you from modifying multiple registry keys and makes backing up the original keys easy.