
Disabling Deprecated SSL and TLS versions with Group Policy

While working on a client’s system today, I noticed that some newer sites were pointing to an error that went something like this:

This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, it is possible that this site uses an unsupported protocol. Please contact the site administrator.

[Screenshot: Sample_Error]

This was on a site that should not have caused any issues, Southwest Airlines. A quick check showed that SSLv3 and TLS 1.0 were the only protocols enabled. Both are insecure, and SSLv3 is fully deprecated. A change was needed; however, the client required that the existing settings stay in place, with TLS 1.1 and TLS 1.2 added and made available without causing issues for end users.

[Screenshot: Initial_settings]

Enter Group Policy

There are two ways to go about this. One is through Group Policy User Preferences and the other is through hardened Computer Policies. While both accomplish the same goal, they do so in different ways. If you require that users be able to disable or re-enable other versions and you simply want to set defaults, User Preferences is the recommended choice. If you are looking for something more secure that users cannot change, go with Computer Policies.

User Preferences

If your requirements put your solution as User Preferences, open Group Policy management and either create a new policy or edit an existing policy. Make sure your policy is linked appropriately. Next navigate to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings and Create or Edit an Internet Explorer 10 setting.

[Screenshot: User_Preferences]

Once opened, go to the Advanced tab and select the versions you wish to add or remove.

[Screenshot: UserPreferencesSettings]

Apply, then perform a group policy update on an endpoint and user covered by this policy and verify that the settings have been updated. You will notice that the settings have changed, but remember: these are preferences, not enforced settings. An end user can still adjust them after the preference is applied, so you cannot fully control the result.

[Screenshot: UserPreferencesInAction]

Computer Policies

If your requirements put your solution under Computer Policy, open Group Policy Management and either create a new policy or edit an existing policy. Make sure your policy is linked appropriately. Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page and find “Turn off encryption support.” While this name sounds scary, never fear: you are only turning off encryption support as you see fit and ensuring that only the protocols you deem necessary are enabled.

[Screenshot: ComputerPolicyDisableEncryptionSupport]

Enable the setting if it is not already enabled and then select the combination of security protocols you wish to use, in this case SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

[Screenshot: ComputerPolicySettingsEnforced]

Apply, then perform a group policy update on an endpoint covered by this policy and verify that the settings have been updated.

[Screenshot: ComputerPolicyInAction]

You will notice that the settings have been updated and can no longer be changed. This prevents users from selecting insecure or unneeded protocols.
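Both the User Preference and the Computer Policy paths above end up writing the same Internet Explorer value, a DWORD named SecureProtocols that is a bitmask of the enabled protocol versions; the preference lands under HKCU and the policy lands under the HKLM Policies hive, which takes precedence when it is set. The following PowerShell script is an added example, not code from the original post. It decodes that bitmask from both locations so you can confirm after gpupdate which protocols are actually enabled on an endpoint and whether any deprecated ones remain, and it shows the mask value for the combination chosen in this post (SSL 3.0 plus TLS 1.0, 1.1 and 1.2). The bit values and registry paths are ones I am relying on from the IE documentation; the function and variable names are my own.

```powershell
# Added example (not from the original post): decode the Internet Explorer
# "SecureProtocols" bitmask from the user preference key and the machine
# policy key and report which protocol versions are enabled.

# Bit values IE uses in the SecureProtocols DWORD (per Microsoft docs)
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000   # only honoured on newer Windows builds
}

# Versions that should not remain enabled on a modern endpoint
$DeprecatedProtocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1')

# Where the two Group Policy methods from the post write the value
$Locations = [ordered]@{
    'Computer policy (enforced, takes precedence)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    'User preference (user can still change)'      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
}

# Turn a mask into the list of protocol names it enables
function Get-SecureProtocolNames {
    param([int]$Mask)
    $ProtocolFlags.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Turn a list of protocol names into the mask Group Policy would write
function Get-SecureProtocolMask {
    param([string[]]$Names)
    $mask = 0
    foreach ($name in $Names) { $mask = $mask -bor $ProtocolFlags[$name] }
    return $mask
}

# The combination selected in the post: SSL 3.0 + TLS 1.0 + TLS 1.1 + TLS 1.2
$expected = Get-SecureProtocolMask @('SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
Write-Output ("Expected mask for the post's selection: 0x{0:X} ({0})" -f $expected)

foreach ($entry in $Locations.GetEnumerator()) {
    $item = Get-ItemProperty -Path $entry.Value -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ("{0}: SecureProtocols not set" -f $entry.Key)
        continue
    }
    $mask    = [int]$item.SecureProtocols
    $enabled = @(Get-SecureProtocolNames -Mask $mask)
    Write-Output ("{0}: 0x{1:X} -> {2}" -f $entry.Key, $mask, ($enabled -join ', '))

    # Flag anything deprecated that is still switched on
    $weak = @($enabled | Where-Object { $DeprecatedProtocols -contains $_ })
    if ($weak.Count -gt 0) {
        Write-Warning ("{0}: deprecated protocols still enabled: {1}" -f $entry.Key, ($weak -join ', '))
    }
}
```

Run it in the context of an affected user after gpupdate /force. If the Computer Policy line shows a value, that is the effective setting regardless of what the user preference key says; if only the User Preference line is populated, the user can still change it through Internet Options. The warning lines are there so the script can double as a quick compliance check once you are ready to drop SSL 3.0 and TLS 1.0 from the selection.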

Hopefully you are able to use these settings to help enforce security across your organization.

