none
TLS Settings Changed, But I Didn't Do This. RRS feed

  • Question

  • Hello,

    I'm running Windows 7 Professional 32 bit, with all Windows updates and Kaspersky Internet Security installed and updated. We suddenly started getting a phishing warning message every time my husband tried to log on to his Outlook Web Application from home. I use Outlook that's part of Office 2010. I checked the status of SSL/TLS settings of the Internet Explorer browser, and discovered that only TLS 1.0 was checked.

    I read on blogs.msdn.com (published 11/13) that TLS 1.0, 1.1, and 1.2 are enabled by default on Internet Explorer 11. I haven't been tinkering with these settings. BTW, TLS 1.0, 1.1, and 1.2 are all checked/enabled in my husband's user account settings, and in those of the Administrator account. It's only mine that are different, and I am the main user of this computer. What could possibly have changed these settings? I don't run anything in Compatibility Mode.

    I have run a full scan in Kaspersky Internet Security, the Microsoft Malicious Software Removal Tool, and the Microsoft Safety Scanner, AKA the Microsoft Emergency Response Tool. Nothing shows anything amiss. nstat -ano shows no rogue connections on the network.

    Is the change in these settings something to be concerned about? Should we have TLS 1.0 disabled due to BEAST? I appreciate your help and advice. 

    Wednesday, August 26, 2015 4:30 PM

Answers

  • Hi,

    Go to the registry location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    A DWORD named SecureProtocols and assign a value of 2688 (TLS 1.0 1.2 1.1 all checked) or 128 (only TLS 1.0 checked).

    We could use process monitor to monitor this registry to find out the culprit.

    If you just need this setting never be changed, here is a group policy for that

    Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support

    Enable it and chose the TLS 1.0 1.1 and 1.2->apply

    Then setting will be locked and never changed back.

    process monitor

    https://technet.microsoft.com/en-us/library/bb896645.aspx?f=255&MSPPError=-2147217396

    Regards

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Tergiversada Tuesday, September 1, 2015 4:22 PM
    Thursday, August 27, 2015 3:04 AM
    Moderator
  • Hi,

    You suspect about Spyware is possible, some software might change this settings to lower the Internet Explorer Security level. But I don’t think that happened due to low level of encryption. Nevertheless, from now on if the setting never be changed back again, all good to go, but if this issue happens again, please apply the policy as mentioned in my first reply. Or we can monitor that to find out which process touched the registry entry, but believe me, it means lots of time and work.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Tergiversada Tuesday, September 1, 2015 4:22 PM
    Monday, August 31, 2015 2:10 AM
    Moderator

All replies

  • Hi,

    Go to the registry location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    A DWORD named SecureProtocols and assign a value of 2688 (TLS 1.0 1.2 1.1 all checked) or 128 (only TLS 1.0 checked).

    We could use process monitor to monitor this registry to find out the culprit.

    If you just need this setting never be changed, here is a group policy for that

    Administrative Templates > Windows Components > Internet Explorer > Internet Explorer Control Panel > Advanced Page > Turn Off Encryption Support

    Enable it and chose the TLS 1.0 1.1 and 1.2->apply

    Then setting will be locked and never changed back.

    process monitor

    https://technet.microsoft.com/en-us/library/bb896645.aspx?f=255&MSPPError=-2147217396

    Regards

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Tergiversada Tuesday, September 1, 2015 4:22 PM
    Thursday, August 27, 2015 3:04 AM
    Moderator
  • Thank you for your prompt reply. Last night when I discovered that only TLS 1.0 was checked, I immediately enabled TLS 1.1 and 1.2, so that all three are now checked. I just now looked at the registry and the DWORD value of Secure Protocols is indeed 2688.

    My main concern was how the setting had changed from the defaults--I didn't know whether it was possible for a malicious process to do so, or what to look for since all virus scans had come back clean. Is it possible that my system has been compromised due to this low level of encryption? I don't know how long it has been set this way. I appreciate your help.

     
    Thursday, August 27, 2015 11:57 PM
  • Hi,

    You suspect about Spyware is possible, some software might change this settings to lower the Internet Explorer Security level. But I don’t think that happened due to low level of encryption. Nevertheless, from now on if the setting never be changed back again, all good to go, but if this issue happens again, please apply the policy as mentioned in my first reply. Or we can monitor that to find out which process touched the registry entry, but believe me, it means lots of time and work.

    Regards,

    D. Wu


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by Tergiversada Tuesday, September 1, 2015 4:22 PM
    Monday, August 31, 2015 2:10 AM
    Moderator
  • Thank you for your reply. I will monitor the settings and if they should change again, I will apply the policy as mentioned above and possibly look into process monitor. Hopefully it won't come to that. Thank you for your help!
    Tuesday, September 1, 2015 4:21 PM