GPO to disable SSL 3.0

    Question

  • I am going to create a GPO to disable SSL 3.0 using the following:

    • Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy

    You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.

    1. Open Group Policy Management.
    2. Select the group policy object to modify, right click and select Edit.
    3. In the Group Policy Management Editor, browse to the following setting:

    Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support

    1. Double-click the Turn off Encryption Support setting to edit the setting.
    2. Click Enabled.
    3. In the Options window, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2".
      1. Note: It is important to check consecutive versions. Not selecting consecutive versions (e.g. checking TLS 1.0 and 1.2, but not checking 1.1) could result in connection errors.
    4. Click OK.

    I am going to link the GPO to the OU where my computers are located.  My question is should I also link this GPO to the domain controllers OU?  Thanks.

    Thursday, December 04, 2014 6:41 PM

Answers

  • If this is in regards to POODLE, I would recommend yes, just to ensure your environment is on the same level.

    I have not seen or heard of any issue with DC's/Exchange/etc.

    Thursday, December 04, 2014 6:45 PM

All replies

  • I have also gone through disabling weak ciphers along with SSL as an extra precaution. But it would require a restart to take effect.

    Windows Registry Editor Version 5.00

    ; Weak SCHANNEL cipher suites: Enabled=0 removes them from negotiation
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    "Enabled"=dword:00000000

    ; Legacy protocols, server side only (the Client subkeys are not touched here)
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000

    Thursday, December 04, 2014 6:48 PM
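    The .reg file above only writes the SCHANNEL Server subkeys, while the GPO in the question configures Internet Explorer, so after the reboot and a gpupdate both changes are worth verifying on a sample machine. The following PowerShell audit is an added example, not code from this thread; it assumes the IE policy lands in the standard SecureProtocols value under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (a location the page itself does not name).

```powershell
# Added audit script (not from the original thread). Reads the SCHANNEL keys set by the
# posted .reg file and decodes the IE "Turn off encryption support" policy value.
# The .NET registry API is used on purpose: the PowerShell registry provider treats the
# "/" in cipher key names such as "RC4 40/128" as a path separator and cannot open them.
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelEnabled {
    param([string]$SubKey)
    $key = $hklm.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $key) { return 'not set (OS default applies)' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'key present, Enabled not set' }
        if ($v -eq 0) { 'disabled' } else { 'enabled (0x{0:X8})' -f $v }
    } finally { $key.Close() }
}

# Exactly the keys from the posted .reg file: weak ciphers plus server-side legacy protocols.
$checks = @(
    'Ciphers\DES 56/56', 'Ciphers\NULL',
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 64/128',
    'Protocols\PCT 1.0\Server', 'Protocols\SSL 2.0\Server', 'Protocols\SSL 3.0\Server'
)
foreach ($c in $checks) {
    '{0,-28} {1}' -f $c, (Get-SchannelEnabled $c)
}

# IE policy written by the GPO in the question (assumed location, see lead-in).
# SecureProtocols is a bitmask: SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512, TLS 1.2 = 2048.
$bits   = [ordered]@{ 'SSL 2.0' = 8; 'SSL 3.0' = 32; 'TLS 1.0' = 128; 'TLS 1.1' = 512; 'TLS 1.2' = 2048 }
$polKey = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings')
$sp     = if ($null -ne $polKey) { $polKey.GetValue('SecureProtocols') } else { $null }
if ($null -eq $sp) {
    'IE SecureProtocols policy: not applied on this machine (run gpupdate /force and re-check)'
} else {
    $on = $bits.Keys | Where-Object { ($sp -band $bits[$_]) -ne 0 }
    'IE SecureProtocols policy: 0x{0:X} -> {1}' -f $sp, ($on -join ', ')
    if (($sp -band 32) -ne 0) { 'WARNING: SSL 3.0 is still enabled for Internet Explorer' }
}
if ($null -ne $polKey) { $polKey.Close() }
```

    A machine where the GPO from the question applied correctly reports 0xA80 (TLS 1.0, TLS 1.1, TLS 1.2); "not set" for an SCHANNEL key means the OS default is in effect, not that the protocol is disabled.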
  • Hi,

    In addition to the suggestions provided by The Grim, regarding SSL 3.0, the following blog can be referred to for more information.

    POODLE Vulnerability: Padding Oracle on Downgraded Legacy Encryption

    http://blogs.msdn.com/b/kaushal/archive/2014/10/22/poodle-vulnerability-padding-oracle-on-downgraded-legacy-encryption.aspx

    Best regards,

    Frank Shen


    Monday, December 29, 2014 2:10 AM
    Moderator