Recommended vs required support can be two different things. If you are required to maintain support for TLSv1, allowing BEAST-vulnerable CBC ciphers is the better option vs RC4 (SSL Labs grade will be higher). If you are not required to support TLSv1 (PCI-DSS no longer allows TLSv1 for new implementations), then disabling TLSv1 and RC4 is the best course of action. Disabling 3DES is something all on its own. If you can afford to disable TLSv1 then you can probably afford to disable 3DES as well, as IE on Windows XP will be left in the cold by disabling either one. 'DEFAULT:!RC4:!3DES:!TLSv1' will leave you in a good security posture, but users still wanting to use IE on Windows XP will not be able to connect (they can still use Chrome or Firefox).
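An added example, not part of the original post: a check, using Python's `ssl` module, of what a policy like the one above leaves enabled on the local OpenSSL build. The helper names are hypothetical, and the protocol is turned off through `minimum_version` (set to TLS 1.2 here, an assumption that also drops TLS 1.1) rather than through a `!TLSv1` token, since cipher-string syntax differs between TLS stacks.

```python
import ssl

# Cipher part of the policy discussed above; the protocol floor is set separately.
HARDENED_CIPHERS = "DEFAULT:!RC4:!3DES"


def build_context(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Server-side context with a protocol floor and a cipher string applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version  # assumption: TLS 1.2 floor disables TLSv1
    ctx.set_ciphers(cipher_string)     # raises ssl.SSLError if nothing matches
    return ctx


def audit(ctx):
    """Report which suites remain and which fall into the classes named above."""
    suites = ctx.get_ciphers()
    names = [s["name"] for s in suites]
    # Non-AEAD suites are the CBC-mode ones once RC4 is excluded.
    non_aead = [s["name"] for s in suites if not s.get("aead")]
    # BEAST only matters for CBC suites when TLSv1 (or lower) can be negotiated.
    tls10_possible = ctx.minimum_version <= ssl.TLSVersion.TLSv1
    return {
        "enabled": names,
        "rc4": [n for n in names if "RC4" in n],
        "3des": [n for n in names if "3DES" in n or "DES-CBC3" in n],
        "cbc": [n for n in non_aead if "RC4" not in n],
        "beast_exposed_cbc": non_aead if tls10_possible else [],
    }


if __name__ == "__main__":
    report = audit(build_context(HARDENED_CIPHERS))
    print("suites enabled:      ", len(report["enabled"]))
    print("RC4 suites:          ", report["rc4"])
    print("3DES suites:         ", report["3des"])
    print("CBC suites remaining:", len(report["cbc"]))
    print("BEAST-exposed CBC:   ", report["beast_exposed_cbc"])
```

CBC suites can still appear in the `cbc` list after hardening; they are only counted as BEAST-exposed when the context can negotiate TLSv1.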