How to disable SSL v2 and SSL v3 on Windows Server via Group Policy

In this article I will show you how to disable the SSL v2 and SSL v3 protocols on Windows Server so that it no longer offers these deprecated (a.k.a. broken) protocols. It also does not hurt to apply these policy settings to your Windows client computers, in case any of them run IIS with a digital certificate enabled.

Note: If you are running a non-Microsoft web server such as Apache, you will need to contact that vendor for specific instructions on how to disable the protocols.

In my previous blog post, How to disable SSL v2 and SSL v3 on the client via Group Policy, I explained why SSL v2 and v3 are bad and showed you how to disable these protocols on the client. In this post I show you how to disable them in the OS so that the web server, LDAP or any other service that can use SSL/TLS will only use TLS v1.0 or greater.

The first step is to create a Group Policy that is targeted at the servers on which you want to disable SSL. Then open Computer Configuration > Preferences > Windows Settings > Registry and create two new “Registry Items” as follows:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
Name: Enabled
Value: REG_DWORD 0

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
Name: Enabled
Value: REG_DWORD 0

Restart the server and you should now be done.

Alternatively, if your server is not domain joined, you can save the registry information below as a .reg file and apply it to the server manually.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
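For servers where you want to script the same change (or just verify it before the reboot), here is an added PowerShell example that is not part of the original post. It writes the two SCHANNEL values the .reg file above sets and then reads them back; the registry paths are the ones from the post, and -WhatIf lets you preview without changing anything.

```powershell
# Added example (not from the original post): apply Enabled = 0 to the
# SSL 2.0 and SSL 3.0 Server keys, then read them back for verification.
# Run in an elevated PowerShell session; a reboot is still required.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0'

foreach ($proto in $protocols) {
    $key = "$base\$proto\Server"
    # The Protocols\<name>\Server key normally does not exist until you create it
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 0 (REG_DWORD)')) {
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

# Read back: a missing key or a non-zero Enabled value means the protocol
# may still be offered after the next reboot.
foreach ($proto in $protocols) {
    $key = "$base\$proto\Server"
    $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
    if ($enabled -eq 0) {
        $state = 'disabled'
    } else {
        $state = 'NOT disabled (Enabled value missing or non-zero)'
    }
    Write-Output ('{0,-8} Server: {1}' -f $proto, $state)
}
```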

Once you have applied the setting to the server it is best to reboot to ensure that the setting is properly applied. If your web server is on the internet, you can confirm that it has worked by using the http://ssllabs.com/ web site to perform a test against your site.

As you can see from the examples below, whether SSL v2 and v3 are enabled or disabled can make a world of difference to the security rating of your web site.


Additional references: http://disablessl3.com/

How to disable SSL v2 and SSL v3 on the client via Group Policy

This article will show you how to disable SSL v2 and SSL v3 in browsers on the client using Group Policy. The SSL v2 and SSL v3 protocols have for a long time been considered broken thanks to the many vulnerabilities found in them, such as BEAST and POODLE, to name but a few. While all newer browsers no longer have support for these protocols enabled by default, many web sites still support them due to legacy configuration. Therefore it’s still a good idea to turn off these protocols in the web browsers so that clients are never forced into using these old and insecure protocols.

It should be noted that while I say this is for browsers on the client, these settings should be applied to all Windows computers in your organisation, whether they are servers or workstations. Now, I would ALWAYS say that using a web browser on a server is a bad idea; in fact it should be blocked. However, to be realistic, some admins can and do use browsers on servers from time to time, meaning it’s still important to implement this lockdown on all your Windows computers.

Also, in case you were confused, SSL and TLS are pretty much the same thing. Just think of TLS 1.0 as SSL v4 and so on. Most people still think “SSL” when they see the padlock in the address bar; it’s just that mostly it is now secured using the TLS protocols.

To disable SSL v2 and SSL v3 it’s best to create a Computer-based Group Policy setting that applies at the top level of your domain. In GPMC navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page and then open the policy setting called “Turn off encryption support”.

Once you have the policy open you will notice there is a drop-down option that gives you 32 different permutations of enabling or disabling SSL and TLS.

Generally, most sites on the Internet with encryption support TLS 1.0 or later. So the best bet is to select the option “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
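To check what that drop-down actually applied on a given machine, here is an added PowerShell example that is not part of the original post. The policy is stored as a DWORD bitmask named SecureProtocols under the Internet Settings policy key; the path and bit values used here are the policy's registry representation, which the post itself does not list, and are stated as assumptions in the comments.

```powershell
# Added example (not from the original post): decode the "Turn off encryption
# support" policy value on the local machine and flag legacy protocols.
# Assumed path: the Computer Configuration policy key for Internet Settings.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Assumed bit values of the SecureProtocols DWORD, one bit per protocol
$protocolBits = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-SecureProtocolNames([int]$Mask) {
    # Return the names of the protocols whose bit is set in $Mask
    $protocolBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# "Use TLS 1.0, TLS 1.1, and TLS 1.2" = 0x80 + 0x200 + 0x800 = 2688 (0xA80)
$recommended = 0x80 -bor 0x200 -bor 0x800
$legacyMask  = 0x8 -bor 0x20

$current = (Get-ItemProperty -Path $policyKey -Name 'SecureProtocols' -ErrorAction SilentlyContinue).SecureProtocols
if ($null -eq $current) {
    Write-Output "No SecureProtocols policy value found under $policyKey (policy not applied here)."
} else {
    $names = (Get-SecureProtocolNames $current) -join ', '
    Write-Output ('Policy value {0} (0x{0:X}) enables: {1}' -f $current, $names)
    $legacy = Get-SecureProtocolNames ($current -band $legacyMask)
    if ($legacy) {
        Write-Output ('WARNING: legacy protocols still enabled: {0}' -f ($legacy -join ', '))
    }
    if ($current -eq $recommended) {
        Write-Output 'Matches the recommended "Use TLS 1.0, TLS 1.1, and TLS 1.2" setting.'
    }
}
```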


In case you were wondering: yes, this will break any site for your users that only supports SSL v3 or earlier. But it’s probably best that you don’t use those sites, as they either don’t care about or don’t understand security.

However, if you do have a site that your users absolutely must access and that still uses SSL v3, you can exclude the computer from the policy by following my other blog post at http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/ .

Now that you have disabled SSL on your clients, the next thing to look at is disabling the protocol on all your internal (and external) servers. In my next post I will show you how to also disable SSL (and enable TLS 2.0) on all your servers using Group Policy.

Using Edge in the Enterprise – Ignite Australia 2017

This is a video of the Using Edge in the Enterprise session I did at Ignite Australia 2017. This session covers the recent improvements to Edge in Windows 10 and how the new Group Policy features enable it to be used in the enterprise.

I also cover some of the new features such as Favourite Synchronisation and Windows Defender Application Guard that will be coming out soon to sandbox the Edge process for improved security.

How to synchronise Internet Explorer Favourites with Edge

In the latest release of the Windows 10 Insider Preview (Build 15002) there is a new policy setting that allows you to sync the IE Favourites with Edge. This policy setting allows you, as an IT administrator, to avoid setting up the browser favourites in multiple locations, thus reducing duplication of effort.

Previously you may have had Group Policy Preferences Shortcuts configured to manage the IE Favourites (see below).

However, this only configured the Favourites in IE and not in Edge.

It was possible to configure Edge Favourites; however, this was a separate policy setting called “Configure Favourites”.

However, this still meant that you needed to maintain a separate Favourites list for each browser, which normally meant doubling up on settings changes whenever they needed to be updated.

So, to remove the need to duplicate Favourite configuration when starting to use Edge, the new policy setting enables the feature to sync favourites, called “Keep favourites in sync between Internet Explorer and Microsoft Edge”.

Once enabled, all the IE Favourites appear in the Edge browser in almost real time during the next Group Policy update.

Tip: As of this build it appears that this policy preserves the Favourites already configured in Edge, but if you delete these they do not come back.

Updated Group Policy Health Reporter

The post Updated Group Policy Health Reporter appeared first on SDM Software | Configuration Experts.

Happy New Year Everyone! I hope everyone made it safely through the holidays. To start off 2017, we’ve been working to update some of our existing freeware tools. The first beneficiary of that work is our Group Policy Health Reporter utility, now at version 1.9 (see screenshot):

Group Policy Health Reporter 1.9


This new version fixes issues we had reporting against Windows 10 and Server 2016, upgrades the utility to 64-bit, upgrades the required .NET Framework version to 4.0 and cleans up a weird issue that seems to have been introduced at some point in Windows 7 and 2008 R2.

Namely, one of the pieces of information we return is the list of GPOs that have been processed by a computer or user, and those corresponding Group Policy Container (GPC) and Group Policy Template (GPT) versions. The idea here is that, in the days of NTFRS SYSVOL replication, you often got into scenarios where the AD part of the GPO replicated to DCs at a different rate (or sometimes not at all!) than the SYSVOL part–resulting in GPOs being incorrectly processed by some clients. Health Reporter has always called out this difference as a potential problem, by mining information in the client’s registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy. However, at some point Windows 7 and 2008-R2 stopped properly updating the GPT version in that registry metadata–always reporting it as ‘FFFF’, which means that the GPT version couldn’t be resolved. This led to false positives in GP Health Reporter that were annoying at best. So we’ve essentially now cleaned that up so that these errors don’t get flagged for Windows 7 and 2008-R2 target systems. Not a perfect solution, since you could still have SYSVOL replication issues that could be completely legitimate, but for now, at least a partial solution.

And of course, if you need a more full-featured, enterprise-strength GP reporting solution that remotely grabs GP health and even SETTINGs from your Windows systems, our commercial Group Policy Compliance Manager is your solution!

Enjoy!

Darren Mar-Elia
